elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Winlogbeat] [Sysmon] dns.resolved_ip - not an IP string literal #18432

Closed nicpenning closed 4 years ago

nicpenning commented 4 years ago

Sysmon appears to generate DNS Query logs that get truncated after a certain number of characters, which could leave the QueryResults with an invalid IP address.

This is the error:

elasticsearch TCould not index event to Elasticsearch. status: 400, action: ["index", {:_id=>nil, :_index=>"winlogbeat-7.6.2", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x6f1f9792>], response: {"index"=>{"_index"=>"winlogbeat-7.6.2-2020.05.10-000007", "_type"=>"_doc", "_id"=>"vlSpBXIB44A-TpNhvsA_", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dns.resolved_ip] of type [ip] in document with id 'vlSpBXIB44A-TpNhvsA_'. Preview of field's value: '52'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'52' is not an IP string literal."}}}}

This is what the Windows Event Log looks like:

Dns query:
 RuleName:
 UtcTime: 2020-05-11 21:33:09.760
 ProcessGuid: {d83d2700-d8c3-5e9d-0100-001020175589}
 ProcessId: 123972
 QueryName: f4ec9d98b5294fe5b1bace95454f00b7.nrb.footprintdns.com
 QueryStatus: 0
 QueryResults: type: 5 lyh-efz.office.com;::ffff:40.97.30.130;::ffff:40.97.152.34;::ffff:52.96.43.162;::ffff:40.97.168.114;::ffff:40.97.152.2;::ffff:40.97.154.242;::ffff:40.97.170.2;::ffff:40.97.153.146;::ffff:40.97.126.210;::ffff:52.96.29.82;::ffff:40.97.126.178;::ffff:40.97.24.2;::ffff:40.97.170.194;::ffff:40.97.126.194;::ffff:40.97.124.226;::ffff:40.97.124.194;::ffff:40.97.30.162;::ffff:40.97.124.34;::ffff:40.97.29.50;::ffff:40.97.124.210;::ffff:40.97.28.98;::ffff:40.97.154.82;::ffff:40.97.170.178;::ffff:40.97.170.162;::ffff:40.96.32.34;::ffff:40.97.154.226;::ffff:40.97.169.242;::ffff:40.97.171.98;::ffff:40.97.169.146;::ffff:40.97.100.2;::ffff:40.97.169.162;::ffff:40.97.152.82;::ffff:40.97.155.194;::ffff:52.96.54.210;::ffff:52.96.40.114;::ffff:40.97.171.114;::ffff:52.96.37.210;::ffff:40.97.168.98;::ffff:40.97.154.66;::ffff:40.97.28.82;::ffff:40.97.28.114;::ffff:40.97.24.18;::ffff:40.97.228.178;::ffff:40.97.155.178;::ffff:40.97.31.50;::ffff:52.96.37.34;::ffff:40.97.124.18;::ffff:40.97.24.50;::ffff:40.97.230.178;::ffff:52

Here is a link to the discussion post I started in regard to what to expect of Sysmon: https://social.technet.microsoft.com/Forums/en-US/27010f2b-61c4-4051-a1d7-9cf681c87d7f/sysmon-dns-query-results-are-truncated?forum=windowsinternals
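The failure mode in this report is that Sysmon cuts the QueryResults string mid-address, the shipper strips the `::ffff:` prefix from the last fragment, and Elasticsearch then rejects the whole event because `52` is not an IP literal. The Go program below is an added example (not Winlogbeat's own sysmon module code, and not the fix in the linked PR) of how a defensive parser can split the field, unwrap IPv4-mapped IPv6 answers, keep CNAME targets separately, and drop any entry that looks like an address but does not parse, so one truncated fragment no longer costs the entire document. The sample string is constructed from the event in the issue, shortened and truncated on purpose; the type names and function names are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample shaped like the truncated QueryResults in the issue:
// a "type: N" prefix, a CNAME target, IPv4-mapped IPv6 literals, and a
// final entry cut off mid-address.
const sampleQueryResults = "type: 5 lyh-efz.office.com;::ffff:40.97.30.130;::ffff:52.96.43.162;::ffff:52"

// ParsedResults is what a defensive parser would hand to the indexer:
// only complete, parseable addresses are destined for the ip-typed field.
type ParsedResults struct {
	RecordType  string   // the "type: N" value, if present
	ResolvedIPs []string // valid IPs; IPv4-mapped IPv6 unwrapped to dotted quad
	Names       []string // non-address entries such as CNAME targets
	Dropped     []string // entries that look like addresses but do not parse (e.g. truncated)
}

// normalizeIP returns the canonical address for one QueryResults entry, or
// ok=false when the entry is not a complete, parseable IP literal.
func normalizeIP(entry string) (string, bool) {
	ip := net.ParseIP(entry)
	if ip == nil {
		return "", false
	}
	// Sysmon writes IPv4 answers as IPv4-mapped IPv6 (::ffff:a.b.c.d).
	// Unwrap those only when the mapped part is a full dotted quad: a
	// truncated "::ffff:52" is a legal IPv6 literal but not a real answer,
	// and naively stripping the prefix is what produced the bare "52".
	if strings.HasPrefix(entry, "::ffff:") {
		rest := strings.TrimPrefix(entry, "::ffff:")
		v4 := net.ParseIP(rest)
		if v4 != nil && v4.To4() != nil && strings.Count(rest, ".") == 3 {
			return v4.To4().String(), true
		}
		return "", false
	}
	return ip.String(), true
}

// looksLikeAddress distinguishes a broken address fragment (which must be
// dropped) from a hostname (which is kept as a name).
func looksLikeAddress(entry string) bool {
	return strings.ContainsRune(entry, ':') || strings.Trim(entry, "0123456789.") == ""
}

// ParseQueryResults splits a Sysmon QueryResults string into addresses,
// names and rejected fragments.
func ParseQueryResults(raw string) ParsedResults {
	var out ParsedResults
	for _, entry := range strings.Split(raw, ";") {
		entry = strings.TrimSpace(entry)
		if strings.HasPrefix(entry, "type:") {
			fields := strings.Fields(entry) // "type:", "<N>", "<first answer>"
			if len(fields) >= 2 {
				out.RecordType = fields[1]
			}
			if len(fields) < 3 {
				continue
			}
			entry = strings.Join(fields[2:], " ")
		}
		if entry == "" {
			continue
		}
		if ip, ok := normalizeIP(entry); ok {
			out.ResolvedIPs = append(out.ResolvedIPs, ip)
		} else if looksLikeAddress(entry) {
			out.Dropped = append(out.Dropped, entry)
		} else {
			out.Names = append(out.Names, entry)
		}
	}
	return out
}

func main() {
	r := ParseQueryResults(sampleQueryResults)
	fmt.Printf("type=%s\nresolved_ip=%v\nnames=%v\ndropped=%v\n",
		r.RecordType, r.ResolvedIPs, r.Names, r.Dropped)
}
```

Surfacing the dropped fragments (here in `Dropped`) rather than silently discarding them lets a pipeline flag events whose answer list was cut off, which is worth knowing when an investigation relies on the full set of resolved addresses.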

nicpenning commented 4 years ago

@andrewkroh Hope this helps!

elasticmachine commented 4 years ago

Pinging @elastic/siem (Team:SIEM)

andrewkroh commented 4 years ago

Fix: https://github.com/elastic/beats/pull/18436/