elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Winlogbeat] Pipeline winlogbeat-8.9.2-security error #37217

Open kowalczyk-p opened 11 months ago

kowalczyk-p commented 11 months ago

Pipeline winlogbeat-8.9.2-security returns the following error.message:

Processor "script" with tag "Set User Account Control" in pipeline "winlogbeat-8.9.2-security" failed with message "For input string: \"-\""

For example, for this event:


A user account was changed.

Subject:
    Security ID:        S-1-5-21-842900000-651377000-000000000-00000
    Account Name:       REDACTED$
    Account Domain:     XXX
    Logon ID:       0x00000000

Target Account:
    Security ID:        S-1-5-21-842000000-651370000-682000000-000000
    Account Name:       redacted
    Account Domain:     XXX

Changed Attributes:
    SAM Account Name:   -
    Display Name:       -
    User Principal Name:    -
    Home Directory:     -
    Home Drive:     -
    Script Path:        -
    Profile Path:       -
    User Workstations:  -
    Password Last Set:  11/27/2023 8:33:07 PM
    Account Expires:        -
    Primary Group ID:   -
    AllowedToDelegateTo:    -
    Old UAC Value:      -
    New UAC Value:      -
    User Account Control:   -
    User Parameters:    -
    SID History:        -
    Logon Hours:        -

Additional Information:
    Privileges:     -

ManicPumpkin commented 11 months ago

I have the same issue. Tested with 8.4.2 and 8.11.2.

error.message:

Processor "script" with tag "Set User Account Control" in pipeline "winlogbeat-8.4.2-security" failed with message "For input string: \"-\""

It appears for evtx.code:

4738 4742

elasticmachine commented 9 months ago

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
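
The error message reported in this thread points at a numeric conversion of the `-` placeholder that Windows writes for unchanged attributes. As an added example (not code from the Winlogbeat pipeline or from any commenter), this Python shows a guard that treats the placeholder as "no value" before comparing the old and new UAC values; the field names `OldUacValue` and `NewUacValue`, the dict layout and the sample values are assumptions constructed for illustration.

```python
# Added example: tolerant parsing of the UAC fields from events 4738/4742.
# The "-" placeholder follows the event shown in the issue; the dict layout,
# field names and sample values are constructed for illustration.

PLACEHOLDERS = {"", "-"}


def parse_uac(value):
    """Return the UAC value as an int, or None when the field is unset."""
    if value is None or value.strip() in PLACEHOLDERS:
        return None
    try:
        return int(value.strip(), 0)  # base 0 accepts "0x210" and "528"
    except ValueError:
        return None  # malformed input is treated as absent, never raised


def uac_change(event_data):
    """Summarise which UAC bits an account-change event set or cleared."""
    old = parse_uac(event_data.get("OldUacValue"))
    new = parse_uac(event_data.get("NewUacValue"))
    if old is None or new is None:
        return None  # nothing to compare, e.g. a password-only change
    return {"old": old, "new": new, "set": new & ~old, "cleared": old & ~new}


# Constructed samples: the first mirrors the event in the report.
SAMPLES = [
    {"event_code": "4738", "OldUacValue": "-", "NewUacValue": "-"},
    {"event_code": "4738", "OldUacValue": "0x10", "NewUacValue": "0x11"},
    {"event_code": "4742", "OldUacValue": "0x80", "NewUacValue": "0x84"},
    {"event_code": "4742"},
]


def summarise(samples):
    """Apply uac_change to each sample event, preserving order."""
    return [uac_change(s) for s in samples]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, summarise(SAMPLES)):
        print(sample["event_code"], result)
```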