Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

windows/powershell: regexp considered too many characters for processing 800 command invocation details #3494

Closed
efd6 opened this issue Jun 9, 2022 · 1 comment · Fixed by #3495
Closed

windows/powershell: regexp considered too many characters for processing 800 command invocation details #3494

efd6 opened this issue Jun 9, 2022 · 1 comment · Fixed by #3495
Assignees
@efd6
Labels
bug Something isn't working, use only for issues Integration:windows Windows

Comments

@efd6
Copy link
Contributor

efd6 commented Jun 9, 2022
edited
Loading

Adding the following event (obtained from the winlogbeat top half pipeline) to test inputs results in a failure:

        {
            "@timestamp": "2020-05-15T08:33:26.393089Z",
            "event": {
                "action": "Pipeline Execution Details",
                "code": "800",
                "kind": "event",
                "provider": "PowerShell"
            },
            "host": {
                "name": "vagrant"
            },
            "log": {
                "level": "information"
            },
            "message": "Pipeline execution details for command line: . \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine= \n\nDetails: \nCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
            "winlog": {
                "api": "wineventlog",
                "channel": "Windows PowerShell",
                "computer_name": "vagrant",
                "event_data": {
                    "param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=",
                    "param3": "ParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\""
                },
                "event_id": "800",
                "keywords": [
                    "Classic"
                ],
                "opcode": "Info",
                "provider_name": "PowerShell",
                "record_id": 1847,
                "task": "Pipeline Execution Details"
            }
        }

FAILURE DETAILS:
windows/powershell test-events.json:
[0] unexpected pipeline error: [scripting] Regular expression considered too many characters, pattern: [^(.+)\\((.+)\\)\\:\\s*(.+)?$], limit factor: [6], char limit: [1470], count: [1471], wrapped: [ParameterBinding(Out-Default): name=\"InputObject\"; value=\"Can...], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting


╭─────────┬─────────────┬───────────┬──────────────────┬─────────────────────────────────────────────────────────────────────────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME        │ RESULT                                                                      │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────┼─────────────────────────────────────────────────────────────────────────────┼──────────────┤
│ windows │ powershell  │ pipeline  │ test-events.json │ FAIL: test case failed: one or more problems with fields found in documents │  17.476801ms │
╰─────────┴─────────────┴───────────┴──────────────────┴─────────────────────────────────────────────────────────────────────────────┴──────────────╯

Related to elastic/beats#31833.
@efd6 efd6 added bug Something isn't working, use only for issues Team:Security-External Integrations Integration:windows Windows labels Jun 9, 2022
@efd6 efd6 self-assigned this Jun 9, 2022
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6 efd6 mentioned this issue Jun 9, 2022
Merged
4 tasks
@efd6 efd6 closed this as completed in #3495 Jun 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@efd6 efd6

Labels
bug Something isn't working, use only for issues Integration:windows Windows
Projects
None yet
Milestone
No milestone
2 participants
@elasticmachine @efd6