You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When an Event Log on Windows contains EventData with Data nodes that are missing the Name attribute, and there are also other nodes (e.g. Binary), all Data nodes have their data saved as an object with the same key: "". This causes any JSON parsing library to condense the keys, overwriting data.
This is a result of this function, which detects whether to save the Data nodes all as an object with keys matching the Name attributes, or a single array.
The issue however, is that the non-Data nodes do not get this treatment. In the case where the Data nodes are treated as a combined array, but other nodes exist, they are added to the property tree as if it were an object; forcing it into being an object. Now, since it was an array, all existing elements now have an object key of "".
What operating system and version are you using?
version = 10.0.19045
build = 19045
platform = windows
What version of osquery are you using?
version = 5.11.0
What steps did you take to reproduce the issue?
Run query against the event log. Any formatter works since the data itself is serialized as JSON no matter what.
osqueryi --json "SELECT * FROM windows_eventlog WHERE channel='Application' AND provider_name='MsiInstaller';"
Output:
{"channel":"Application","computer_name":"DESKTOP-LGPP4E9","data":"{\"EventData\":{\"\":\"Python 3.11.1 Core Interpreter (64-bit)\",\"\":\"3.11.1150.0\",\"\":\"1033\",\"\":\"0\",\"\":\"Python Software Foundation\",\"\":\"(NULL)\",\"\":\"\",\"Binary\":\"7B35443145464635312D343734302D344536322D384534392D3131433133444543333443337D3030303039333463656639663166653563346664393362366264366263323663636232303030303030393034\"}}","datetime":"2023-01-13T21:49:56.5321775Z","eventid":"1033","keywords":"0x80000000000000","level":"4","pid":"0","provider_guid":"","provider_name":"MsiInstaller","task":"0","tid":"0"}
I see this as the easier and more consistent route, but understand it could break dependencies if anyone is actually parsing this. It would also be applied recursively, since it seems Data nodes can exist under other children nodes of EventData as well.
Make non-Data nodes adhere to the as_array logic and merge.
Bug Report
When an Event Log on Windows contains
EventDatawithDatanodes that are missing theNameattribute, and there are also other nodes (e.g.Binary), allDatanodes have their data saved as an object with the same key:"". This causes any JSON parsing library to condense the keys, overwriting data.This is a result of this function, which detects whether to save the
Datanodes all as an object with keys matching theNameattributes, or a single array.The issue however, is that the non-
Datanodes do not get this treatment. In the case where theDatanodes are treated as a combined array, but other nodes exist, they are added to the property tree as if it were an object; forcing it into being an object. Now, since it was an array, all existing elements now have an object key of"".What operating system and version are you using?
What version of osquery are you using?
What steps did you take to reproduce the issue?
dataelement.What did you expect to see?
All data from the
EventDataelement.What did you see instead?
An empty object with only valid data from the
Binarynode.Possible Fixes
I see two possible fixes for this:
EventDataobject calledData. This would prevent other nodes from forcing it into an object when it was an array.Result:
I see this as the easier and more consistent route, but understand it could break dependencies if anyone is actually parsing this. It would also be applied recursively, since it seems
Datanodes can exist under other children nodes ofEventDataas well.Datanodes adhere to theas_arraylogic and merge.Result:
This would break any context of those extra nodes though.
The text was updated successfully, but these errors were encountered: