When an Event Log on Windows contains EventData with Data nodes that are missing the Name attribute, and there are also other nodes (e.g. Binary), all Data nodes have their data saved as an object with the same key: "". This causes any JSON parsing library to condense the keys, overwriting data.
This is a result of this function, which detects whether to save the Data nodes all as an object with keys matching the Name attributes, or as a single array.
The issue, however, is that the non-Data nodes do not get this treatment. In the case where the Data nodes are treated as a combined array but other nodes exist, they are added to the property tree as if it were an object, forcing it into being an object. Since it was an array, all existing elements now have an object key of "".
What operating system and version are you using?
version = 10.0.19045
build = 19045
platform = windows
What version of osquery are you using?
version = 5.11.0
What steps did you take to reproduce the issue?
Run a query against the event log. Any formatter works, since the data itself is serialized as JSON no matter what.
osqueryi --json "SELECT * FROM windows_eventlog WHERE channel='Application' AND provider_name='MsiInstaller';"
Output:
{"channel":"Application","computer_name":"DESKTOP-LGPP4E9","data":"{\"EventData\":{\"\":\"Python 3.11.1 Core Interpreter (64-bit)\",\"\":\"3.11.1150.0\",\"\":\"1033\",\"\":\"0\",\"\":\"Python Software Foundation\",\"\":\"(NULL)\",\"\":\"\",\"Binary\":\"7B35443145464635312D343734302D344536322D384534392D3131433133444543333443337D3030303039333463656639663166653563346664393362366264366263323663636232303030303030393034\"}}","datetime":"2023-01-13T21:49:56.5321775Z","eventid":"1033","keywords":"0x80000000000000","level":"4","pid":"0","provider_guid":"","provider_name":"MsiInstaller","task":"0","tid":"0"}
What did you expect to see?
All data from the EventData element.
What did you see instead?
An empty object with only valid data from the Binary node.
Possible Fixes
I see two possible fixes for this:
1. EventData object called Data. This would prevent other nodes from forcing it into an object when it was an array.
Result:
I see this as the easier and more consistent route, but understand it could break dependencies if anyone is actually parsing this. It would also be applied recursively, since it seems Data nodes can exist under other children nodes of EventData as well.
2. Make non-Data nodes adhere to the as_array logic and merge.
Result:
This would break any context of those extra nodes though.
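The following is an added example, not code from osquery or from the issue author. It models the serialization behaviour the report describes (unnamed Data nodes next to a Binary node end up under duplicate "" keys), shows what a plain JSON parse does to that text, gives a consumer-side workaround that recovers the duplicated entries from the existing `data` column, and shows the output shape the first proposed fix would produce. The function names, the sample EventData XML, and the JSON shape of the fix are assumptions for illustration; the hex in the sample is the leading part of the Binary value in the reported output, which is hex-encoded ASCII (it decodes to a GUID in braces).

```python
"""Added example, not osquery's code: models the windows_eventlog `data`
serialization the issue describes, the data loss it causes when parsed,
a consumer-side workaround, and the shape of the first proposed fix.
Function names and JSON shapes are assumptions for illustration."""
import json
import xml.etree.ElementTree as ET

# Constructed sample (not captured from a host): unnamed Data nodes next to a
# Binary node, the shape reported for MsiInstaller events. The hex is the
# leading part of the Binary value shown in the reported osqueryi output.
SAMPLE_EVENTDATA_XML = """<EventData>
  <Data>Python 3.11.1 Core Interpreter (64-bit)</Data>
  <Data>3.11.1150.0</Data>
  <Data>1033</Data>
  <Data></Data>
  <Binary>7B35443145464635312D343734302D344536322D384534392D3131433133444543333443337D</Binary>
</EventData>"""


def _split_children(root):
    """Data nodes and all other children of EventData, in document order."""
    data = [c for c in root if c.tag == "Data"]
    other = [c for c in root if c.tag != "Data"]
    return data, other


def data_as_array(data_nodes):
    """The as_array decision the issue describes: Data nodes can only be an
    object keyed by Name when every one of them carries a Name attribute."""
    return not all("Name" in c.attrib for c in data_nodes)


def serialize_reported(xml_text):
    """Approximation of the reported behaviour (assumed, not osquery's code).
    Named Data nodes -> object keyed by Name. Unnamed Data nodes alone -> array.
    Unnamed Data nodes with siblings -> forced into an object, so every Data
    value gets the key "" and the JSON text carries duplicate keys."""
    root = ET.fromstring(xml_text)
    data, other = _split_children(root)
    if data_as_array(data) and not other:
        return json.dumps({root.tag: [c.text or "" for c in data]})
    pairs = [(c.attrib.get("Name", ""), c.text or "") for c in data]
    pairs += [(c.tag, c.text or "") for c in other]
    # Assemble by hand so the duplicate "" keys survive in the text, as in the
    # osqueryi output quoted above; json.dumps(dict) could not express them.
    body = ",".join(f"{json.dumps(k)}:{json.dumps(v)}" for k, v in pairs)
    return "{" + json.dumps(root.tag) + ":{" + body + "}}"


def serialize_fixed(xml_text):
    """Shape of the first proposed fix (assumed): unnamed Data nodes go in an
    array under the key "Data" and other nodes sit beside it, so no sibling
    can turn the array into an object."""
    root = ET.fromstring(xml_text)
    data, other = _split_children(root)
    if data_as_array(data):
        event = {"Data": [c.text or "" for c in data]}
    else:
        event = {c.attrib["Name"]: (c.text or "") for c in data}
    for c in other:
        event[c.tag] = c.text or ""
    return json.dumps({root.tag: event})


def parse_naive(json_text):
    """What a plain json.loads does: later duplicate keys overwrite earlier ones."""
    return json.loads(json_text)


def _keep_duplicates(pairs):
    """object_pairs_hook that turns repeated keys into a list instead of overwriting."""
    grouped = {}
    for key, value in pairs:
        grouped.setdefault(key, []).append(value)
    return {k: (v[0] if len(v) == 1 else v) for k, v in grouped.items()}


def parse_data_column(json_text):
    """Consumer-side workaround for current output: the duplicate "" entries
    are still present in the column text, so a pairs hook recovers them all."""
    return json.loads(json_text, object_pairs_hook=_keep_duplicates)


def decode_binary(hex_text):
    """The Binary node is hex-encoded bytes; decode it to inspect the payload."""
    return bytes.fromhex(hex_text).decode("ascii", errors="replace")


if __name__ == "__main__":
    reported = serialize_reported(SAMPLE_EVENTDATA_XML)
    print("reported text :", reported)
    print("naive parse   :", parse_naive(reported)["EventData"])
    print("pairs hook    :", parse_data_column(reported)["EventData"])
    print("fixed shape   :", serialize_fixed(SAMPLE_EVENTDATA_XML))
    binary = parse_data_column(reported)["EventData"]["Binary"]
    print("Binary decodes:", decode_binary(binary))
```

The pairs hook only helps because the duplicate keys survive in the serialized text of the `data` column; once any consumer has loaded that text into a normal dictionary, the earlier Data values are gone, which is the loss the report describes. The hook turns a repeated key into a list and leaves single-valued keys alone, so it is safe to apply to every row of windows_eventlog output, not just rows affected by this bug.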