
fix truncated event log message #41327

Open · wants to merge 5 commits into base: main

Conversation

@intxgo (Contributor) commented Oct 18, 2024

Fixes

Proposed commit message

Fix Windows event log ingest issues caused by event message truncation.

  1. Increased the scratch buffer size from 8K wide characters to 256K wide characters. The scratch buffer is used for efficiency, one buffer per event source. It was set really low.
  2. Handling the insufficient scratch buffer size condition. The Windows API documentation is not very clear about it, but the APIs return ERROR_INSUFFICIENT_BUFFER only when used with a nil buffer; otherwise they happily succeed, copying as much as the given buffer allows (truncating the message). In such a case we will retry with an ad-hoc pool buffer of sufficient size. In the real world the initial 256K-character buffer should be large enough, so this is really a what-if fallback.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

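The retry logic the description sketches, as an added example that is not the PR's or winlogbeat's own code. Because the Windows calls themselves are not available off-platform, the example models the documented calling convention with a constructed stand-in, fakeFormatMessage: it copies as much of the message as fits, always reports the size it needed in bufferUsed, and returns ERROR_INSUFFICIENT_BUFFER only for a nil buffer. The names renderMessage, scratchSize, pool, decodeWide and errInsufficientBuffer are assumptions made for this example. The point it demonstrates is that a successful return cannot be taken as proof the message is complete; bufferUsed compared against the buffer length is the only truncation signal, and a truncated message silently drops exactly the tail that detections keyed on message text may depend on.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"unicode/utf16"
)

// errInsufficientBuffer stands in for Windows ERROR_INSUFFICIENT_BUFFER.
// Assumption: constructed for this example, not a syscall package constant.
var errInsufficientBuffer = errors.New("ERROR_INSUFFICIENT_BUFFER")

// formatMessageFunc models the calling convention described in the PR:
// the callee copies as much of the message as fits into buf (UTF-16 code
// units), always reports the size it needed, and fails with
// ERROR_INSUFFICIENT_BUFFER only when buf is nil.
type formatMessageFunc func(buf []uint16) (bufferUsed uint32, err error)

// fakeFormatMessage builds such a callee for a fixed message. It is a
// stand-in for EvtFormatMessage/EvtRender so the example runs without Windows.
func fakeFormatMessage(msg string) formatMessageFunc {
	wide := utf16.Encode([]rune(msg))
	wide = append(wide, 0) // the real API writes and counts a NUL terminator
	return func(buf []uint16) (uint32, error) {
		need := uint32(len(wide))
		if buf == nil {
			return need, errInsufficientBuffer
		}
		copy(buf, wide) // silently truncates when buf is too short
		return need, nil
	}
}

// scratchSize is the per-source scratch buffer size in wide characters that
// the PR settles on; main() below uses a much smaller one to force the fallback.
const scratchSize = 256 * 1024

// pool hands out ad-hoc buffers for the rare message larger than the scratch buffer.
var pool = sync.Pool{New: func() interface{} { return make([]uint16, 0) }}

// renderMessage renders into the per-source scratch buffer and, when bufferUsed
// reports that the scratch buffer was too small, retries once with a pool
// buffer of exactly the required size. A nil scratch buffer takes the same
// path via the ERROR_INSUFFICIENT_BUFFER return.
func renderMessage(format formatMessageFunc, scratch []uint16) (string, error) {
	used, err := format(scratch)
	if err != nil && !errors.Is(err, errInsufficientBuffer) {
		return "", err
	}
	buf := scratch
	if int(used) > len(scratch) { // the only reliable truncation signal
		buf = pool.Get().([]uint16)
		if cap(buf) < int(used) {
			buf = make([]uint16, used)
		}
		buf = buf[:used]
		defer pool.Put(buf[:0])
		if used, err = format(buf); err != nil {
			return "", err
		}
		if int(used) > len(buf) {
			return "", fmt.Errorf("message grew to %d wide chars between calls", used)
		}
	}
	return decodeWide(buf[:used]), nil
}

// decodeWide converts a (possibly NUL-terminated) UTF-16 slice to a Go string.
func decodeWide(w []uint16) string {
	for i, c := range w {
		if c == 0 {
			w = w[:i]
			break
		}
	}
	return string(utf16.Decode(w))
}

func main() {
	scratch := make([]uint16, 16) // deliberately tiny to exercise the fallback
	msg, err := renderMessage(fakeFormatMessage("A message longer than sixteen wide characters"), scratch)
	fmt.Println(msg, err)
}
```

The check worth carrying into any wrapper around these APIs is the comparison of bufferUsed with the length of the buffer actually passed, not the error value: with a non-nil buffer the fake above, like the behaviour the PR describes, returns success and a short copy.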

@intxgo added the bugfix, backport-8.15 (automated backport to the 8.15 branch with mergify) and backport-8.16 (automated backport with mergify) labels Oct 18, 2024
@intxgo intxgo requested a review from a team as a code owner October 18, 2024 20:00
@botelastic bot added the needs_team label (indicates that the issue/PR needs a Team:* label) Oct 18, 2024
@intxgo added the Team:Security-Windows Platform label (Windows Platform Team in Security Solution) Oct 18, 2024
@elasticmachine (Collaborator) commented

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@botelastic bot removed the needs_team label Oct 18, 2024
@mergify bot (Contributor) commented Oct 18, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot assigned intxgo Oct 18, 2024
@mergify bot added the backport-8.x label (automated backport to the 8.x branch with mergify) Oct 18, 2024
@intxgo (Contributor, Author) commented Oct 18, 2024

>> check: Checking source code for common problems
Error: some files are not up-to-date. Run 'make update' then review and commit the changes. Modified: [winlogbeat/docs/modules_list.asciidoc]
make[1]: *** [../libbeat/scripts/Makefile:153: check] Error 1
make[1]: Leaving directory '/home/runner/work/beats/beats/winlogbeat'
make: *** [Makefile:94: check] Error 1
Error: Process completed with exit code 2.

I'm not sure how I can do it on Windows; it seems to be a Linux hint?

2 participants