Issue with command string and & and white spaces #16

Open
cbarker001 opened this issue Mar 28, 2017 · 6 comments

@cbarker001

Hello,

When trying to run a reg query command with execbeat, I am running into an issue where no matter how I try to escape the registry key with & and a white space in the path, the line is not being parsed correctly.

I see two issues, one with the command and one with the args.

The issue with the command line in the execbeat.yml
commands:
  schedule: 10 * * * *
  command: cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'
  args: /s
When checking the yaml file, the above lines are being parsed as:
commands:
  args: /s
  command: "cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'"
  schedule: "10 * * * *"

However, the output when run errors with the following.
{
  "@timestamp": "2017-03-28T15:27:10.000Z",
  "beat": {
    "hostname": "somecomputer",
    "name": "somecomputer",
    "version": "3.1.1"
  },
  "exec": {
    "command": "cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key\u0026stuff here'",
    "exitCode": 0,
    "stdout": ""
  },
  "type": "execbeat"
}

As you can see the & is getting parsed as \u0026. This happens with either single or double quotes.

To try and work around this issue, I modified the execbeat.yml file with the following:
execbeat:
  commands:
    schedule: 10 * * * *
    command: cmd
    args: /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here' /s

When executing the execbeat with this, I get the following error:
{
  "@timestamp": "2017-03-28T15:42:10.000Z",
  "beat": {
    "hostname": "somecomputer",
    "name": "somecomputer",
    "version": "3.1.1"
  },
  "exec": {
    "command": "cmd",
    "exitCode": 1,
    "stderr": "ERROR: Invalid key name.\r\nType "REG QUERY /?" for usage.\r\n'stuff' is not recognized as an internal or external command,\r\noperable program or batch file.\r\n",
    "stdout": ""
  },
  "type": "execbeat"
}

I have tried both single and double quoting the args options to no avail.

I believe this to be a bug in how execbeat is parsing the YAML file's command and args lines.

@christiangalsterer
Owner

Thanks for raising this issue. I will look into it in the next few days.

@christiangalsterer
Owner

Which version of execbeat do you use?

@cbarker001
Author

The version I am using is 3.1.1.

Thanks!

@christiangalsterer
Owner

christiangalsterer commented May 7, 2017

This is a general problem with how config files are parsed by the beat lib/golang itself. Not sure yet how to fix this, and whether it is possible in an easy way.

@christiangalsterer
Owner

I played around a little bit.
When trying the first example, it works for me, except for the fact that the output has the wrong encoding. I debugged and googled a little bit, and the problem seems to be in the json Encoder (http://stackoverflow.com/questions/24656624/golang-display-character-not-ascii-like-not-0026).

As sending the event is done by the beats framework, I need to check if there is a way to tweak the encoder in the beats framework.

@christiangalsterer
Owner

There is an open issue in the beats framework for this, see elastic/beats#2581
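
The `\u0026` in the first event output is the HTML-safe escaping that Go's `encoding/json` applies to `&` by default; a JSON parser decodes it back to `&`, so the stored command is unchanged. The following is an added example, not code from execbeat or the beats framework; `execEvent`, `sampleCommand` and the function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// sampleCommand is constructed input: the command string quoted in the issue.
const sampleCommand = `cmd /c reg query 'HKEY_LOCAL_MACHINE\Software\key&stuff here'`

// execEvent is a hypothetical stand-in for the "exec" object of an event.
type execEvent struct {
	Command string `json:"command"`
}

// encodeDefault uses json.Marshal, which writes <, > and & as \u003c,
// \u003e and \u0026 so the JSON is safe to embed in an HTML <script> tag.
func encodeDefault(ev execEvent) (string, error) {
	b, err := json.Marshal(ev)
	return string(b), err
}

// encodeRaw switches HTML escaping off, so & stays literal in the output.
func encodeRaw(ev execEvent) (string, error) {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(ev); err != nil {
		return "", err
	}
	return strings.TrimSuffix(buf.String(), "\n"), nil // Encode appends "\n"
}

// decodeCommand parses a JSON document and returns its command field.
func decodeCommand(doc string) (string, error) {
	var ev execEvent
	err := json.Unmarshal([]byte(doc), &ev)
	return ev.Command, err
}

func main() {
	ev := execEvent{Command: sampleCommand}
	def, _ := encodeDefault(ev)
	raw, _ := encodeRaw(ev)
	fromDef, _ := decodeCommand(def)
	fmt.Println(def, raw, fromDef == sampleCommand)
}
```

A text search for a literal `&` over the raw event output will miss the escaped form, so match on the decoded field value rather than on the serialized bytes.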
