Bug Report
Describe the bug
XML Rendered logs missing/not being sent to fluentd when sysmon is installed.
To Reproduce
- Install and configure sysmon.
- Enable XML rendering and turn off string inserts in fluent-bit.conf
- Example log message if applicable:
{
"System": "",
"Message": "",
"src_ip": "(redacted)",
"src_host": "(redacted)"
}
Expected behavior
Expected logs in buffer:
{
"System": "<Prov....
"Message": "The Windows Filtering Platform has permitted a connection.\r\n\r\nApp.....
"src_ip": "(redacted)",
"src_host": "(redacted)"
}
Your Environment
- Version used: Fluent-Bit 4.2.3
- Configuration: fluent-bit.conf (attached)
- fluent-bit.txt
Additional context
We have 2 sets of machines, one with sysmon and one without. We are using the same fluent-bit.conf file on both of them (sysmon provider commented out in the non-sysmon set). Strangely enough, the machines with sysmon installed are not sending any XML rendered logs, even when the sysmon provider is commented out in the conf file.
We have tested this on 3 sets of machines: the machines without sysmon are sending the rendered logs just fine, but the machines with sysmon installed are not sending any rendered logs (though we are able to see the string inserts coming through, missing some data). This even happens when the sysmon provider is commented out in the conf file on both machines; the machine with sysmon has no rendered logs in the buffer.
Not sure, but there might be an issue with the API call for the render being timed out, which causes rendering to fail, hence the blank data.
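Because the records still arrive (only with empty System/Message), this failure is easy to miss until someone reads the buffer by hand. The script below is an added example, not part of this report or of Fluent Bit: it scans buffered JSON records as shown above and reports, per source host, how many have blank rendered fields. The sample records and host names are constructed.

```python
import json
from typing import Iterable

# Fields the winevtlog input only fills when XML rendering succeeds.
RENDERED_FIELDS = ("System", "Message")

# Constructed sample buffer: the first two records mirror the empty
# rendering from the report, the third is a healthy record.
SAMPLE_BUFFER = "\n".join([
    json.dumps({"System": "", "Message": "", "src_ip": "10.0.0.5", "src_host": "host-a"}),
    json.dumps({"System": "", "Message": "", "src_ip": "10.0.0.5", "src_host": "host-a"}),
    json.dumps({"System": "<Provider Name='Microsoft-Windows-Security-Auditing'/>",
                "Message": "The Windows Filtering Platform has permitted a connection.",
                "src_ip": "10.0.0.6", "src_host": "host-b"}),
])


def rendering_failed(record: dict) -> bool:
    """True when every rendered field is missing or blank."""
    return all(not (record.get(f) or "").strip() for f in RENDERED_FIELDS)


def audit_buffer(lines: Iterable[str]) -> dict:
    """Count records per src_host, and how many of them lack rendered content."""
    stats: dict = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a partial line, e.g. a record still being written
        host = rec.get("src_host", "unknown")
        entry = stats.setdefault(host, {"total": 0, "blank": 0})
        entry["total"] += 1
        if rendering_failed(rec):
            entry["blank"] += 1
    return stats


def hosts_losing_rendered_logs(stats: dict, threshold: float = 0.5) -> list:
    """Hosts where at least `threshold` of their records have blank rendered fields."""
    return sorted(h for h, s in stats.items()
                  if s["total"] and s["blank"] / s["total"] >= threshold)


if __name__ == "__main__":
    stats = audit_buffer(SAMPLE_BUFFER.splitlines())
    print(stats)
    print("hosts to investigate:", hosts_losing_rendered_logs(stats))
```

Point it at the real buffer file (one JSON record per line) to compare the sysmon and non-sysmon sets directly.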