Extra backslash's in file path
216 views
Skip to first unread message
Mark Gold
Mar 2, 2020, 5:10:37 AM3/2/20
to Wazuh mailing list
Hi,
I have an issue where since upgrading to Wazuh 3.11.3 from 3.10 where eventchannel fields from the windows security logs that have a path in it now show two \\'s.
The particular field that is causing an issue for me is data.win.eventdata.objectName. I am running windows file auditing which generates lots of events.
Now because Kibana seems to see \\ as some sort of escaped character I can't enter in the exact filepath without adding more escaping characters (see picture below). I also can't use the autocomplete function in Kibana.
So now to search on single folder I need to add two more \\'s to get the query to work. However I can't use wildcards (*) with those escaping characters - which I could do before to search for auditing logs on a folder and all subfolders.
The only thing I have found which I seems to be related is https://github.com/wazuh/wazuh/issues/4509.
So my questions are
- do we know when this bug will get fixed?
- is there any immediate workarounds that I could use to get filepaths back to a single \ in the directory path?
Example where I have to use extra (four) backslashes to get the query to work:
I have an issue where since upgrading to Wazuh 3.11.3 from 3.10 where eventchannel fields from the windows security logs that have a path in it now show two \\'s.
The particular field that is causing an issue for me is data.win.eventdata.objectName. I am running windows file auditing which generates lots of events.
Now because Kibana seems to see \\ as some sort of escaped character I can't enter in the exact filepath without adding more escaping characters (see picture below). I also can't use the autocomplete function in Kibana.
So now to search on single folder I need to add two more \\'s to get the query to work. However I can't use wildcards (*) with those escaping characters - which I could do before to search for auditing logs on a folder and all subfolders.
The only thing I have found which I seems to be related is https://github.com/wazuh/wazuh/issues/4509.
So my questions are
- do we know when this bug will get fixed?
- is there any immediate workarounds that I could use to get filepaths back to a single \ in the directory path?
Example where I have to use extra (four) backslashes to get the query to work:
Kieran Bowen
Mar 4, 2020, 1:22:43 PM3/4/20
to Wazuh mailing list
Hello,
All Windows eventchannel fields containing double backslashes instead of single backslashes is a bug in version 3.11 of the manager, and is related with the aforementioned GitHub issue. We are aware of the problem and the team is working on fixing it as soon as possible, but we do not have an ETA.
Also, I have tested wildcard queries and got them working on 3.11.3, please double check your syntax. The following query worked on my machine:
Ensure you are doing the following:
Regards,
Kieran
All Windows eventchannel fields containing double backslashes instead of single backslashes is a bug in version 3.11 of the manager, and is related with the aforementioned GitHub issue. We are aware of the problem and the team is working on fixing it as soon as possible, but we do not have an ETA.
Also, I have tested wildcard queries and got them working on 3.11.3, please double check your syntax. The following query worked on my machine:
data.win.eventdata.objectName:C\:\\\\Windows\\\\*
Ensure you are doing the following:
- Not quoting the query
- Escaping the : in C: (C\: instead of C:)
- Escaping each \ individually (replace each \\ in the filepath displayed by Kibana with \\\\)
Regards,
Kieran
Mark Gold
Mar 6, 2020, 3:43:48 AM3/6/20
to Wazuh mailing list
Hi Kieran,
Thanks for conformation that the bug is being worked on.
I didn’t realise you could search on those fields without the quotes. It means I can now use my wildcards at the beginning and end without using the backslashes. Like:
data.win.eventdata.objectName:*Windows* shows me all folders and subfolders of C:\Windows
Thanks again that is a good workaround.
Regards,
Mark
Reply all
Reply to author
Forward
0 new messages