From a1eafc109df3bcb9c2727222fd00a251fb2e029b Mon Sep 17 00:00:00 2001
From: Grishin Pavel <88319804+grishinpv@users.noreply.github.com>
Date: Thu, 3 Feb 2022 20:16:43 +0300
Subject: [PATCH] Fix loop while reading from standalone evtx (#30006)

- Fix loop while reading from standalone evtx file
- Moved stop variable and check to outer loop

Co-authored-by: Taylor Swanson
(cherry picked from commit 3c6724adb94235feed193bc2f9c27ff1ebfd271b)
---
 CHANGELOG.next.asciidoc          | 8 ++++++++
 winlogbeat/beater/eventlogger.go | 7 +++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 8ef4bee6d2fb..f52c0b4c678e 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -25,6 +25,14 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
+- Add support to Sysmon file delete events (event ID 23). {issue}18094[18094]
+- Improve ECS field mappings in Sysmon module. `related.hash`, `related.ip`, and `related.user` are now populated. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
+- Remove top level `hash` property from sysmon events {pull}20653[20653]
+- Move module processing from local Javascript processor to ingest node {issue}29184[29184] {pull}29435[29435]
+- Fix run loop when reading from evtx file {pull}30006[30006]
 *Functionbeat*
diff --git a/winlogbeat/beater/eventlogger.go b/winlogbeat/beater/eventlogger.go
index b7507cfe8c05..390a2fb39755 100644
--- a/winlogbeat/beater/eventlogger.go
+++ b/winlogbeat/beater/eventlogger.go
@@ -130,7 +130,7 @@ func (e *eventLogger) run(
 }()
 runLoop:
- for {
+ for stop := false; !stop; {
 err = api.Open(state)
 if eventlog.IsRecoverable(err) {
 e.log.Warnw("Open() encountered recoverable error. Trying again...", "error", err)
@@ -142,7 +142,7 @@ runLoop:
 }
 e.log.Debug("Opened successfully.")
- for stop := false; !stop; {
+ for !stop {
 select {
 case <-done:
 return
@@ -171,6 +171,9 @@ runLoop:
 e.log.Debugf("Read() returned %d records.", len(records))
 if len(records) == 0 {
 time.Sleep(time.Second)
+ if stop {
+ return
+ }
 continue
 }
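Review bot: `stop` is now declared in the outer loop's init clause, but nothing in this hunk assigns it; the write that ends both loops happens further down in run(), outside what is shown, so a reader of the loop header cannot tell what terminates `runLoop`. A comment on the header line would make the control flow legible, for example `// stop is set further down once the reader reports the log is exhausted (standalone .evtx); both loops exit on it` — I am inferring the trigger from the commit message, so confirm the wording against the actual assignment. The body of run() starts before and ends after this hunk.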
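Review bot: The new `if stop { return }` in the third hunk sits after `time.Sleep(time.Second)`, so when stop is already true on entering the zero-records branch the loop still pays a one-second delay before exiting; placing the check ahead of the sleep, `if stop { return }` then `time.Sleep(time.Second)`, avoids that, assuming stop can be set before Read() returns an empty batch (the assignment is outside the hunk, so please confirm). Note also that with stop true the `continue` on the following line would already leave `for !stop` and then the outer `for stop := false; !stop; {`, so the explicit return only changes behaviour if run() does work after the outer loop that must be skipped; a one-line comment stating which case is intended would help the next reader. The enclosing inner loop and run() end outside the hunk.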