diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
index 9f61392ab1f..5dc1102a834 100644
--- a/CHANGELOG.asciidoc
+++ b/CHANGELOG.asciidoc
@@ -73,6 +73,7 @@ https://github.com/elastic/beats/compare/v5.1.1...master[Check the HEAD diff]
 *Winlogbeat*
 - Fix handling of empty strings in event_data. {pull}3705[3705]
+- Fix null terminators include in raw XML string when include_xml is enabled. {pull}3943[3943]
 ==== Added
diff --git a/winlogbeat/sys/strings.go b/winlogbeat/sys/strings.go
index 01009f00d7a..0377cf9933b 100644
--- a/winlogbeat/sys/strings.go
+++ b/winlogbeat/sys/strings.go
@@ -40,6 +40,10 @@ func UTF16ToUTF8Bytes(in []byte, out io.Writer) error {
 var v1, v2 uint16
 for i := 0; i < len(in); i += 2 {
 v1 = uint16(in[i]) | uint16(in[i+1])<<8
+ // Stop at null-terminator.
+ if v1 == 0 {
+ return nil
+ }
 switch {
 case v1 < surr1, surr3 <= v1:
diff --git a/winlogbeat/sys/strings_test.go b/winlogbeat/sys/strings_test.go
index 145c0e6660e..09f34754a18 100644
--- a/winlogbeat/sys/strings_test.go
+++ b/winlogbeat/sys/strings_test.go
@@ -107,6 +107,20 @@ func TestUTF16ToUTF8(t *testing.T) {
 assert.Equal(t, []byte(input), outputBuf.Bytes())
 }
+func TestUTF16BytesToStringTrimNullTerm(t *testing.T) {
+ input := "abc"
+ utf16Bytes := append(toUTF16Bytes(input), []byte{0, 0, 0, 0, 0, 0}...)
+
+ outputBuf := &bytes.Buffer{}
+ err := UTF16ToUTF8Bytes(utf16Bytes, outputBuf)
+ if err != nil {
+ t.Fatal(err)
+ }
+ b := outputBuf.Bytes()
+ assert.Len(t, b, 3)
+ assert.Equal(t, input, string(b))
+}
+
 func BenchmarkUTF16ToUTF8(b *testing.B) {
 utf16Bytes := toUTF16Bytes("A logon was attempted using explicit credentials.")
 outputBuf := &bytes.Buffer{}
diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py
index 25ad14ffccb..98cb871337e 100644
--- a/winlogbeat/tests/system/test_wineventlog.py
+++ b/winlogbeat/tests/system/test_wineventlog.py
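Review bot: The new `if v1 == 0 { return nil }` makes UTF16ToUTF8Bytes stop at the first NUL code unit and silently discard everything after it, with no signal to the caller; that is the intended fix for trailing terminators, but the function's doc comment (outside this hunk) should state it, e.g. `// Decoding stops at the first NUL (0x0000) code unit; any data after it is discarded.`, so a consumer comparing this output with the raw event does not mistake a truncated string for a complete one. The guard also leaves the pre-existing `in[i+1]` read on the line above unaddressed, which indexes past the slice when len(in) is odd; rejecting odd lengths before the loop (`if len(in)%2 != 0 { return errors.New("utf16 input has odd length") }`, with whatever error package the file already imports) would be cheap, though I cannot see whether callers guarantee even length. UTF16ToUTF8Bytes starts before and continues past this hunk.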
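Review bot: TestUTF16BytesToStringTrimNullTerm only covers NUL code units at the very end of the input, so it does not pin the more consequential part of the new behaviour, that data after an embedded NUL is dropped; a second case such as `utf16Bytes := append(append(toUTF16Bytes("ab"), 0, 0), toUTF16Bytes("cd")...)` asserting `"ab"` would make that contract explicit and catch a later change that resumes decoding after a NUL. The six appended zero bytes carry no explanation; `// three NUL UTF-16 code units` on that line would make the intent obvious. The `assert.Len(t, b, 3)` is redundant with the following `assert.Equal`, which already fails on a length mismatch.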
@@ -142,6 +142,7 @@ def test_include_xml(self):
 self.assertTrue(len(evts), 1)
 self.assert_common_fields(evts[0], msg=msg)
 self.assertTrue("xml" in evts[0])
+ self.assertTrue(evts[0]["xml"].endswith(''), 'xml value: "{}"'.format(evts[0]["xml"]))
 def test_query_event_id(self):
 """
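Review bot: `evts[0]["xml"].endswith('')` is true for every string, so the added assertion can never fail and does not verify that trailing null terminators were removed from the raw XML. This may be an extraction artifact in which the expected suffix (presumably the XML document's closing tag) was stripped from the page, but as shown the suffix must be restored, or the check replaced with one that fails on a terminator, e.g. `self.assertFalse(evts[0]["xml"].endswith('\x00'), 'xml value: "{}"'.format(evts[0]["xml"]))`. test_include_xml starts before this hunk.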