Skip to content

[Windows]: Powershell Operational events pipeline_error #10891

New issue
New issue
Closed
Closed
[Windows]: Powershell Operational events pipeline_error#10891
Assignees
bjmcnic
Labels
Integration:windowsWindowsTeam:Elastic-Agent-Data-PlaneAgent Data Plane team [elastic/elastic-agent-data-plane]needs:triage
@bjmcnic

Description

@bjmcnic
bjmcnic
opened on Aug 27, 2024

Integration Name

Windows [windows]

Dataset Name

windows.powershell_operational

Integration Version

1.47.0

Agent Version

8.15.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.0

OS Version and Architecture

Windows Server 2016

Software/API Version

No response

Error Message

"error.message": [ "cannot access method/field [removeIf] from a null def reference" ],

Event Original

"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{A0C1853B-5C40-4B15-8766-3CF1C58F985A}'/><EventID>40961</EventID><Version>1</Version><Level>4</Level><Task>4</Task><Opcode>1</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-08-26T23:59:27.157373400Z'/><EventRecordID>223</EventRecordID><Correlation ActivityID='{39563452-F7DE-0002-6E59-5639DEF7DA01}'/><Execution ProcessID='4636' ThreadID='4664'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>WIN-REDACTED.redacted.com</Computer><Security UserID='S-1-5-21-1655821185-554591942-184963845-500'/></System><EventData></EventData><RenderingInfo Culture='en-US'><Message>PowerShell console is starting up</Message><Level>Information</Level><Task>PowerShell Console Startup</Task><Opcode>Start</Opcode><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Provider></Provider><Keywords></Keywords></RenderingInfo></Event>"

What did you do?

Using the Windows integration, configure it to collect Powershell Operational events, and specifically add event 40961 and 40962.

What did you see?

... "event": { "agent_id_status": "verified", "ingested": "2024-08-26T23:59:40Z", "code": "40961", "provider": "Microsoft-Windows-PowerShell", "created": "2024-08-26T23:59:28.930Z", "kind": "pipeline_error", "action": "PowerShell Console Startup", "category": "process", "type": "info", "dataset": "windows.powershell_operational" }, ... "error.message": [ "cannot access method/field [removeIf] from a null def reference" ],

What did you expect to see?

The expectation was that a pipeline_error would not be encountered.

Anything else?

The issue is understood and will be addressed in a PR (#10792).

Metadata

Metadata

Assignees

Labels

Integration:windowsWindowsTeam:Elastic-Agent-Data-PlaneAgent Data Plane team [elastic/elastic-agent-data-plane]needs:triage

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions