[aws]: guardduty error message is unhelpful

[buzzdeee]

Integration Name

AWS [aws]

Dataset Name

aws.guardduty aws.elb_logs

Integration Version

2.24.1

Agent Version

8.15.0

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.0

OS Version and Architecture

ubuntu 20.04 LTS

Software/API Version

AWS

Error Message

freshly started ingesting AWS logs, for now Guardduty and ELB logs. all of them end up with event.kind: pipeline_error and error.message: "Cannot invoke "java.lang.CharSequence.length()" because "this.wrapped" is null"

Event Original

7b7f2b74-4804-3097-9879-07bb6e432af9.jsonl.json
For Guardduty, created some example findings, as can be found above.

resulting document:
resulting_document.json

What did you do?

ingest AWS guardduty and ELB logs from S3 via SQS notifications

What did you see?

pipeline_error and error.message

What did you expect to see?

no pipeline_error and no error.message

Anything else?

at a first glance, the fields seem to be parsed all well, dashboards show data. the pipeline_error and error.message are very irritating.

[buzzdeee]

just added cloudtrail log ingestion as well, there I observed error message:
Processor "conditional" with tag "my_tag" in pipeline "logs@custom" failed with message "Cannot invoke "java.lang.CharSequence.length()" because "this.wrapped" is null"

fixing the condition in logs@custom seems to have fixed the overall issue.

But it would be nice if Guardduty and ELB logs would give similar helpful error message like cloudtrail does.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

@buzzdeee This looks like it's an error in an @custom pipeline. We can improve the error reporting though.

[buzzdeee]

yeah, a more meaninful error message would have been of great help, as the one showing up in the CloudTrail ingester.

[efd6]

The enhancement has been sent.