The powershell_operational ingest pipeline uses a painless script processor to split Event 4103 command invocations:

```painless
Pattern detailRegex = /^(.+)\((.+)\)\:\s*(.+)?$/;
```
This processor can trigger the regex circuit breaker in Elasticsearch. Processing fails with an error similar to:
Painless scripting error - "Regular expression considered too many characters"
```
[scripting] Regular expression considered too many characters, pattern: [^(.+)\\\\((.+)\\\\)\\\\:\\\\s*(.+)?$], limit factor: [6], char limit: [2298], count: [2299], wrapped: [ParameterBinding(Select-Object): name=\\\"InputObject\\\"; value=\\\"@...], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting
```
Values for "char limit: [2298], count: [2299]" change depending on the log length.
Possible solutions recommended prior to this issue's creation:
"The regex /^(.+)\((.+)\)\:\s*(.+)?$/ could be given more hints to reduce work (suggest /^([^(]+)\(([^)]+)\)\:\s*(.+)?$/ which should stop the RE engine searching fruitless paths), or it could be rewritten as a string split helper for greater efficiency at the cost of maintenance burden."
Source: integrations/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml, line 316 in d64ef24
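To make the two recommendations concrete, here is an added Python example (not code from the integration) that runs the original pattern, the tightened pattern and a string-split helper over constructed Event 4103 detail lines. The `painless_char_budget` helper assumes the breaker budget is limit factor times input length, which is consistent with the error above (2298 = 6 x 383).

```python
import re

# Pattern as it appears in the pipeline, and the tightened variant suggested above.
DETAIL_ORIGINAL = re.compile(r'^(.+)\((.+)\)\:\s*(.+)?$')
DETAIL_TIGHTENED = re.compile(r'^([^(]+)\(([^)]+)\)\:\s*(.+)?$')

# Constructed Event 4103 detail lines (not captured from a real host).
SAMPLE_LINES = [
    'ParameterBinding(Select-Object): name="InputObject"; value="@{Name=foo}"',
    'CommandInvocation(Out-Default): ',
    'ParameterBinding(Write-Host): name="Object"; value="x(y): z"',
]


def split_detail_regex(line, pattern=DETAIL_TIGHTENED):
    """Return (name, type, value) using a regex, or None when it does not match."""
    m = pattern.match(line)
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3) or ''


def split_detail(line):
    """String-split equivalent of the tightened regex: no backtracking at all.

    Takes the first '(' and the first ')' after it, and requires ':' right after.
    """
    open_idx = line.find('(')
    if open_idx < 1:                       # need a non-empty name before '('
        return None
    close_idx = line.find(')', open_idx + 1)
    if close_idx <= open_idx + 1:          # need a ')' and a non-empty type
        return None
    if line[close_idx + 1:close_idx + 2] != ':':
        return None
    return line[:open_idx], line[open_idx + 1:close_idx], line[close_idx + 2:].lstrip()


def painless_char_budget(line, limit_factor=6):
    """Characters the Painless regex breaker allows for this input.

    Assumption: budget = limit_factor * len(input); the error on this page
    reports char limit 2298 for a 383-character wrapped value (6 * 383).
    """
    return limit_factor * len(line)


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        # The third sample shows the greedy original pattern anchoring on the
        # LAST "(...):" inside the value, while the other two take the first.
        print(split_detail(line), split_detail_regex(line, DETAIL_ORIGINAL))
```

The third sample also shows why the tightened pattern needs no backtracking: `[^(]+` and `[^)]+` commit to the first parenthesised type, so a value containing `(`, `)` or `:` later in the line never sends the engine back.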