winlogbeat/eventlog: don't attempt to salvage messages for forwarded …

…events (#34865) (#35539) (cherry picked from commit cc91e1c) Co-authored-by: Dan Kortschak <[email protected]>
elastic · May 22, 2023 · ae3e3f9 · ae3e3f9
1 parent afdafa1
commit ae3e3f9
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 4 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -73,6 +73,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 
 
 *Filebeat*
+
 - [Auditbeat System Package] Added support for Apple Silicon chips. {pull}34433[34433]
 - [Azure blob storage] Changed logger field name from `container` to `container_name` so that it does not clash
    with the ecs field name `container`. {pull}34403[34403]
@@ -123,6 +124,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - Move repeated Windows event channel not found errors in winlog input to debug level.  {issue}35314[35314] {pull}35317[35317]
 - Fix crash when processing forwarded logs missing a message. {issue}34705[34705] {pull}34865[34865]
 - Fix crash when loading azurewebstorage cursor with no partially processed data. {pull}35433[35433]
+- Fix crash when processing forwarded logs missing a message. {issue}34705[34705] {pull}34865[34865]
 
 *Heartbeat*
 
@@ -206,6 +208,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 - Move repeated channel not found errors to debug level.  {issue}35314[35314] {pull}35317[35317]
 - Fix panic due to misrepresented buffer use. {pull}35437[35437]
 - Allow program termination when attempting to open an absent channel. {pull}35474[35474]
+- Fix crash when processing forwarded logs missing a message. {issue}34705[34705] {pull}34865[34865]
 
 *Functionbeat*
 

diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
@@ -287,9 +287,9 @@ func newWinEventLog(options *conf.C) (EventLog, error) {
 		l.render = func(event win.EvtHandle, out io.Writer) error {
 			return win.RenderEvent(event, c.EventLanguage, l.renderBuf, l.cache.get, out)
 		}
-	}
-	l.message = func(event win.EvtHandle) (string, error) {
-		return win.Message(event, l.renderBuf, l.cache.get)
+		l.message = func(event win.EvtHandle) (string, error) {
+			return win.Message(event, l.renderBuf, l.cache.get)
+		}
 	}
 
 	return l, nil
@@ -463,7 +463,7 @@ func (l *winEventLog) Read() ([]Record, error) {
 			l.metrics.logError(err)
 			logp.Warn("%s failed creating bookmark: %v", l.logPrefix, err)
 		}
-		if r.Message == "" {
+		if r.Message == "" && l.message != nil {
 			r.Message, err = l.message(h)
 			if err != nil {
 				l.metrics.logError(err)