Windows sensor JSON parsing errors due to WMIRunner probe output being larger than 10,000 character, which creates a new line in the middle of the JSON


Description

Windows terminal width can handle 9999 characters. When the MID Server has Powershell v2, we receive payload more than that, the data is pushed to a new line. WMIRunner probes such as Windows - Installed Software, which return a lot of data in JSON format, will cause JSON parsing errors during sensor processing if the JSON has invalid new lines in it.

Steps to Reproduce

  1. Install a MID Server on a Windows host with only Powershell v2
  2. Run Discovery of a Windows Server with a considerable amount of Installed Software

Notice that "Windows - Installed Software" sensor if failing with an error and no Application patterns are running (e.g. you don't see the expected Oracle DB On Windows, IIS, Tomcat, MSSQL, SharePoint, SASS, My SQL server On Windows and Linux).

The ECC Queue input Error string field will have this error. The MID Server version probably will already be up to date when seeing this error:

Sensor is expecting JSON format in the output field after probe post processor script. Please check that your MID server is up to date. (sys_script_include.778011130a0a0b2500c4595ad1d1d768.script; line 28)

The ECC Queue input  payload will have something like:

<results error="JSON.parse (script_include:JSON; line 42)"...

Workaround

Apply the attached update set.


Related Problem: PRB1349945