x-pack/winlogbeat/module/routing: make pipeline routing robust to cha…

…nnel letter case (#36899)

Apparently some events from Windows servers and workstations in Security channel
have a lowercase channel name. This has not been observed in other channels, but
defensively apply the same care there.

CHANGELOG.next.asciidoc

@@ -274,6 +274,7 @@ is collected by it.
 
 *Winlogbeat*
 
+- Make ingest pipeline routing robust to letter case of channel names for forwarded events. {issue}36670[36670] {pull}36899[36899]
 
 *Functionbeat*
 

x-pack/winlogbeat/module/routing/ingest/routing.yml

@@ -6,16 +6,16 @@ processors:
       value: '{{_ingest.timestamp}}'
   - pipeline:
       name: '{< IngestPipeline "security" >}'
-      if: ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx.winlog?.provider_name)
   - pipeline:
       name: '{< IngestPipeline "sysmon" >}'
-      if: ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'microsoft-windows-sysmon/operational'
   - pipeline:
       name: '{< IngestPipeline "powershell" >}'
-      if: ctx?.winlog?.channel == 'Windows PowerShell'
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'windows powershell'
   - pipeline:
       name: '{< IngestPipeline "powershell_operational" >}'
-      if: ctx?.winlog?.channel == 'Microsoft-Windows-PowerShell/Operational'
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == 'microsoft-windows-powershell/operational'
   - set:
       field: host.os.type
       value: windows