Migrate Winlogbeat to ECS, take 2 (#10333)

This pull request migrates Winlogbeat to ECS. Changed in this PR: - Nest most fields specific to Windows logs under "winlog.*" - Like we do for other log transports such as "syslog.*", "journald.*" etc. - Align multiple field names to the Windows Log naming (e.g. the Channel is no longer "log_name", but is "winlog.channel") - winlog.event_id is changing datatype from long to keyword - The process and thread ID of the event logging service are nested under "winlog." as a nesting of the ECS process field set, to make the experience consistent with ECS. - Fields migrated to ECS: - level => log.level (now lowercased) - xml => event.original - message_error => error.message - new ECS fields defined: - event.code is not yet in ECS, but may eventually be. It's a copy of winlog.event_id - event.kind - event.action - event.created - error.code Note that this PR only does a light adaptation to ECS, and does not look into event_data to parse out each source's information. This kind of processing is really source specific, and should be done server-side (e.g. Ingest Node). This way, improvements in event shaping can be done without a full re-deployment of Winlogbeat across a fleet of servers, and is also easier to customize for users.
elastic · Feb 5, 2019 · b35b1ad · b35b1ad
1 parent c047ef7
commit b35b1ad
Show file tree

Hide file tree

Showing 12 changed files with 936 additions and 720 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -135,6 +135,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
+- Adjust Winlogbeat fields to map to ECS. {pull}10333[10333]
+
 *Functionbeat*
 
 - Correctly normalize Cloudformation resource name. {issue}10087[10087]

diff --git a/dev-tools/ecs-migration.yml b/dev-tools/ecs-migration.yml
@@ -2044,3 +2044,118 @@
   to: event.created
   alias: true
   beat: journalbeat
+
+## Winlogbeat
+
+# Alias to ECS fields
+
+- from: xml
+  to: event.original
+  alias: true
+  beat: winlogbeat
+
+- from: level
+  to: log.level
+  alias: true
+  beat: winlogbeat
+
+# Move fields to winlog.* section, to reduce chances of top level field name conflicts.
+
+# renames to match Windows Event Log naming
+
+- from: type
+  to: winlog.api
+  alias: true
+  beat: winlogbeat
+
+- from: log_name
+  to: winlog.channel
+  alias: true
+  beat: winlogbeat
+
+- from: record_number
+  to: winlog.record_id
+  alias: true
+  beat: winlogbeat
+
+- from: process_id
+  to: winlog.process.pid
+  alias: true
+  beat: winlogbeat
+
+- from: source_name
+  to: winlog.provider_name
+  alias: true
+  beat: winlogbeat
+
+- from: thread_id
+  to: winlog.process.thread.id
+  alias: true
+  beat: winlogbeat
+
+# Fields moved without adjusting the name
+
+- from: activity_id
+  to: winlog.activity_id
+  alias: true
+  beat: winlogbeat
+
+- from: computer_name
+  to: winlog.computer_name
+  alias: true
+  beat: winlogbeat
+
+- from: event_id
+  to: winlog.event_id
+  alias: true
+  beat: winlogbeat
+
+- from: keywords
+  to: winlog.keywords
+  alias: true
+  beat: winlogbeat
+
+- from: message_error
+  to: error.message
+  alias: true
+  beat: winlogbeat
+
+- from: related_activity_id
+  to: winlog.related_activity_id
+  alias: true
+  beat: winlogbeat
+
+- from: opcode
+  to: winlog.opcode
+  alias: true
+  beat: winlogbeat
+
+- from: provider_guid
+  to: winlog.provider_guid
+  alias: true
+  beat: winlogbeat
+
+- from: task
+  to: winlog.task
+  alias: true
+  beat: winlogbeat
+
+- from: user.identifier
+  to: winlog.user.identifier
+  alias: true
+  beat: winlogbeat
+
+- from: user.domain
+  to: winlog.user.domain
+  alias: true
+  beat: winlogbeat
+
+- from: user.type
+  to: winlog.user.type
+  alias: true
+  beat: winlogbeat
+
+- from: version
+  to: winlog.version
+  alias: true
+  beat: winlogbeat