windows: make pipeline routing robust to channel letter case (#8242)

Apparently some events from Windows servers and workstations in Security channel have a lowercase channel name. This has not been observed in other channels, but defensively apply the same care there.
elastic · Oct 23, 2023 · 26c8cb3 · 26c8cb3
1 parent b9a6ebd
commit 26c8cb3
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 7 deletions.
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.40.0"
+  changes:
+    - description: Make ingest pipeline routing robust to letter case of channel names for forwarded events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8242
 - version: "1.39.0"
   changes:
     - description: Added field `winlog.event_data.EnabledPrivilegeList` as type keyword to forwarded data stream.

diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json
@@ -34,7 +34,7 @@
                         "id": 4532
                     }
                 },
-                "channel": "Security",
+                "channel": "security",
                 "event_id": 1100,
                 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
                 "opcode": "Info",

diff --git a/...es/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json b/...es/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
@@ -39,7 +39,7 @@
                 "level": "information"
             },
             "winlog": {
-                "channel": "Security",
+                "channel": "security",
                 "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
                 "event_id": "1100",
                 "keywords": [

diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
@@ -3,16 +3,16 @@ description: Pipeline for Windows forwarded Event Logs
 processors:
   - pipeline:
       name: '{{ IngestPipeline "security" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security" && ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx?.winlog?.provider_name)
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "security" && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx.winlog?.provider_name)
   - pipeline:
       name: '{{ IngestPipeline "powershell" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Windows PowerShell"
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "windows powershell"
   - pipeline:
       name: '{{ IngestPipeline "powershell_operational" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-PowerShell/Operational"
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "microsoft-windows-powershell/operational"
   - pipeline:
       name: '{{ IngestPipeline "sysmon_operational" }}'
-      if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+      if: ctx.winlog?.channel instanceof String && ctx.winlog.channel.toLowerCase() == "microsoft-windows-sysmon/operational"
 
   - set:
       field: host.os.type

diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.39.0
+version: 1.40.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: