[windows] Adding custom config to datastreams winlog input (#8877)

* Adding custom winlog input config to windows integration * changelog * cleaning up new lines
elastic · Jan 16, 2024 · 3840a7f · 3840a7f
1 parent bc6b4cd
commit 3840a7f
Show file tree

Hide file tree

Showing 18 changed files with 94 additions and 1 deletion.
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.44.0"
+  changes:
+    - description: Add `custom` configuration option to winlog inputs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/8877
 - version: "1.43.0"
   changes:
     - description: Limit request tracer log count to five.

diff --git a/packages/windows/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_exe_and_dll/agent/stream/winlog.yml.hbs
@@ -29,3 +29,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/applocker_exe_and_dll/manifest.yml b/packages/windows/data_stream/applocker_exe_and_dll/manifest.yml
@@ -53,6 +53,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows AppLocker EXE and DLL Events via Splunk Enterprise REST API

diff --git a/packages/windows/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_msi_and_script/agent/stream/winlog.yml.hbs
@@ -29,3 +29,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/applocker_msi_and_script/manifest.yml b/packages/windows/data_stream/applocker_msi_and_script/manifest.yml
@@ -53,6 +53,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows AppLocker MSI and Script Events via Splunk Enterprise REST API

diff --git a/packages/windows/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_packaged_app_deployment/agent/stream/winlog.yml.hbs
@@ -29,3 +29,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/applocker_packaged_app_deployment/manifest.yml b/packages/windows/data_stream/applocker_packaged_app_deployment/manifest.yml
@@ -53,6 +53,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows AppLocker/Packaged app-Deployment Events via Splunk Enterprise REST API

diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/applocker_packaged_app_execution/agent/stream/winlog.yml.hbs
@@ -29,3 +29,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml b/packages/windows/data_stream/applocker_packaged_app_execution/manifest.yml
@@ -53,6 +53,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows AppLocker/Packaged app-Execution Events via Splunk Enterprise REST API

diff --git a/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs
@@ -32,3 +32,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/forwarded/manifest.yml b/packages/windows/data_stream/forwarded/manifest.yml
@@ -61,6 +61,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows ForwardedEvents via Splunk Enterprise REST API

diff --git a/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs
@@ -29,3 +29,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/powershell/manifest.yml b/packages/windows/data_stream/powershell/manifest.yml
@@ -60,6 +60,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows Powershell Events via Splunk Enterprise REST API

diff --git a/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
@@ -29,3 +29,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/powershell_operational/manifest.yml b/packages/windows/data_stream/powershell_operational/manifest.yml
@@ -60,6 +60,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows Powershell Operational Events via Splunk Enterprise REST API

diff --git a/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
@@ -29,3 +29,4 @@ processors:
 {{#if processors.length}}
 {{processors}}
 {{/if}}
+{{custom}}
diff --git a/packages/windows/data_stream/sysmon_operational/manifest.yml b/packages/windows/data_stream/sysmon_operational/manifest.yml
@@ -51,6 +51,16 @@ streams:
         show_user: false
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+      - name: custom
+        type: yaml
+        title: Custom Configurations
+        description: >-
+          YAML configuration options for winlog input. Be careful, this may break the integration.
+        required: false
+        show_user: false
+        default: |-
+          # Winlog configuration example
+          #batch_read_size: 100
 
   - input: httpjson
     title: Windows Sysmon Operational Events via Splunk Enterprise REST API

diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.43.0
+version: 1.44.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: