FIX: Windows Event Logs forwarded via Wazuh are not parsing host.name properly

[InfosecGoon]

Windows Event Logs (including Sysmon, which is where we initially spotted this) that are ingested through Winlogbeat record the host name of the sending host as winlog.computer_name. But if they're sent via Wazuh, it's recorded as winlog.computer instead. Which isn't a big deal if your environment isn't mixing-and-matching log transports, but it's coming up now because the new Sysmon dashboards are configured to use winlog.computer_name and so they're not showing anything for environments forwarding the events via Wazuh. I've confirmed the behavior on my test machines.

After discussion with Josh B and Wes, it looks like host.name is also being set incorrectly (should be Windows endpoint agent name, instead it's the name of the receiving SO instance) and Josh thinks this is the root of the problem.

[TOoSmOotH]

Wazuh is not supported any more