
[Winlogbeat] Lowercase Security channel name #36670

Closed
kowalczyk-p opened this issue Sep 25, 2023 · 2 comments · Fixed by #36899
@kowalczyk-p

Some events from Windows servers and workstations in the Security channel have a lowercase channel name. This is a problem because the routing pipeline for Winlogbeat runs the correct sub-pipeline only if the channel name matches "Security" exactly. As a result, some important events are not parsed.

Routing pipeline from version 8.8.2:

[
  {
    "set": {
      "field": "event.ingested",
      "value": "{{_ingest.timestamp}}"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-security",
      "if": "ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-sysmon",
      "if": "ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-powershell",
      "if": "ctx?.winlog?.channel == 'Windows PowerShell'"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-powershell_operational",
      "if": "ctx?.winlog?.channel == 'Microsoft-Windows-PowerShell/Operational'"
    }
  }
]

I did not notice the same issue for any other channel.
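To see which events the routing conditions above would drop, here is an added Python simulation of the 8.8.2 routing logic (example code, not part of this issue or of the Winlogbeat project). The sample events are constructed, and the case-insensitive variant is one possible fix assumed for illustration, not necessarily what #36899 merged.

```python
"""Simulate the Winlogbeat 8.8.2 routing pipeline's channel conditions.

route() reproduces the exact-match 'if' conditions from the pipeline JSON.
With case_insensitive=True it applies an assumed fix that compares the channel
in lowercase (roughly `ctx.winlog.channel.toLowerCase() == 'security'` in
Painless); this is an assumption, not the merged change.
"""

SECURITY_PROVIDERS = {"Microsoft-Windows-Eventlog",
                      "Microsoft-Windows-Security-Auditing"}

# Remaining channels from the pipeline JSON, all matched exactly.
EXACT_ROUTES = {
    "Microsoft-Windows-Sysmon/Operational": "winlogbeat-8.8.2-sysmon",
    "Windows PowerShell": "winlogbeat-8.8.2-powershell",
    "Microsoft-Windows-PowerShell/Operational":
        "winlogbeat-8.8.2-powershell_operational",
}


def route(event, case_insensitive=False):
    """Return the sub-pipeline the event is sent to, or None if no condition matches."""
    winlog = event.get("winlog") or {}
    channel = winlog.get("channel")
    if channel is None:
        return None
    if case_insensitive:
        is_security = channel.lower() == "security"
    else:
        is_security = channel == "Security"          # condition as shipped in 8.8.2
    if is_security and winlog.get("provider_name") in SECURITY_PROVIDERS:
        return "winlogbeat-8.8.2-security"
    return EXACT_ROUTES.get(channel)


# Constructed sample events; the second one reproduces the reported problem.
SAMPLE_EVENTS = [
    {"winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing"}},
    {"winlog": {"channel": "security", "provider_name": "Microsoft-Windows-Security-Auditing"}},
    {"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "provider_name": "Microsoft-Windows-Sysmon"}},
    {"winlog": {"channel": "Security", "provider_name": "SomeOtherProvider"}},
]


def unrouted_security_events(events, case_insensitive=False):
    """Security-channel events (any letter case) that bypass the security sub-pipeline."""
    return [e for e in events
            if (e.get("winlog") or {}).get("channel", "").lower() == "security"
            and route(e, case_insensitive) is None]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["winlog"]["channel"], "->", route(e), "| fixed:", route(e, True))
```

The unrouted count is the thing to alert on in an ingest health check: any Security-channel event that reaches the index without the security sub-pipeline's parsed fields is a silent detection gap.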

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 25, 2023
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 16, 2023
@jamiehynds jamiehynds added Winlogbeat needs_team Indicates that the issue/PR needs a Team:* label labels Oct 16, 2023
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 16, 2023
@botelastic

botelastic bot commented Oct 16, 2023

This issue doesn't have a Team:<team> label.
