Custom Windows event logs

[leehinman]

What does this PR do?

Adds a new integration for adding custom Windows event logs

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.

Related issues

• Closes [Windows] Custom Event Channel support #317

Screenshots

Catalog Screenshot

Overview Screenshot

Add Integration Screenshot

Advanced Options Screenshot

[fearful-symmetry]

Is there a reason this is its own integration? We might just want to put it in the Windows integration.

[leehinman]

Is there a reason this is its own integration? We might just want to put it in the Windows integration.

:-) This is an ongoing debate. If you have multiple custom logs, you have to add the integration multiple times and it was felt that adding the Windows integration multiple times was "odd". So having it's own integration was thought to be less confusing.

Long term we want to use the "multi" option from elastic/package-spec#110 and I think at that time we would move it to the Windows integration.

[fearful-symmetry]

This is an ongoing debate. If you have multiple custom logs, you have to add the integration multiple times and it was felt that adding the Windows integration multiple times was "odd". So having it's own integration was thought to be less confusing.

Ahh, okay, makes sense. Yah, over time we'll definitely want to integrate it. In general, the Integration install/management process isn't great for discoverability.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #794 updated

• Start Time: 2021-04-02T01:31:17.460+0000

• Duration: 59 min 15 sec

• Commit: 8776247

Test stats 🧪

Test	Results
Failed	0
Passed	1923
Skipped	3
Total	1926

Trends 🧪

[andresrc]

@leehinman I understand we are using this as an "input" package (/cc @ruflin )

[ruflin]

I would consider this an input package. Even though this is a bit special as winlog is already very structured.

[leehinman]

@andresrc or @ruflin sorry, I sounds like "input package" has special meaning, but I'm not aware of it. Could you clarify? or point me to issue/docs? I just want to make sure I'm not supposed to be doing something different.

[jamiehynds]

@leehinman users may be unsure what to populate the dataset name with. Does the value default to generic or do we need to pre-populate with a default value, e.g. windows.custom

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

Does this need show_user: false? Checking the spec, this supposedly defaults to false true. https://github.com/elastic/package-spec/blob/a8fe73d82b25806f6b96582b99993a63b67ef130/versions/1/data_stream/manifest.spec.yml#L83

[leehinman]

No not needed, I can remove.

I often include it because it controls inclusion in "Advanced" items, so while developing it makes it easy to toggle.

[andrewkroh]

Sorry 🤦 , I was really unclear in that comment. What I meant was, does custom need to add show_user: false because it's an advanced setting? And I misquoted the link, the spec says the default is show_user: true, so without it I assume custom is always being shown to the user.

[leehinman]

I think you found a Fleet GUI bug. So if show_user: false or show_user is missing, then "Custom Configurations" showed up in the "Advanced Settings". If show_user:true, then it is always shown to the user. Weird.

Anyway, I'm adding show_user:false to "Custom Configurations".

[andrewkroh]

👍

[hogemo]

Is it possible to listen for multiple channels for one integration? Or do i specifically need one integration per channel?