
[winlogbeat] Use the original host for host.name in Windows Event Logs #13706

Closed
faec opened this issue Sep 16, 2019 · 7 comments · Fixed by #14625
@faec
Contributor

faec commented Sep 16, 2019

Windows Event Logs allows windows logs from many systems to be automatically collected on a single aggregated node. When Winlogbeat ingests these aggregate logs, it sets host.name to the host that is running the beat, rather than the host that the log originally came from. This causes downstream confusion, e.g. the support case that prompted this noted that the SIEM "Uncommon Processes" category wasn't useful in this setting because logs from many nodes were treated as a single host.

This problem comes up in other settings, such as syslog ingestion in Filebeat which often aggregates logs from many nodes, so while the particular case that prompted it is Winlogbeat, this is arguably a larger meta-issue for any beats / inputs that might serve as aggregation points.

It's still possible to handle these correctly today using advanced features such as script processors, but it would be nice to have a simpler and more consistent configuration story for this increasingly common pattern.

@cwurm
Contributor

cwurm commented Sep 30, 2019

Thanks @faec. For context, this only applies when using Windows Event Forwarding (WEF).

In that case, it's possible to change the host.name to the hostname of the forwarded event using a pipeline such as (from this discuss thread):

processors:
  - script:
      lang: javascript
      id: forwarded_hostname
      source: >
        function process(event) {
          // Only events relayed via WEF land in the ForwardedEvents channel.
          var channel = event.Get("winlog.channel");
          if (channel && channel === "ForwardedEvents") {
            // Replace the collector's name with the originating computer.
            event.Put("host.name", event.Get("winlog.computer_name"));
          }
        }

But yeah, would be nice if at some point Winlogbeat would do this automatically.

/cc @andrewkroh

@tomrade

tomrade commented Oct 15, 2019

Hey, I've also had this, but the fix noted in the forum doesn't seem to work for me as I'm using the option forwarded: true, which renames the channel to be the channel from the forwarded event and thus will never hit the trigger.

@aimarpl

aimarpl commented Oct 18, 2019

Seems like the mentioned code isn't working in winlogbeat 7.4. Here's my winlogbeat.yml:

winlogbeat.event_logs:
  - name: ForwardedEvents
    ignore_older: 72h
    forwarded: true
    processors:
      - script:
          lang: javascript
          id: forwarded_hostname
          source: >
            function process(event) {
              var channel = event.Get("winlog.channel");
              if (channel && channel === "ForwardedEvents") {
                event.Put("host.name", event.Get("winlog.computer_name"));
              }
            }

and here's an output:
[screenshot: wlb-error]

any idea what could that be?

@aimarpl

aimarpl commented Oct 18, 2019

ah, got it working;
I have created new .js file: ${path.home}/module/security/config/forwarded_logs.js

which contains following code:

function process(event) {
  event.Put("host.name", event.Get("winlog.computer_name"));
}

And in winlogbeat.yml processors section I added:

- script:
    lang: javascript
    id: forwarded_hostname
    file: ${path.home}/module/security/config/forwarded_logs.js

Now it all works like a charm :)

Thing is, it only seems to be working when added in top processors section, not under event_logs

@cwurm
Contributor

cwurm commented Oct 18, 2019

Thing is, it only seems to be working when added in top processors section, not under event_logs

Yeah, if you put it under event_logs, libbeat overwrites it, unfortunately. We have a proposal to fix it: #13920 (comment)

Hey, I've also had this, but the fix noted in the forum doesn't seem to work for me as I'm using the option forwarded: true, which renames the channel to be the channel from the forwarded event and thus will never hit the trigger.

I see, yeah. Same problem as above, we first need to fix libbeat to not overwrite host.name, then we can set it correctly right when reading events.

@Nitromatt

Nitromatt commented Nov 6, 2019

ah, got it working;
I have created new .js file: ${path.home}/module/security/config/forwarded_logs.js

which contains following code:

function process(event) {
  event.Put("host.name", event.Get("winlog.computer_name"));
}

And in winlogbeat.yml processors section I added:

- script:
    lang: javascript
    id: forwarded_hostname
    file: ${path.home}/module/security/config/forwarded_logs.js

Now it all works like a charm :)

Thing is, it only seems to be working when added in top processors section, not under event_logs

Have tried your solution, but the winlogbeat service won't start, checked syntax and all looks ok, any chance of getting your winlogbeat.yml file?

@cwurm
Contributor

cwurm commented Nov 6, 2019

Hey, I've also had this, but the fix noted in the forum doesn't seem to work for me as I'm using the option forwarded: true, which renames the channel to be the channel from the forwarded event and thus will never hit the trigger.

I see, yeah. Same problem as above, we first need to fix libbeat to not overwrite host.name, then we can set it correctly right when reading events.

@tomrade A workaround that I just thought about: You could add a forwarded field yourself in the event_logs section using the add_fields processor, then use that field to overwrite host.name in the top-level processors section with the script above.
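An added example (not from the issue or the Beats project) of the script body for the workaround above: it honours a hypothetical `event.forwarded` flag set by add_fields in the event_logs section, falls back to the ForwardedEvents channel check for configs without `forwarded: true`, and keeps the collector's name in a hypothetical `host.forwarder` field. The MockEvent class and the sample events are constructed here so the script can run outside Winlogbeat.

```javascript
// Minimal stand-in for the Beats event API (Get/Put on dotted keys) so the
// script can be exercised offline; the real script processor supplies its own.
function MockEvent(fields) { this.fields = fields; }
MockEvent.prototype.Get = function (key) {
  var parts = key.split("."), cur = this.fields;
  for (var i = 0; i < parts.length; i++) {
    if (cur === null || typeof cur !== "object" || !(parts[i] in cur)) return null;
    cur = cur[parts[i]];
  }
  return cur;
};
MockEvent.prototype.Put = function (key, value) {
  var parts = key.split("."), cur = this.fields;
  for (var i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] === null || typeof cur[parts[i]] !== "object") cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
};

// Script-processor entry point (Beats calls process(event) once per event).
function process(event) {
  // Forwarded if the event_logs add_fields processor flagged it (hypothetical
  // field "event.forwarded") or if it still sits in the ForwardedEvents channel.
  var forwarded = event.Get("event.forwarded") === true ||
      event.Get("winlog.channel") === "ForwardedEvents";
  if (!forwarded) return;
  var computer = event.Get("winlog.computer_name");
  // Without a usable originating computer name, keep the collector's host.name.
  if (typeof computer !== "string" || computer === "") return;
  // Preserve which WEF collector relayed the event (hypothetical field).
  event.Put("host.forwarder", event.Get("host.name"));
  event.Put("host.name", computer);
}

// Constructed sample events: one relayed through WEF (channel already renamed
// by forwarded: true, flag set by add_fields), one logged on the collector.
var forwardedEvent = new MockEvent({
  host: { name: "wef-collector01" },
  event: { forwarded: true },
  winlog: { channel: "Security", computer_name: "WS-FINANCE-07.corp.example" }
});
var localEvent = new MockEvent({
  host: { name: "wef-collector01" },
  winlog: { channel: "Security", computer_name: "wef-collector01" }
});
process(forwardedEvent);
process(localEvent);
```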

leehinman added a commit to leehinman/beats that referenced this issue Nov 19, 2019
 - set host.name to computer name for windows events and sysmon

Fixes elastic#13706
leehinman added a commit that referenced this issue Nov 20, 2019
* Set host.name to computername

 - set host.name to computer name for windows events and sysmon
 - Add info about libbeat #14407 dependency

Fixes #13706
leehinman added a commit to leehinman/beats that referenced this issue Nov 21, 2019
* Set host.name to computername

 - set host.name to computer name for windows events and sysmon
 - Add info about libbeat elastic#14407 dependency

Fixes elastic#13706

(cherry picked from commit da6dd9d)
leehinman added a commit that referenced this issue Nov 21, 2019
* Set host.name to computername

 - set host.name to computer name for windows events and sysmon
 - Add info about libbeat #14407 dependency

Fixes #13706

(cherry picked from commit da6dd9d)