x-pack/winlogbeat/module/routing: set host.os.type and host.os.family in forwarded events

[efd6]

What does this PR do?

Sets host.os.type and host.os.family in forwarded events.

Why is it important?

These fields are used in detection rules.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• For [Windows] Adding host.os.type to forwarded events integrations#6162

Use cases

Screenshots

Logs

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-05-14T22:23:58.990+0000

• Duration: 36 min 54 sec

Test stats 🧪

Test	Results
Failed	0
Passed	336
Skipped	0
Total	336

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[legoguy1000]

Does the following config https://www.elastic.co/guide/en/beats/winlogbeat/master/configuration-winlogbeat-options.html#_event_logs_forwarded set the forwarded tag? I'm looking at the code and I don't think so. So should we do both?

winlogbeat.event_logs:
  - name: <Channel>
    forwarded: true
    tags: [forwarded]

For more context, we're not using the ForwardedEvents channel, we have multitude of custom channels that intakes WEF logs from the environment to balance the load.

[efd6]

Yeah, I spent a fair bit of time trying to sort that out. As far as I can make out, forwarded must be set by the user in the config as you have in the snippet. This is how it always appears in the repo.

[legoguy1000]

Would it not make sense to just if forwarded: true to automatically add the forwarded tag? That way users don't have to remember to do both?

[legoguy1000]

Or perhaps instead of requiring the tag. Just check if the field isn't set, set to windows otherwise use the provided field

[efd6]

The config value doesn't make its way into the ingested document AFAICS.

[legoguy1000]

Correct. I'm thinking in the winlogbeat code to either auto add the tag if you're going to leave the if:.... conditional on the ingest processors OR change the conditional to just always set the fields if they're not already set since I think it's a decent default to assume the OS is windows

[efd6]

change the conditional to just always set the fields if they're not already set since I think it's a decent default to assume the OS is windows

I like this one.

[legoguy1000]

for our purposes until this is merged and released, it looks like i'm going to use the below in our environment

      - set:
          field: host.os.type
          value: windows
          override: false
      - set:
          field: host.os.family
          value: windows
          override: false

The override logic works so if its already set, nothing changes and if not, it gets set to windows.

[ebeahan]

LGTM