[Winlogbeat] Set host.name to computername (#14625)

leehinman · web-flow · commit da6dd9d64740 · 2019-11-20T13:29:40.000-06:00
* Set host.name to computername - set host.name to computer name for windows events and sysmon - Add info about libbeat #14407 dependency Fixes #13706
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -276,6 +276,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 
 - Fix data race affecting config validation at startup. {issue}13005[13005]
+- Set host.name to computername in Windows event logs & sysmon.  Requires {pull}14407[14407] in libbeat to work  {issue}13706[13706]
 
 *Functionbeat*
 
diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go
@@ -134,6 +134,7 @@ func (e Record) ToEvent() beat.Event {
 	m.Put("event.code", e.EventIdentifier.ID)
 	m.Put("event.provider", e.Provider.Name)
 	addOptional(m, "event.action", e.Task)
+	addOptional(m, "host.name", e.Computer)
 
 	m.Put("event.created", time.Now())
 
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
@@ -11,6 +11,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -83,6 +86,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -155,6 +161,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -230,6 +239,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -302,6 +314,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -374,6 +389,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -446,6 +464,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -518,6 +539,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -590,6 +614,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -665,6 +692,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -737,6 +767,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -812,6 +845,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -884,6 +920,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -956,6 +995,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -1028,6 +1070,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -1100,6 +1145,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -1172,6 +1220,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_success"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
@@ -1244,6 +1295,9 @@
       "provider": "Microsoft-Windows-Security-Auditing",
       "type": "authentication_failure"
     },
+    "host": {
+      "name": "vagrant-2012-r2"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "vagrant-2016"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -58,6 +61,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -81,6 +84,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -62,6 +65,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -63,6 +66,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -62,6 +65,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -62,6 +65,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -63,6 +66,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
@@ -82,6 +85,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.evtx.golden.json
@@ -8,6 +8,9 @@
       "module": "security",
       "provider": "Microsoft-Windows-Security-Auditing"
     },
+    "host": {
+      "name": "WIN-41OB2LO92CR"
+    },
     "log": {
       "level": "information"
     },
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.evtx.golden.json
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.evtx.golden.json
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.evtx.golden.json
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-10.2-dns.evtx.golden.json
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
