Some events from Windows servers and workstations in the Security channel have a lowercase channel name. This is a problem because the routing pipeline for Winlogbeat runs the correct sub-pipeline only if the channel name matches "Security" exactly. As a result, some important events are not parsed.
Routing pipeline from version 8.8.2:
```json
[
  {
    "set": {
      "field": "event.ingested",
      "value": "{{_ingest.timestamp}}"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-security",
      "if": "ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-sysmon",
      "if": "ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-powershell",
      "if": "ctx?.winlog?.channel == 'Windows PowerShell'"
    }
  },
  {
    "pipeline": {
      "name": "winlogbeat-8.8.2-powershell_operational",
      "if": "ctx?.winlog?.channel == 'Microsoft-Windows-PowerShell/Operational'"
    }
  }
]
```
I did not notice the same issue for any other channel.
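As an added example, not part of the original issue or of the Winlogbeat code, the following Python script re-implements the Security-channel routing condition from the pipeline above and runs it over constructed sample events, so the event that the exact match silently skips can be seen offline. The `equalsIgnoreCase` condition in `patched_security_processor()` is a proposed, null-safe Painless condition for the fix; it is an assumption on my part, not something that has shipped in any Winlogbeat version.

```python
"""Simulate the Winlogbeat 8.8.2 routing condition for the Security channel.

Added example: the Painless `if` conditions from the routing pipeline are
mirrored in Python and run over hand-made sample events, so the effect of
a lowercase channel name can be checked without an Elasticsearch cluster.
"""
import json

# Providers accepted by the security sub-pipeline condition (copied from the pipeline).
SECURITY_PROVIDERS = {"Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"}

# Constructed sample events; only the fields the routing condition reads are present.
SAMPLE_EVENTS = [
    {"winlog": {"channel": "Security", "provider_name": "Microsoft-Windows-Security-Auditing", "event_id": 4624}},
    {"winlog": {"channel": "security", "provider_name": "Microsoft-Windows-Security-Auditing", "event_id": 4625}},
    {"winlog": {"channel": "Microsoft-Windows-Sysmon/Operational", "provider_name": "Microsoft-Windows-Sysmon", "event_id": 1}},
    {"winlog": {"provider_name": "Microsoft-Windows-Security-Auditing", "event_id": 4672}},  # channel field missing
]


def routes_to_security_exact(event):
    """Mirror of the shipped condition:
    ctx?.winlog?.channel == 'Security' && [...].contains(ctx?.winlog?.provider_name)"""
    winlog = event.get("winlog") or {}
    return winlog.get("channel") == "Security" and winlog.get("provider_name") in SECURITY_PROVIDERS


def routes_to_security_ci(event):
    """Case-insensitive variant, null-safe in the same way as the proposed Painless fix."""
    winlog = event.get("winlog") or {}
    channel = winlog.get("channel")
    return channel is not None and channel.lower() == "security" and winlog.get("provider_name") in SECURITY_PROVIDERS


def unparsed_security_events(events):
    """Event IDs of Security-provider events that the exact match skips but a
    case-insensitive match would hand to the security sub-pipeline."""
    return [e["winlog"]["event_id"] for e in events
            if routes_to_security_ci(e) and not routes_to_security_exact(e)]


def patched_security_processor(version="8.8.2"):
    """Build the security routing processor with a case-insensitive, null-safe
    Painless condition. Proposed fix (assumption), not the shipped pipeline."""
    return {
        "pipeline": {
            "name": f"winlogbeat-{version}-security",
            "if": (
                "ctx.winlog?.channel != null && ctx.winlog.channel.equalsIgnoreCase('Security') "
                "&& ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing']"
                ".contains(ctx?.winlog?.provider_name)"
            ),
        }
    }


if __name__ == "__main__":
    print("event IDs skipped by the exact match:", unparsed_security_events(SAMPLE_EVENTS))
    print(json.dumps(patched_security_processor(), indent=2))
```

The `!= null` guard matters in Painless: a bare `ctx?.winlog?.channel?.equalsIgnoreCase('Security')` evaluates to null when the channel is absent, and a null value is not a valid boolean for a processor `if`. Comparing with `== true` is an alternative way to make that form safe.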