Windows Integrations don't render the preserve_original_event tag even when it's toggled on

[devamanv]

Current behavior

An issue was recently reported in the system integration wherein a user would not see the event.original field in the ingested events for Windows(but was working fine for Mac and Linux). It was found that the preserve_original_event wasn't being rendered in the Agent config, even when the Preserve Original event toggle was on. This led to the removal of the event.original field from the ingested event.

Read on for additional details.

On windows no event.original:

On Linux/Mac

The issue was traced to the event.original getting deleted by the .fleet_final_pipeline here

{
    "remove": {
      "description": "Remove event.original unless the preserve_original_event tag is set",
      "field": "event.original",
      "if": "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))",
      "ignore_failure": true,
      "ignore_missing": true
    }
}

The winlog inputs use the include_xml: true config option. So, at the Agent level the original XML is added to the event, as seen in the code.

As a fix, it was suggested to add "preserve_original_event" in the tags section for each of the 3 datastreams (Application, Security, System) in "Collect events from the Windows event log". This brought back the missing event.original field.

Expected behavior

The tags should be rendered in the Agent config when the Preserve Original Event toggle is turned on by the user.

We need to check and revisit all the integrations that rely on include_xml(especially windows based integrations), and need to also set the tag preserve_original_event.

[leehinman]

Integrations that need work:

• hid_bravura_monitor winlog data_stream is missing the include_xml option
• system security data_stream is missing the preserve_original_event tag
• system system data_stream is missing the preserve_original_event tag
• system application data_stream is missing the preserve_original_event tag
• microsoft_sqlserver audit data_stream is missing the preserve_original_event tag
• winlog data_stream is missing the preserve_original_event tag
• windows sysmon_operational data_stream is missing the preserve_original_event tag
• windows powershell_operational data_stream is missing the preserve_original_event tag
• windows powershell data_stream is missing the preserve_original_event tag
• windows forwarded data_stream is missing the preserve_original_event tag
• windows applocker_exe_and_dll data_stream is missing the preserve_original_event tag
• windows applocker_packaged_app_deployment data_stream is missing the preserve_original_event tag
• windows applocker_msi_and_script data_stream is missing the preserve_original_event tag
• windows applocker_packaged_app_execution data_stream is missing the preserve_original_event tag

[andrewkroh]

Good find @leehinman.

---

The issue was traced to the event.original getting deleted by the .fleet_final_pipeline

This is a surprising change in the behavior of Fleet that preserve_original_event is necessary for the event.original field to pass through the final pipeline. My wish is that changes like this would be announced through the fleet-contributors mailing list.

[devamanv]

system security data_stream is missing the preserve_original_event tag
system system data_stream is missing the preserve_original_event tag
system application data_stream is missing the preserve_original_event tag

These data_streams under the system package will be taken care of with this PR.
The remaining datastreams will be handled in subsequent PRs

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

For winlog, windows, and hid_bravura_monitor.

[nicpenning]

👀