There are some Windows events where Winlogbeat parses out the username to winlog.user.name but leaves user.name blank. For example, event ID 4104 (PowerShell script block logging).
Event ID 4104 is in the Microsoft-Windows-PowerShell/Operational and PowerShellCore/Operational log channels. I successfully set up a copy_fields processor in winlogbeat.yml for those log channels (see this topic), but it occurred to me that it's just better to check any event that has winlog.user.name but not user.name and have it perform the field copy.
Not quite. The topic you referenced (mine also) was about event ID 4104 specifically. I was able to solve that one by doing the action based on the source log channel.
In this topic, I am searching for a way to copy winlog.user.name to user.name anytime the former exists (and is set to a value) and the latter does not, no matter what event ID or source log channel.
The example processor code in my OP does not work. It does not result in a populated user.name field for events where winlog.user.name is present but user.name isn't.
I'm assuming the issue is how I'm declaring the conditionals or the values for them, but I do not know how to fix it.
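A winlogbeat.yml processor block that implements the goal stated above, added here as an example (it is not the original poster's configuration) using the documented copy_fields processor and Beats condition syntax. The regexp clause is used instead of a bare has_fields check on winlog.user.name because has_fields only tests that the field exists, not that it holds a non-empty value.

```yaml
processors:
  # Copy winlog.user.name to user.name for ANY event, regardless of
  # event ID or source channel, when the source is present and non-empty
  # and the destination has not already been populated.
  - copy_fields:
      when:
        and:
          # winlog.user.name exists and contains at least one character
          - regexp:
              winlog.user.name: '^.+$'
          # user.name has not been set yet
          - not:
              has_fields: ['user.name']
      fields:
        - from: winlog.user.name
          to: user.name
      # Do not drop or error on events where the copy cannot be made
      fail_on_error: false
      ignore_missing: true
```

Because user.name is then populated consistently across all channels, detection rules and dashboards keyed on the ECS user.name field will also cover events such as 4104 instead of silently skipping them.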