Event.module Field Not Added by Winlogbeat Module (>= v8.0.0)

Hi there,

As far as I understand, event.module is not being added to each document originating from Winlogbeat (starting from v8.0.0) that uses Winlogbeat modules.

This field was previously seen from v7.4.0 onwards, where the field was added in the Winlogbeat module's JavaScript file. Winlogbeat modules changed from 8.0.0 onwards to use Elasticsearch Ingest Node for processing.

In the winlogbeat-[beats_version]-[module_name] ingest pipeline, event.module is not seen to be added. Here is a snippet of the ingest pipeline, showing all parts of the pipeline that handle the event.X fields (we do not see event.module):

I do not see it being added in the winlogbeat-[beats_version]-routing ingest pipeline either.

Here is a snippet of a Winlogbeat document (after it had been parsed by the Sysmon ingest pipeline):

References:

  1. Update sysmon and security modules by andrewkroh · Pull Request #13047 · elastic/beats · GitHub
  2. Beats version 7.4.0 | Beats Platform Reference [8.1] | Elastic
  3. Modules | Winlogbeat Reference [8.1] | Elastic
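The two checks implied by the post, written out as an added example (this is not code from the thread, from Winlogbeat, or from the linked pull request): a static walk over an ingest pipeline definition to see whether any `set` or `rename` processor writes `event.module`, and a scan over indexed documents for ones where the field is absent. The pipeline and documents are constructed stand-ins that only resemble the winlogbeat-[beats_version]-[module_name] pipelines and Sysmon output; the real pipelines are longer and are not reproduced here. The `with_event_module` helper shows the shape of a corrective `set` processor as an assumption, not the change that was actually merged.

```python
"""Check whether an Elasticsearch ingest pipeline sets event.module.

Added example; the pipeline and document samples below are constructed
and do not reproduce the real Winlogbeat module pipelines.
"""
import json
from typing import Any, Dict, Iterable, List, Set

# Constructed stand-in for a module pipeline that handles several event.*
# fields but never sets event.module (the gap described in the post).
PIPELINE_WITHOUT_MODULE: Dict[str, Any] = {
    "description": "Constructed example: Sysmon-like module pipeline",
    "processors": [
        {"set": {"field": "event.kind", "value": "event"}},
        {"set": {"field": "event.code", "copy_from": "winlog.event_id"}},
        {"set": {"field": "event.category", "value": ["process"],
                 "if": "ctx.winlog?.event_id == '1'"}},
        {"date": {"field": "winlog.time_created", "target_field": "@timestamp",
                  "formats": ["ISO8601"],
                  "on_failure": [
                      {"set": {"field": "error.message",
                               "value": "date parse failure"}}]}},
    ],
}

# Constructed documents as they might look after the pipeline ran; only
# doc-1 carries event.module.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"_id": "doc-1", "_source": {"event": {"module": "sysmon", "code": "1"}}},
    {"_id": "doc-2", "_source": {"event": {"code": "3", "kind": "event"}}},
    {"_id": "doc-3", "_source": {"winlog": {"event_id": "4624"}}},
]


def processors(pipeline: Dict[str, Any]) -> Iterable[Dict[str, Any]]:
    """Yield every processor, descending into per-processor on_failure lists."""
    stack: List[Dict[str, Any]] = list(pipeline.get("processors", []))
    while stack:
        proc = stack.pop()
        yield proc
        for body in proc.values():
            if isinstance(body, dict):
                stack.extend(body.get("on_failure", []))


def fields_set(pipeline: Dict[str, Any]) -> Set[str]:
    """Fields written by `set` and `rename` processors.

    Fields assigned inside a `script` processor (ctx.event.module = ...)
    are not visible to this static check, so a negative result means
    'not set by set/rename', not 'never set'.
    """
    fields: Set[str] = set()
    for proc in processors(pipeline):
        if "set" in proc:
            fields.add(proc["set"]["field"])
        elif "rename" in proc:
            fields.add(proc["rename"]["target_field"])
    return fields


def sets_event_module(pipeline: Dict[str, Any]) -> bool:
    return "event.module" in fields_set(pipeline)


def with_event_module(pipeline: Dict[str, Any], module_name: str) -> Dict[str, Any]:
    """Copy of the pipeline with a `set` processor for event.module prepended.

    Assumption: this is one plausible shape of a fix, not the merged change.
    """
    fixed = json.loads(json.dumps(pipeline))  # cheap deep copy of plain JSON
    fixed["processors"].insert(
        0, {"set": {"field": "event.module", "value": module_name}})
    return fixed


def missing_event_module(docs: Iterable[Dict[str, Any]]) -> List[str]:
    """_id values of documents whose _source lacks event.module."""
    missing: List[str] = []
    for doc in docs:
        event = doc.get("_source", {}).get("event")
        if not isinstance(event, dict) or "module" not in event:
            missing.append(doc["_id"])
    return missing


if __name__ == "__main__":
    print("pipeline sets event.module:", sets_event_module(PIPELINE_WITHOUT_MODULE))
    print("fields written:", sorted(fields_set(PIPELINE_WITHOUT_MODULE)))
    fixed = with_event_module(PIPELINE_WITHOUT_MODULE, "sysmon")
    print("after adding processor:", sets_event_module(fixed))
    print("documents missing event.module:", missing_event_module(SAMPLE_DOCS))
```

Against a live cluster the same functions can be fed the JSON returned by `GET _ingest/pipeline/<name>` and the hits of a search, which is a quick way to confirm whether a given Beats release carries the fix before relying on `event.module` in detection rules.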

Thanks for reporting the problem. I've created an issue for this at [Winlogbeat] 8.x Module pipelines not setting event.module · Issue #31330 · elastic/beats · GitHub.

Thank you for the very prompt reply and for creating an issue about it!

Appreciate that the issue has been resolved (very quickly) with this merged pull request.

I noted that the change will be backported to earlier v8.x versions - when/how do we install a version of Beats with this latest change? Do we have to wait for the next incremental release of Beats? (i.e. 8.1.3 or 8.2?)

Thank you.
