move Windows logs to system (#411)

* move windows logs to system * shuffle sysmon and forwarded logs back, add system and application logs * fix up dashboards * bump kibana version, add notice to windows package * rename data streams * add guard to logs * add agent.yml files * update readme * move conditionals to stream * update minimum kibana version, add condition to load
elastic · Dec 14, 2020 · 2b4f96b · 2b4f96b
1 parent 1f5013c
commit 2b4f96b
Show file tree

Hide file tree

Showing 135 changed files with 1,824 additions and 242 deletions.
diff --git a/packages/system/_dev/build/docs/README.md b/packages/system/_dev/build/docs/README.md
@@ -190,3 +190,24 @@ This dataset is available on:
 
 {{fields "uptime"}}
 
+### Application
+
+The Windows `application` dataset provides events from the Windows
+`Application` event log.
+
+{{fields "application"}}
+
+### System
+
+The Windows `system` dataset provides events from the Windows `System`
+event log.
+
+{{fields "system"}}
+
+
+### Security
+
+The Windows `security` dataset provides events from the Windows
+`Security` event log.
+
+{{fields "security"}}
diff --git a/packages/system/data_stream/application/agent/stream/winlog.yml.hbs b/packages/system/data_stream/application/agent/stream/winlog.yml.hbs
@@ -0,0 +1,3 @@
+name: Application
+condition: ${host.platform} == 'windows'
+ignore_older: 72h
diff --git a/packages/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/application/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,10 @@
+---
+    description: Pipeline for Windows Application Event Logs
+    processors:
+      - set:
+          field: event.ingested
+          value: '{{_ingest.timestamp}}'
+    on_failure:
+      - set:
+          field: "error.message"
+          value: "{{ _ingest.on_failure_message }}"
diff --git a/...ows/data_stream/security/fields/agent.yml → .../data_stream/application/fields/agent.yml b/...ows/data_stream/security/fields/agent.yml → .../data_stream/application/fields/agent.yml
diff --git a/packages/system/data_stream/application/fields/base-fields.yml b/packages/system/data_stream/application/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
diff --git a/packages/system/data_stream/application/fields/ecs.yml b/packages/system/data_stream/application/fields/ecs.yml
@@ -0,0 +1,16 @@
+- description: Time when the event was first read by an agent or by your pipeline.
+  example: '2016-05-23T08:05:34.857Z'
+  name: event.created
+  type: date
+- description: Timestamp when an event arrived in the central data store.
+  example: '2016-05-23T08:05:35.101Z'
+  name: event.ingested
+  type: date
+- description: Raw text message of entire event.
+  example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
+  ignore_above: 1024
+  name: event.original
+  type: keyword
+- description: Error message.
+  name: error.message
+  type: text