[winlogbeat/libbeat] Change event.code and winlog.event_id type

CHANGELOG.next.asciidoc

@@ -533,6 +533,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]
 - Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
 - Protect against accessing an undefined variable in Security module. {pull}22937[22937]
+- Change `event.code` and `winlog.event_id` from int to keyword. {pull}25176[25176]
 
 *Functionbeat*
 

libbeat/processors/decode_xml_wineventlog/processor.go

@@ -139,8 +139,9 @@ func fields(evt winevent.Event) (common.MapStr, common.MapStr) {
 
 	ecs := common.MapStr{}
 
+	eventCode, _ := win.GetValue("event_id")
+	ecs.Put("event.code", eventCode)
 	ecs.Put("event.kind", "event")
-	ecs.Put("event.code", evt.EventIdentifier.ID)
 	ecs.Put("event.provider", evt.Provider.Name)
 	winevent.AddOptional(ecs, "event.action", evt.Task)
 	winevent.AddOptional(ecs, "host.name", evt.Computer)

libbeat/processors/decode_xml_wineventlog/processor_test.go

@@ -55,7 +55,7 @@ func TestProcessor(t *testing.T) {
 			Output: common.MapStr{
 				"event": common.MapStr{
 					"action":   "Special Logon",
-					"code":     uint32(4672),
+					"code":     "4672",
 					"kind":     "event",
 					"outcome":  "success",
 					"provider": "Microsoft-Windows-Security-Auditing",
@@ -71,7 +71,7 @@ func TestProcessor(t *testing.T) {
 					"outcome":       "success",
 					"activity_id":   "{ffb23523-1f32-0000-c335-b2ff321fd701}",
 					"level":         "information",
-					"event_id":      uint32(4672),
+					"event_id":      "4672",
 					"provider_name": "Microsoft-Windows-Security-Auditing",
 					"record_id":     uint64(11303),
 					"computer_name": "vagrant",
@@ -129,7 +129,7 @@ func TestProcessor(t *testing.T) {
 					"outcome":       "success",
 					"activity_id":   "{ffb23523-1f32-0000-c335-b2ff321fd701}",
 					"level":         "information",
-					"event_id":      uint32(4672),
+					"event_id":      "4672",
 					"provider_name": "Microsoft-Windows-Security-Auditing",
 					"record_id":     uint64(11303),
 					"computer_name": "vagrant",

winlogbeat/eventlog/eventlog.go

@@ -92,8 +92,9 @@ func (e Record) ToEvent() beat.Event {
 	// ECS data
 	m.Put("event.created", time.Now())
 
+	eventCode, _ := win.GetValue("event_id")
+	m.Put("event.code", eventCode)
 	m.Put("event.kind", "event")
-	m.Put("event.code", e.EventIdentifier.ID)
 	m.Put("event.provider", e.Provider.Name)
 
 	rename(m, "winlog.outcome", "event.outcome")

winlogbeat/sys/winevent/event.go

@@ -98,7 +98,7 @@ func (e Event) Fields() common.MapStr {
 	win := common.MapStr{}
 
 	AddOptional(win, "channel", e.Channel)
-	AddOptional(win, "event_id", e.EventIdentifier.ID)
+	AddOptional(win, "event_id", fmt.Sprint(e.EventIdentifier.ID))
 	AddOptional(win, "provider_name", e.Provider.Name)
 	AddOptional(win, "record_id", e.RecordID)
 	AddOptional(win, "task", e.Task)

winlogbeat/tests/system/test_wineventlog.py

@@ -68,11 +68,10 @@ def test_read_unknown_event_id(self):
         wineventlog - Read unknown event ID
         """
         msg = "Unknown event ID"
-        event_id = 1111
-        self.write_event_log(msg, eventID=event_id)
+        self.write_event_log(msg, eventID=1111)
         evts = self.read_events()
         self.assertTrue(len(evts), 1)
-        self.assert_common_fields(evts[0], eventID=event_id, extra={
+        self.assert_common_fields(evts[0], eventID="1111", extra={
             "winlog.keywords": ["Classic"],
             "winlog.opcode": "Info",
         })
@@ -199,10 +198,10 @@ def test_query_event_id(self):
             ]
         }, expected_events=4)
         self.assertTrue(len(evts), 4)
-        self.assertEqual(evts[0]["winlog.event_id"], 50)
-        self.assertEqual(evts[1]["winlog.event_id"], 100)
-        self.assertEqual(evts[2]["winlog.event_id"], 175)
-        self.assertEqual(evts[3]["winlog.event_id"], 200)
+        self.assertEqual(evts[0]["winlog.event_id"], "50")
+        self.assertEqual(evts[1]["winlog.event_id"], "100")
+        self.assertEqual(evts[2]["winlog.event_id"], "175")
+        self.assertEqual(evts[3]["winlog.event_id"], "200")
 
     def test_query_level_single(self):
         """
@@ -270,8 +269,8 @@ def test_query_ignore_older(self):
             ]
         })
         self.assertTrue(len(evts), 1)
-        self.assertEqual(evts[0]["winlog.event_id"], 10)
-        self.assertEqual(evts[0]["event.code"], 10)
+        self.assertEqual(evts[0]["winlog.event_id"], "10")
+        self.assertEqual(evts[0]["event.code"], "10")
 
     def test_query_provider(self):
         """

winlogbeat/tests/system/winlogbeat.py

@@ -135,7 +135,7 @@ def read_registry(self, requireBookmark=False):
 
         return event_logs
 
-    def assert_common_fields(self, evt, msg=None, eventID=10, sid=None,
+    def assert_common_fields(self, evt, msg=None, eventID="10", sid=None,
                              level="information", extra=None):
 
         assert host_name(evt["winlog.computer_name"]).lower() == host_name(platform.node()).lower()

x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json

@@ -6,7 +6,7 @@
       "category": [
         "process"
       ],
-      "code": 400,
+      "code": "400",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -46,7 +46,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 400,
+      "event_id": "400",
       "keywords": [
         "Classic"
       ],
@@ -63,7 +63,7 @@
       "category": [
         "process"
       ],
-      "code": 400,
+      "code": "400",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -105,7 +105,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 400,
+      "event_id": "400",
       "keywords": [
         "Classic"
       ],
@@ -122,7 +122,7 @@
       "category": [
         "process"
       ],
-      "code": 400,
+      "code": "400",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -162,7 +162,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 400,
+      "event_id": "400",
       "keywords": [
         "Classic"
       ],
@@ -179,7 +179,7 @@
       "category": [
         "process"
       ],
-      "code": 400,
+      "code": "400",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -213,7 +213,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 400,
+      "event_id": "400",
       "keywords": [
         "Classic"
       ],

x-pack/winlogbeat/module/powershell/test/testdata/403.evtx.golden.json

@@ -6,7 +6,7 @@
       "category": [
         "process"
       ],
-      "code": 403,
+      "code": "403",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -45,7 +45,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 403,
+      "event_id": "403",
       "keywords": [
         "Classic"
       ],
@@ -62,7 +62,7 @@
       "category": [
         "process"
       ],
-      "code": 403,
+      "code": "403",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -102,7 +102,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 403,
+      "event_id": "403",
       "keywords": [
         "Classic"
       ],
@@ -119,7 +119,7 @@
       "category": [
         "process"
       ],
-      "code": 403,
+      "code": "403",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -166,7 +166,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 403,
+      "event_id": "403",
       "keywords": [
         "Classic"
       ],
@@ -183,7 +183,7 @@
       "category": [
         "process"
       ],
-      "code": 403,
+      "code": "403",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
@@ -217,7 +217,7 @@
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
-      "event_id": 403,
+      "event_id": "403",
       "keywords": [
         "Classic"
       ],

x-pack/winlogbeat/module/powershell/test/testdata/4103.evtx.golden.json

@@ -12,7 +12,7 @@
       "category": [
         "process"
       ],
-      "code": 4103,
+      "code": "4103",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
@@ -94,7 +94,7 @@
       "api": "wineventlog",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
-      "event_id": 4103,
+      "event_id": "4103",
       "opcode": "To be used when operation is just executing a method",
       "process": {
         "pid": 3984,
@@ -119,7 +119,7 @@
       "category": [
         "process"
       ],
-      "code": 4103,
+      "code": "4103",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
@@ -217,7 +217,7 @@
       "api": "wineventlog",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
-      "event_id": 4103,
+      "event_id": "4103",
       "opcode": "To be used when operation is just executing a method",
       "process": {
         "pid": 5032,

x-pack/winlogbeat/module/powershell/test/testdata/4104.evtx.golden.json

@@ -6,7 +6,7 @@
       "category": [
         "process"
       ],
-      "code": 4104,
+      "code": "4104",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
@@ -36,7 +36,7 @@
       "api": "wineventlog",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
-      "event_id": 4104,
+      "event_id": "4104",
       "opcode": "On create calls",
       "process": {
         "pid": 4844,
@@ -61,7 +61,7 @@
       "category": [
         "process"
       ],
-      "code": 4104,
+      "code": "4104",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
@@ -96,7 +96,7 @@
       "api": "wineventlog",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
-      "event_id": 4104,
+      "event_id": "4104",
       "opcode": "On create calls",
       "process": {
         "pid": 4844,

x-pack/winlogbeat/module/powershell/test/testdata/4105.evtx.golden.json

@@ -6,7 +6,7 @@
       "category": [
         "process"
       ],
-      "code": 4105,
+      "code": "4105",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
@@ -34,7 +34,7 @@
       "api": "wineventlog",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
-      "event_id": 4105,
+      "event_id": "4105",
       "opcode": "On create calls",
       "process": {
         "pid": 4204,

x-pack/winlogbeat/module/powershell/test/testdata/4106.evtx.golden.json

@@ -6,7 +6,7 @@
       "category": [
         "process"
       ],
-      "code": 4106,
+      "code": "4106",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
@@ -34,7 +34,7 @@
       "api": "wineventlog",
       "channel": "Microsoft-Windows-PowerShell/Operational",
       "computer_name": "vagrant",
-      "event_id": 4106,
+      "event_id": "4106",
       "opcode": "On create calls",
       "process": {
         "pid": 4776,