Cherry-pick #18153 to 7.x: [Winlogbeat] Skip add_host_metadata for forwarded event logs

[andrewkroh]

Cherry-pick of PR #18153 to 7.x branch. Original message:

What does this PR do?

Update config examples to use the "forwarded" tag to skip adding host metadata.

Also disable host.name being added by libbeat. This field was overwritten by
the winlog.computer_name so it didn't serve any purpose to have libbeat set it.

Relates #13920

Why is it important?

Having host.* fields populated with data from the system on which the event occurred is important for interpreting and reacting to the data.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
  - [ ] I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Relates #13920

Use cases

When reading from ForwardedEvents in a Windows Event Collector (WEC) setup you don't want the WEC machine using it's own host metadata in forwarded events. This solves that problem.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💔 Build Failed

Expand to view the summary

Build stats

• Build Cause: [Pull request Cherry-pick #18153 to 7.x: [Winlogbeat] Skip add_host_metadata for forwarded event logs #18183 opened]

• Start Time: 2020-05-04T16:25:17.211+0000

• Duration: 89 min 55 sec (5335388)

• Commit: 45d26fb

Test stats 🧪

Test	Results
Failed	0
Passed	5686
Skipped	854
Total	6540

Steps errors

Expand to view the steps failures

• Name: Report to Codecov

  • Description: curl -sSLo codecov https://codecov.io/bash for i in auditbeat filebeat heartbeat libbeat metricbeat packetbeat winlogbeat journalbeat do FILE="${i}/build/coverage/full.cov" if [ -f "${FILE}" ]; then bash codecov -f "${FILE}" fi done

  • Result: FAILURE

  • Duration: 2 min 23 sec<

  • Start Time: 2020-05-04T16:47:54.821+0000

• Name: Make -C generator/_templates/metricbeat test

  • Description: make -C generator/_templates/metricbeat test

  • Result: FAILURE

  • Duration: 2 min 19 sec<

  • Start Time: 2020-05-04T17:05:57.557+0000

Log output

Expand to view the last 100 lines of log output

[2020-05-04T17:53:26.400Z] 	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[2020-05-04T17:53:26.400Z] 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[2020-05-04T17:53:26.400Z] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-05-04T17:53:26.400Z] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-05-04T17:53:26.400Z] 	at java.lang.Thread.run(Thread.java:748)
[2020-05-04T17:53:26.400Z] No artifacts found that match the file pattern "**/build/TEST*.out". Configuration error?
[2020-05-04T17:53:27.345Z] + curl -sSLo codecov https://codecov.io/bash
[2020-05-04T17:53:27.620Z] + FILE=auditbeat/build/coverage/full.cov
[2020-05-04T17:53:27.620Z] + [ -f auditbeat/build/coverage/full.cov ]
[2020-05-04T17:53:27.620Z] + FILE=filebeat/build/coverage/full.cov
[2020-05-04T17:53:27.620Z] + [ -f filebeat/build/coverage/full.cov ]
[2020-05-04T17:53:27.620Z] + FILE=heartbeat/build/coverage/full.cov
[2020-05-04T17:53:27.620Z] + [ -f heartbeat/build/coverage/full.cov ]
[2020-05-04T17:53:27.620Z] + FILE=libbeat/build/coverage/full.cov
[2020-05-04T17:53:27.620Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-05-04T17:53:27.620Z] + FILE=metricbeat/build/coverage/full.cov
[2020-05-04T17:53:27.620Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-05-04T17:53:27.620Z] + FILE=packetbeat/build/coverage/full.cov
[2020-05-04T17:53:27.620Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-05-04T17:53:27.620Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-05-04T17:53:27.620Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-05-04T17:53:27.621Z] + FILE=journalbeat/build/coverage/full.cov
[2020-05-04T17:53:27.621Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-05-04T17:53:35.436Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats
[2020-05-04T17:53:35.904Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-05-04T17:53:35.942Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Lint
[2020-05-04T17:53:36.444Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Elastic-Agent-x-pack
[2020-05-04T17:53:36.854Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Winlogbeat-oss
[2020-05-04T17:53:37.143Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Dockerlogbeat
[2020-05-04T17:53:37.736Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Generators-Metricbeat-Linux
[2020-05-04T17:53:38.133Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Journalbeat-oss
[2020-05-04T17:53:38.717Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Functionbeat-x-pack
[2020-05-04T17:53:39.142Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Elastic-Agent-x-pack-Windows
[2020-05-04T17:53:39.670Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-crosscompile
[2020-05-04T17:53:40.034Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-OSS-Unit-tests
[2020-05-04T17:53:40.544Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Heartbeat-oss
[2020-05-04T17:53:40.987Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Winlogbeat-Windows-x-pack
[2020-05-04T17:53:41.497Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Auditbeat-x-pack
[2020-05-04T17:53:41.961Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Libbeat-x-pack
[2020-05-04T17:53:42.369Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Auditbeat-Linux
[2020-05-04T17:53:42.800Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Filebeat-Windows
[2020-05-04T17:53:43.178Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Packetbeat-oss
[2020-05-04T17:53:43.533Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Auditbeat-crosscompile
[2020-05-04T17:53:43.974Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-Windows
[2020-05-04T17:53:44.384Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Winlogbeat-Windows
[2020-05-04T17:53:44.738Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Filebeat-x-pack
[2020-05-04T17:53:45.343Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Filebeat-oss
[2020-05-04T17:53:45.705Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-Python-integration-tests
[2020-05-04T17:53:46.141Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Heartbeat-Windows
[2020-05-04T17:53:46.585Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-OSS-Integration-tests
[2020-05-04T17:53:46.980Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Libbeat-oss
[2020-05-04T17:53:47.443Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Functionbeat-Windows
[2020-05-04T17:53:47.913Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-x-pack
[2020-05-04T17:53:48.416Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Libbeat-crosscompile
[2020-05-04T17:53:48.852Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Auditbeat-Windows
[2020-05-04T17:53:49.269Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Libbeat-stress-tests
[2020-05-04T17:53:50.123Z] + cat
[2020-05-04T17:53:50.123Z] + /usr/local/bin/runbld ./runbld-script
[2020-05-04T17:53:50.123Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-05-04T17:53:56.867Z] runbld>>> runbld started
[2020-05-04T17:53:56.867Z] runbld>>> 1.6.11/a66728ff8f4356963772e6e6d2069392fa06acbe
[2020-05-04T17:53:58.824Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-18183' in order of occurrence in the config (last value wins).
[2020-05-04T17:53:59.787Z] runbld>>> Debug logging enabled.
[2020-05-04T17:53:59.787Z] runbld>>> Storing result
[2020-05-04T17:54:00.064Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-05-04T17:54:00.064Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200504175359-8D2A0FB0
[2020-05-04T17:54:00.064Z] runbld>>> Adding system facts.
[2020-05-04T17:54:01.031Z] runbld>>> Adding vcs info for the latest commit:  45d26fb27b49927c4f0b2d1cd6fc4049cff17be4
[2020-05-04T17:54:01.372Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-05-04T17:54:01.372Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-05-04T17:54:01.372Z] Processing JUnit reports with runbld...
[2020-05-04T17:54:01.372Z] + echo 'Processing JUnit reports with runbld...'
[2020-05-04T17:54:01.644Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-05-04T17:54:01.644Z] runbld>>> DURATION: 9ms
[2020-05-04T17:54:01.644Z] runbld>>> STDOUT: 40 bytes
[2020-05-04T17:54:01.644Z] runbld>>> STDERR: 49 bytes
[2020-05-04T17:54:01.644Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-05-04T17:54:01.644Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats
[2020-05-04T17:54:03.079Z] runbld>>> Storing build metadata: 
[2020-05-04T17:54:03.079Z] runbld>>> Adding test report.
[2020-05-04T17:54:03.079Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats
[2020-05-04T17:54:04.483Z] runbld>>> Found 78 test output files
[2020-05-04T17:54:04.755Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-openmetrics.xml
[2020-05-04T17:54:04.755Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-istio.xml
[2020-05-04T17:54:04.755Z] runbld>>> No testsuite node found in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183/src/github.com/elastic/beats/Metricbeat-x-pack/x-pack/metricbeat/build/TEST-go-integration-activemq.xml
[2020-05-04T17:54:05.754Z] runbld>>> Test output logs contained: Errors: 0 Failures: 0 Tests: 6390 Skipped: 701
[2020-05-04T17:54:05.754Z] runbld>>> Storing result
[2020-05-04T17:54:05.754Z] runbld>>> FAILURES: 0
[2020-05-04T17:54:06.022Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-05-04T17:54:06.022Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200504175359-8D2A0FB0
[2020-05-04T17:54:06.022Z] runbld>>> Email notification disabled by environment variable.
[2020-05-04T17:54:06.022Z] runbld>>> Slack notification disabled by environment variable.
[2020-05-04T17:54:11.616Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-18183
[2020-05-04T17:54:11.773Z] [INFO] getVaultSecret: Getting secrets
[2020-05-04T17:54:11.853Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-05-04T17:54:12.893Z] + chmod 755 generate-build-data.sh
[2020-05-04T17:54:12.893Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18183/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18183/runs/1 FAILURE 5335388
[2020-05-04T17:54:13.443Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18183/runs/1/steps/?limit=10000 -o steps-info.json
[2020-05-04T17:54:14.354Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18183/runs/1/tests/?status=FAILED -o tests-errors.json
[2020-05-04T17:54:15.266Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-18183/runs/1/log/ -o pipeline-log.txt