[Winlogbeat] `failed to parse field [winlog.event_data.Id] of type [keyword] ` when id contains `.`

[narph]

Running Winlogbeat on other language OS's (in this case Spanish).

EX message

"message": "CommandInvocation(Get-Date): \"Get-Date\"\n\n\nContexto:\n Gravedad = Informational\n Nombre de host = ConsoleHost\n Versión de host = 5.1.19041.1320\n Id. de host = 56995afd-2444-424e-871c-4c5513731a3b\n Aplicación host = C:\\…

Each part \n Id. is being parsed into a field under a Id object that is prefixed with de

…\n Id. de host = 56…
…320\n Id. de espacio de ejecución = fc8f1c...\n Id. de canalización = 1\n Nombre…
…la\n Usuario conectado = \n Id. de shell = Microsoft.PowerShell\n\n\nDatos…

Becomes

                    "Id": {
                        " de host": "56995afd-2444-424e-871c-4c5513731a3b",
                        " de shell": "Microsoft.PowerShell",
                        " de espacio de ejecución": "fc8f1...",
                        " de canalización": "1"
                    },

causing

"failed to parse field [winlog.event_data.Id] of type [keyword] in document with id '0434AIABa-64rEwC2A60'.

Potential fault at line:

beats/winlogbeat/sys/winevent/maputil.go

Line 66 in 89bcc33

_, _ = h.Put(k, sys.RemoveWindowsLineEndings(kv.Value))

where id gets parsed.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

In short, we should not use mapstr.Put because the key names contain dots. The dots imply nested objects in Put. Our mappings for winlog.event_data.* expect string values only (no objects). Instead we should write directly into the map (e.g. h[k] = kv.Value).

[efd6]

@narph Is the XML event that contains the example available to include in a test?