[winlog] Add ECS fields for error checking/codes (#5273)

nicpenning · web-flow · commit c9f3c19473b3 · 2023-02-15T16:22:51.000+10:30
Account for any ingest pipelines that might throw some error messages or
event codes.
diff --git a/packages/winlog/changelog.yml b/packages/winlog/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.0"
+  changes:
+    - description: Add ecs error fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5273
 - version: "1.11.0"
   changes:
     - description: Add agent fields
diff --git a/packages/winlog/data_stream/winlog/fields/ecs.yml b/packages/winlog/data_stream/winlog/fields/ecs.yml
@@ -1,5 +1,9 @@
 - name: ecs.version
   external: ecs
+- name: error.code
+  external: ecs
+- name: error.message
+  external: ecs
 - name: event.created
   external: ecs
 - name: log.level
diff --git a/packages/winlog/docs/README.md b/packages/winlog/docs/README.md
@@ -43,6 +43,8 @@ To achieve this, `renderXml` needs to be set to `1` in your [inputs.conf](https:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.message | Error message. | match_only_text |
 | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/winlog/manifest.yml b/packages/winlog/manifest.yml
@@ -3,7 +3,7 @@ name: winlog
 title: Custom Windows Event Logs
 description: Collect and parse logs from any Windows event log channel with Elastic Agent.
 type: integration
-version: "1.11.0"
+version: "1.12.0"
 release: ga
 conditions:
   kibana.version: '^7.16.0 || ^8.0.0'
