[meta] Deprecate `winlogbeat` in favor of `filebeat` `winlog` input.

[marc-gr]

Some time ago the winlog input was added to filebeat so it could be used by the elastic agent.

The functionality is basically on par with winlogbeat, which makes us maintain both implementations.

Would be nice to discuss the possibility to deprecate winlogbeat in the following releases, making the preferred choice filebeat winlog input or elastic agent integrations to consume windows events. This way we could prepare users targetting winlogbeat removal for a future 9.0 version.

TODO:

• [ ] Convert the Winlogbeat modules and the routing pipeline into a Filebeat module
• [x] document the winlog input
• [ ] update all detection rules for windows event logs to search filebeat-* indices
• [ ] review Kibana for any special handling of event logs that depends on winlogbeat-* or perhaps agent.type: winlogbeat
• [ ] mark winlogbeat as deprecated and provide guidance to migrate

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[andrewkroh]

Some things that would be needed to make Filebeat equivalent are

• convert the Winlogbeat modules and the routing pipeline into a Filebeat module
• document the winlog input
• update all detection rules for windows event logs to search filebeat-* indices
• review Kibana for any special handling of event logs that depends on winlogbeat-* or perhaps agent.type: winlogbeat

One thing to consider is the impact of OpenTelemetry, if we decided to start supporting the OTel collector to ingest windows event logs, then I think we would want Winlogbeat users to migrate to that. I would want to avoid having users migrate from Winlogbeat->Filebeat and then Filebeat->OTel if those two changes are possible within a short time window. So it might worth asking what it would take to make Windows event log collection/processing portable to OTel 🤔.

[marc-gr]

Would the otel usecase also impact the current winlog integrations?

[pierrehilbert]

@leehinman could you have a look here please?

[strawgate]

@andrewkroh and I will be chatting today but I think we should definitely chat about using the OTel input

[marc-gr]

After some conversations it seems the OTel collector should not impact the progress of this. Will convert this into a meta issue. Please feel free to chime in if there are still unclear things.

[nicpenning]

👀 woohoo!

This is great. I have had concerns with two separate products doing nearly the same function and seeing missed bugs/issues on one or the other.

After this, perhaps we can talk about the name "filebeat" hahaha 😆

[andrewkroh]

I have had concerns with two separate products doing nearly the same function and seeing missed bugs/issues

I am concerned with the change actually making this worse. While we may deprecate one, there will still be multiple copies of ingest pipeline logic floating around. I think we need to discuss this more, @marc-gr. I want to avoid yet another clone/fork of the pipelines.

[marc-gr]

I have had concerns with two separate products doing nearly the same function and seeing missed bugs/issues

I am concerned with the change actually making this worse. While we may deprecate one, there will still be multiple copies of ingest pipeline logic floating around. I think we need to discuss this more, @marc-gr. I want to avoid yet another clone/fork of the pipelines.

I'll hold migrating the modules for now then