Windows Integrations don't render the preserve_original_event tag even when it's toggled on #9425

@devamanv

Description

Current behavior

An issue was recently reported in the system integration wherein a user would not see the event.original field in the ingested events for Windows (but it was working fine for Mac and Linux). It was found that the preserve_original_event tag wasn't being rendered in the Agent config, even when the Preserve Original Event toggle was on. This led to the removal of the event.original field from the ingested event.

Read on for additional details.

On Windows, no event.original: [screenshot]

On Linux/Mac: [screenshot]

The issue was traced to event.original getting deleted by the following processor in the .fleet_final_pipeline:

```json
{
  "remove": {
    "description": "Remove event.original unless the preserve_original_event tag is set",
    "field": "event.original",
    "if": "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))",
    "ignore_failure": true,
    "ignore_missing": true
  }
}
```

The winlog inputs use the include_xml: true config option. So, at the Agent level the original XML is added to the event as event.original, as seen in the code.

As a fix, it was suggested to add "preserve_original_event" in the tags section for each of the three data streams (Application, Security, System) in "Collect events from the Windows event log". This brought back the missing event.original field.

[screenshot]

Expected behavior

The tags should be rendered in the Agent config when the Preserve Original Event toggle is turned on by the user.

We need to check and revisit all the integrations that rely on include_xml (especially Windows-based integrations) and also set the preserve_original_event tag for them.
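The following is an added example (not Fleet or Elastic Agent code) that reproduces the two halves of this issue in Python: it applies the quoted remove processor to a constructed Windows event, showing that event.original survives only when the preserve_original_event tag is present (a document with no tags field at all is treated the same way because of the null-safe `ctx?.tags`), and it audits a constructed policy fragment for streams that enable include_xml without the tag, then applies the suggested fix. The policy layout (inputs, streams, include_xml, tags), the stream ids and the sample event are assumptions made for illustration.

```python
"""Added example (not Fleet or Elastic Agent code): simulate the remove
processor quoted from .fleet_final_pipeline and audit an agent policy for
winlog streams that set include_xml without the preserve_original_event tag.
The policy layout (inputs -> streams -> include_xml/tags), stream ids and the
event below are constructed for illustration."""
import copy

TAG = "preserve_original_event"


def fleet_final_remove(event: dict) -> dict:
    """Apply the quoted processor to one ingested document.

    Painless condition: ctx?.tags == null || !(ctx.tags.contains(TAG)).
    The null-safe `?.` means a document with no tags field at all is treated
    the same as one whose tags lack the marker: event.original is dropped.
    ignore_missing/ignore_failure mean a missing event.original is not an error.
    """
    doc = copy.deepcopy(event)
    tags = doc.get("tags")
    if tags is None or TAG not in tags:
        doc.get("event", {}).pop("original", None)
    return doc


# Constructed Windows event: include_xml has put the raw XML in event.original,
# but the rendered policy never added the tag (the bug in this issue).
WINLOG_EVENT = {
    "event": {
        "code": "4624",
        "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
                    "<System><EventID>4624</EventID></System></Event>",
    },
    "tags": [],
}


def streams_missing_tag(policy: dict) -> list:
    """Return ids of streams that enable include_xml but lack the tag."""
    missing = []
    for inp in policy.get("inputs", []):
        for stream in inp.get("streams", []):
            if stream.get("include_xml") and TAG not in (stream.get("tags") or []):
                missing.append(stream["id"])
    return missing


def add_preserve_tag(policy: dict) -> dict:
    """The suggested fix: add the tag to every include_xml stream that lacks it."""
    fixed = copy.deepcopy(policy)
    for inp in fixed.get("inputs", []):
        for stream in inp.get("streams", []):
            if stream.get("include_xml"):
                tags = stream.setdefault("tags", [])
                if TAG not in tags:
                    tags.append(TAG)
    return fixed


# Constructed policy fragment (hypothetical ids and layout): the three winlog
# streams named in the issue, one already tagged, plus a non-XML Linux input.
CONSTRUCTED_POLICY = {
    "inputs": [
        {"type": "winlog", "streams": [
            {"id": "winlog-windows.application", "include_xml": True, "tags": []},
            {"id": "winlog-windows.security", "include_xml": True},
            {"id": "winlog-windows.system", "include_xml": True, "tags": [TAG]},
        ]},
        {"type": "logfile", "streams": [
            {"id": "logfile-system.auth", "tags": [TAG]},
        ]},
    ]
}

if __name__ == "__main__":
    print("without tag, event.original kept:",
          "original" in fleet_final_remove(WINLOG_EVENT)["event"])
    tagged = dict(WINLOG_EVENT, tags=[TAG])
    print("with tag, event.original kept:",
          "original" in fleet_final_remove(tagged)["event"])
    print("streams needing the tag:", streams_missing_tag(CONSTRUCTED_POLICY))
    print("after fix:", streams_missing_tag(add_preserve_tag(CONSTRUCTED_POLICY)))
```

Running the script shows the untagged Windows event losing event.original while the tagged copy keeps it, and the audit flagging exactly the include_xml streams that lack the tag; the same check, pointed at a real rendered policy, is what the last paragraph asks for across the include_xml-based integrations.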

Metadata
Labels

- Team:Obs-InfraObs: Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]
- Team:Security-Windows Platform: Security Windows Platform team [elastic/sec-windows-platform]
- bug: Something isn't working, use only for issues
