elastic · ruflin · Jan 18, 2019 · webmat · Jan 18, 2019 · andrewkroh
diff --git a/winlogbeat/_meta/fields.common.yml b/winlogbeat/_meta/fields.common.yml
@@ -3,6 +3,7 @@
   description: >
     Contains common fields available in all event types.
   fields:
+    # Is this event.type?
     - name: type
       required: true
       description: >
@@ -31,7 +32,8 @@
         activity.
 
     - name: computer_name
-      type: keyword
+      type: alias
+      path: host.name
       required: true
       description: >
         The name of the computer that generated the record. When using Windows
@@ -49,7 +51,8 @@
         earlier versions of Windows.
 
     - name: event_id
-      type: long
+      type: alias
+      path: event.id
       required: true
       description: >
         The event identifier. The value is specific to the source of the event.
@@ -61,22 +64,26 @@
         The keywords are used to classify an event.
 
     - name: log_name
-      type: keyword
+      # This does not exist yet
+      path: log.name
+      type: alias
       required: true
       description: >
         The name of the event log from which this record was read. This value is
         one of the names from the `event_logs` collection in the configuration.
 
     - name: level
-      type: keyword
+      type: alias
+      path: log.level
       required: false
       description: >
         The level of the event. There are five levels of events that can be
         logged: Success, Information, Warning, Error, Audit Success, and Audit
         Failure.
 
     - name: message_error
-      type: keyword
+      type: alias
+      path: error.message
       required: false
       description: >
         The error that occurred while reading and formatting the message from
@@ -116,7 +123,8 @@
         the event.
 
     - name: process_id
-      type: long
+      type: alias
+      path: process.id
       required: false
       description: >
         The process_id identifies the process that generated the event.
@@ -138,7 +146,8 @@
         operating systems) is written to this field.
 
     - name: thread_id
-      type: long
+      type: alias
+      path: process.thread.id
       required: false
       description: >
         The thread_id identifies the thread that generated the event.
@@ -152,6 +161,7 @@
         `event_data`.
 
     - name: user.identifier
+      # Is this user.id?
       type: keyword
       required: false
       example: S-1-5-21-3541430928-2051711210-1391384369-1001

diff --git a/winlogbeat/eventlog/eventlog.go b/winlogbeat/eventlog/eventlog.go
@@ -82,30 +82,30 @@ type Record struct {
 func (e Record) ToEvent() beat.Event {
 	m := common.MapStr{
 		"type":          e.API,
-		"log_name":      e.Channel,
-		"source_name":   e.Provider.Name,
-		"computer_name": e.Computer,
 		"record_number": strconv.FormatUint(e.RecordID, 10),
-		"event_id":      e.EventIdentifier.ID,
 	}
+	m.Put("event.id", e.EventIdentifier.ID)
+	m.Put("log.name", e.Channel)
+	m.Put("source.name", e.Channel)
+	m.Put("host.name", e.Computer)
 
 	addOptional(m, "xml", e.XML)
 	addOptional(m, "provider_guid", e.Provider.GUID)
 	addOptional(m, "version", e.Version)
-	addOptional(m, "level", e.Level)
+	addOptional(m, "log.level", e.Level)
 	addOptional(m, "task", e.Task)
 	addOptional(m, "opcode", e.Opcode)
 	addOptional(m, "keywords", e.Keywords)
 	addOptional(m, "message", sys.RemoveWindowsLineEndings(e.Message))
-	addOptional(m, "message_error", e.RenderErr)
+	addOptional(m, "error.message", e.RenderErr)
 
 	// Correlation
 	addOptional(m, "activity_id", e.Correlation.ActivityID)
 	addOptional(m, "related_activity_id", e.Correlation.RelatedActivityID)
 
 	// Execution
-	addOptional(m, "process_id", e.Execution.ProcessID)
-	addOptional(m, "thread_id", e.Execution.ThreadID)
+	addOptional(m, "process.id", e.Execution.ProcessID)
+	addOptional(m, "process.thread.id", e.Execution.ThreadID)
 	addOptional(m, "processor_id", e.Execution.ProcessorID)
 	addOptional(m, "session_id", e.Execution.SessionID)
 	addOptional(m, "kernel_time", e.Execution.KernelTime)
@@ -139,7 +139,7 @@ func (e Record) ToEvent() beat.Event {
 // MapStr.
 func addOptional(m common.MapStr, key string, v interface{}) {
 	if m != nil && !isZero(v) {
-		m[key] = v
+		m.Put(key) = v
 	}
 }