Description
In GWorkspace Chrome logs, user.name is sometimes populated with a hostname\user.name format rather than just the username. The hostname component should be mapped to host.hostname or host.name instead, keeping user.name clean and consistent with ECS expectations.
Current behavior
In certain Chrome log events, most notably event.action: content_transfer, user.name is populated in the format hostname\username (i.e., MYHOST\firstname.lastname). This conflates host identity with user identity in a single field, making it difficult to filter, correlate, or alert on user activity across log sources.
Requested behavior
When user.name contains a hostname\username pattern, the integration should map fields as:
    "user": {
        "name": "firstname.lastname"
    },
    "host": {
        "hostname": "MYHOST"
    }
Sample event.original is available upon request.
User context
This issue was raised internally. The hostname-prefixed user.name value prevents consistent user correlation across log sources (similar to this CloudTrail user.name/ARN session name parsing issue: #18346).
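The requested mapping, sketched in Python as an added illustration; this is not code from the integration or from the issue author. The function names and sample events are constructed, and two behaviours are assumptions: an existing host.hostname is left untouched, and values with an empty host or user part are passed through unchanged.

```python
import copy


def split_host_user(value):
    """Split 'HOST\\user' into (host, user).

    Returns (None, value) when there is no backslash or either side is
    empty, so plain usernames and malformed values pass through unchanged.
    """
    if not isinstance(value, str) or "\\" not in value:
        return None, value
    host, _, user = value.partition("\\")  # split on the first backslash only
    if not host or not user:
        return None, value
    return host, user


def normalize_event(event):
    """Return a copy of the event with user.name cleaned and host.hostname set."""
    out = copy.deepcopy(event)
    user = out.get("user")
    if not isinstance(user, dict):
        return out
    host, name = split_host_user(user.get("name"))
    if host is None:
        return out
    user["name"] = name
    host_obj = out.setdefault("host", {})
    if isinstance(host_obj, dict):
        # Assumption: a hostname already present on the event wins.
        host_obj.setdefault("hostname", host)
    return out


# Constructed sample events (not taken from real Chrome logs).
SAMPLE_EVENTS = [
    {"event": {"action": "content_transfer"},
     "user": {"name": "MYHOST\\firstname.lastname"}},
    {"user": {"name": "firstname.lastname"}},   # already clean
    {"user": {"name": "MYHOST\\"}},             # malformed: empty user part
    {"user": {"name": "MYHOST\\firstname.lastname"},
     "host": {"hostname": "OTHERHOST"}},        # host already populated
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(normalize_event(ev))
```

After normalization the first two sample events carry the same user.name, which is the cross-source correlation the issue asks for.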