win32_event_log: read host from EvtSystemComputer on each event

[edferron-dd]

What does this PR do?

Updates collect_fqdn in the win32_event_log check to always set the event host from the EvtSystemComputer attribute embedded in the Windows event, falling back to the Agent hostname only when that field is null.

Motivation

This updates the extension to read the computer name from the Event as host. In the use case when Windows Event Collection is used to forward events to a central server, the current extension assumes the event originates from the host where the agent resides versus reporting the host from where the event is originated.

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
• Add qa/required if this PR needs QA validation, or qa/skip-qa if it does not. Exactly one of the two is required.
• If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

[datadog-datadog-prod-us1]

 

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 4 Pipeline jobs failed

PR | test / check     

PR | test / test (windows, windows-2022, win32_event_log, Windows Event Log (py3.13), py3.13) / Windows Event Log (py3.13)-py3.13     

PR | test / test-minimum-base-package (windows, windows-2022, win32_event_log, Windows Event Log (py3.13), py... / minimum-base-package-Windows Event Log (py3.13)-py3.13     

View all 4 failed jobs.

🧪 2 Tests failed in 1 job

PR | run  

test_expected[127.0.0.1] from test_check.py   (Fix with Cursor)

Candidates size assertion for \`message\`, count: None, at_least: 1) failed

test_expected[localhost] from test_check.py   (Fix with Cursor)

Candidates size assertion for \`message\`, count: None, at_least: 1) failed

ℹ️ Info

No other issues found (see more)

❄️ No new flaky tests detected

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: d8a8e5a | Docs | Datadog PR Page | Give us feedback!}

[edferron-dd]

This updates the extension to read the computer name from the Event as host. In the use case when Windows Event Collection is used to foward events to a central server, the current extension assumes the event originates from the host where the agrent sides versus reporting the host from where the event is originated

[dd-octo-sts]

Validation Report

Validation	Description	Status
version	Validate version consistency between package and changelog	❌

Run ddev validate all changed --fix to attempt to auto-fix supported validations.

Passed validations (20)

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and code coverage settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
config	Validate default configuration files against spec.yaml	✅
dep	Verify dependency pins are consistent and Agent-compatible	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
license-headers	Validate Python files have proper license headers	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
models	Validate configuration data models match spec.yaml	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
qa-label	Validate the pull request declares whether it needs QA for the next Agent release	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅

View full run