diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml index beb129f5b10..8da040471d9 100644 --- a/packages/system/changelog.yml +++ b/packages/system/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.6.0" + changes: + - description: Consistently map message field in Windows integrations. + type: bugfix + link: https://github.com/elastic/integrations/pull/2008 - version: "1.5.0" changes: - description: Better user mappings for security events diff --git a/packages/system/data_stream/application/fields/ecs.yml b/packages/system/data_stream/application/fields/ecs.yml index 0bf56397fa5..cfbc8e8c80e 100644 --- a/packages/system/data_stream/application/fields/ecs.yml +++ b/packages/system/data_stream/application/fields/ecs.yml @@ -8,3 +8,5 @@ name: event.ingested - external: ecs name: event.original +- external: ecs + name: message diff --git a/packages/system/data_stream/security/fields/ecs.yml b/packages/system/data_stream/security/fields/ecs.yml index cc5cd530a48..63d614f0871 100644 --- a/packages/system/data_stream/security/fields/ecs.yml +++ b/packages/system/data_stream/security/fields/ecs.yml @@ -34,6 +34,8 @@ name: log.file.path - external: ecs name: log.level +- external: ecs + name: message - external: ecs name: process.args - external: ecs diff --git a/packages/system/data_stream/system/fields/ecs.yml b/packages/system/data_stream/system/fields/ecs.yml index e1794b551d6..7abb6419d34 100644 --- a/packages/system/data_stream/system/fields/ecs.yml +++ b/packages/system/data_stream/system/fields/ecs.yml @@ -24,3 +24,5 @@ name: event.sequence - external: ecs name: event.type +- external: ecs + name: message diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index ef175772727..35ef4964d0f 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md 
@@ -71,6 +71,7 @@ The Windows `application` dataset provides events from the Windows | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | | winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | | winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | 
@@ -261,6 +262,7 @@ event log. | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | | winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | | winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword | 
@@ -537,6 +539,7 @@ An example event for `security` looks as following: | input.type | Type of Filebeat input. | keyword | | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml index 20ea0283612..0967f90a702 100644 --- a/packages/system/manifest.yml +++ b/packages/system/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 1.0.0 name: system title: System -version: 1.5.0 +version: 1.6.0 license: basic description: This Elastic integration collects logs and metrics from your servers type: integration diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml index 196ffeafa5b..d6f5514607a 100644 --- a/packages/windows/changelog.yml +++ b/packages/windows/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.0" + changes: + - description: Consistently map message field in Windows integrations. + type: bugfix + link: https://github.com/elastic/integrations/pull/2008 - version: "1.2.3" changes: - description: Fix ingest pipeline templating for related.ip diff --git a/packages/windows/data_stream/powershell/fields/ecs.yml b/packages/windows/data_stream/powershell/fields/ecs.yml index 952b198bdba..3491fdf3de5 100644 --- a/packages/windows/data_stream/powershell/fields/ecs.yml +++ b/packages/windows/data_stream/powershell/fields/ecs.yml @@ -38,6 +38,8 @@ name: host.name - external: ecs name: log.level +- external: ecs + name: message - external: ecs name: process.args - external: ecs diff --git a/packages/windows/data_stream/powershell_operational/fields/ecs.yml b/packages/windows/data_stream/powershell_operational/fields/ecs.yml index 952b198bdba..3491fdf3de5 100644 --- a/packages/windows/data_stream/powershell_operational/fields/ecs.yml +++ b/packages/windows/data_stream/powershell_operational/fields/ecs.yml @@ -38,6 +38,8 @@ name: host.name - external: ecs name: log.level +- external: ecs + name: message - external: ecs name: process.args - external: ecs diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md index 265bdabbe21..a472df9e3d0 100644 --- a/packages/windows/docs/README.md +++ b/packages/windows/docs/README.md 
@@ -288,6 +288,7 @@ An example event for `powershell` looks as following: | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | | powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | | powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | 
@@ -614,6 +615,7 @@ An example event for `powershell_operational` looks as following: | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | input.type | Type of Filebeat input. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | powershell.command.invocation_details | An array of objects containing detailed information of the executed command. | array | | powershell.command.invocation_details.name | Only used for ParameterBinding detail type. Indicates the parameter name. | keyword | | powershell.command.invocation_details.related_command | The command to which the detail is related to. | keyword | diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index 8e7e2d62ba6..87430677282 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 1.2.3 +version: 1.3.0 description: This Elastic integration collects logs and metrics from Windows type: integration categories: diff --git a/packages/winlog/changelog.yml b/packages/winlog/changelog.yml index edf87a2d115..9ec90093b9e 100644 --- a/packages/winlog/changelog.yml +++ b/packages/winlog/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.0" + changes: + - description: Consistently map message field in Windows integrations. + type: bugfix + link: https://github.com/elastic/integrations/pull/2008 - version: "1.0.3" changes: - description: Update Title and Description. diff --git a/packages/winlog/data_stream/winlog/fields/ecs.yml b/packages/winlog/data_stream/winlog/fields/ecs.yml index 3dee6254a9e..e6ed801be2a 100644 --- a/packages/winlog/data_stream/winlog/fields/ecs.yml +++ b/packages/winlog/data_stream/winlog/fields/ecs.yml @@ -2,3 +2,5 @@ external: ecs - name: log.level external: ecs +- name: message + external: ecs diff --git a/packages/winlog/docs/README.md b/packages/winlog/docs/README.md index b6cbfa1656a..5a8a529f910 100644 --- a/packages/winlog/docs/README.md +++ b/packages/winlog/docs/README.md 
@@ -26,6 +26,7 @@ To configure Splunk Enterprise to be able to pull events from it, please visit | event.module | Event module | constant_keyword | | input.type | Type of Filebeat input. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | | tags | User defined tags | keyword | | winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword | | winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword | diff --git a/packages/winlog/manifest.yml b/packages/winlog/manifest.yml index be866f82df7..40f084dd3ef 100644 --- a/packages/winlog/manifest.yml +++ b/packages/winlog/manifest.yml @@ -3,7 +3,7 @@ name: winlog title: Custom Windows event logs description: Collect event logs from Windows with Elastic Agent. type: integration -version: 1.0.3 +version: 1.1.0 release: ga conditions: kibana.version: '^7.16.0'
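Review bot: in the packages/winlog/docs/README.md hunk the new `message` row is typed `text`, while the identical row added to packages/system/docs/README.md (application, system and security tables) and packages/windows/docs/README.md (powershell and powershell_operational tables) is typed `match_only_text`. For a change whose changelog entry reads "Consistently map message field in Windows integrations" that is the one place the mapping is not consistent. All of the new `fields/ecs.yml` entries are `external: ecs`, so the concrete type is resolved from whichever ECS reference each package builds against rather than from these hunks; check that the winlog package points at the same ECS version as system and windows and regenerate its README, otherwise `message` in the winlog data stream is indexed as a full positional `text` field while the other Windows data streams get the lighter `match_only_text`, and field-type conflicts will show up in any index pattern that spans both.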
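Review bot: the three changelog hunks label this change `type: bugfix`, but each manifest hunk takes a minor bump (system 1.5.0 to 1.6.0, windows 1.2.3 to 1.3.0, winlog 1.0.3 to 1.1.0). Either choice is defensible on its own, but they disagree with each other: a bugfix normally takes a patch bump, and adding a newly mapped field to the index template is closer to `type: enhancement`. Pick one and apply it to all three packages so the version history says the same thing the changelog does.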
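Review bot: the README hunks sit directly under the "An example event for `security` looks as following:" / "An example event for `powershell` looks as following:" / "An example event for `powershell_operational` looks as following:" sections, yet none of those example events is touched, and no pipeline or test-fixture changes appear in the patch. If the data streams already emitted `message` and it was simply unmapped, a regenerated sample event would let a reader see what the field actually holds (rendered Event Log text is what a detection rule will match against); if they do not emit it, the new mapping documents a field that never gets populated. Regenerate the docs with a sample that shows `message`, or say in the changelog that the field was already present and is only now declared.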