{,x-pack/}winlogbeat: resurrect tests for event processing (#31464)

This is a moderately involved change. The process is described in the steps
below, but the reader should refer to the commits in the PR to see exactly
what was done and when.

* port forward semi-processed events for tests

This brings partially processed event data from a modified version of the testing
code at 8896fd3 (the commit immediately prior to
the removal of the javascript processing pipeline in #29435: commit at
2f3b0c5cbe9cfdd10e11fd52e2a259e564001100).

The evtx.golden.json files were generated by removing the js processing call at
https://github.com/elastic/beats/blob/8896fd319a257f3e0783119a7dd8d0978ef62197/x-pack/winlogbeat/module/testing_windows.go#L132-L135
to match the code in that file as it appears here and then run go test -update
in x-pack/winlogbeat/module/{powershell,security,sysmon}/test on a windows 2019
host.

The test package for each of the modules is also resurrected with modifications
reflecting the loss of the javascript processor.

Tests in x-pack/winlogbeat/module/{security,sysmon}/test fail in this
commit.

* make sure metadata is available for enrichment of raw values

This fixes failing tests in x-pack/winlogbeat/module/security/test, but tests in
sysmon continue to fail because sysmon-11-filedeletedetected.evtx was added in
33acb3c (2022-01-25) after the origin of the
forward port origin (2021-12-02).

* update golden file for sysmon-11-filedeletedetected.evtx

* ignore opcode field on Windows 2022

Also prohibit generating golden files for PowerShell on Windows 2022 to
prevent unnecessary work in discovering that this will fail on other
versions.

* defer event field filtering until value comparison

This will result in additional diff noise if golden values are generated on multiple
versions of windows so it may be worth keeping the version used reasonably constant.
The version used here was 2019.

winlogbeat/eventlog/wineventlog.go

@@ -396,8 +396,17 @@ func (l *winEventLog) buildRecordFromXML(x []byte, recoveredErr error) Record {
 		e.RenderErr = append(e.RenderErr, recoveredErr.Error())
 	}
 
+	md, err := win.NewPublisherMetadataStore(win.NilHandle, e.Provider.Name, logp.L())
+	if err != nil {
+		// Return an empty store on error (can happen in cases where the
+		// log was forwarded and the provider doesn't exist on collector).
+		md = win.NewEmptyPublisherMetadataStore(e.Provider.Name, logp.L())
+		logp.Warn("failed to load publisher metadata for %v "+
+			"(returning an empty metadata store): %v", e.Provider.Name, err)
+	}
+
 	// Get basic string values for raw fields.
-	winevent.EnrichRawValuesWithNames(nil, &e)
+	winevent.EnrichRawValuesWithNames(&md.WinMeta, &e)
 	if e.Level == "" {
 		// Fallback on LevelRaw if the Level is not set in the RenderingInfo.
 		e.Level = win.EventLevel(e.LevelRaw).String()

x-pack/winlogbeat/module/powershell/test/powershell_windows_test.go

@@ -0,0 +1,44 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package test
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/elastic/beats/v7/x-pack/winlogbeat/module"
+	"github.com/elastic/go-sysinfo/providers/windows"
+
+	// Register required processors.
+	_ "github.com/elastic/beats/v7/libbeat/cmd/instance"
+	_ "github.com/elastic/beats/v7/libbeat/processors/timestamp"
+)
+
+// Ignore these fields because they can be different on different versions
+// of windows.
+var ignoreFields = []string{
+	"message",
+}
+
+func TestPowerShell(t *testing.T) {
+	// FIXME: We do not get opcode strings in the XML on Windows 2022, so ignore that
+	// field there. Only apply this to that platform to avoid regressions elsewhere.
+	// This means that golden values should be generated on a non-2022 version of
+	// Windows to ensure that this field is properly rendered. This is checked in
+	// the module.TestPipeline function.
+	//
+	// See https://github.com/elastic/beats/issues/31490 for tracking issue.
+	os, err := windows.OperatingSystem()
+	if err != nil {
+		t.Fatalf("failed to get operating system info: %v", err)
+	}
+	t.Logf("running tests on %s", os.Name)
+	if strings.Contains(os.Name, "2022") {
+		ignoreFields = append(ignoreFields, "winlog.opcode")
+		t.Log("ignoring winlog.opcode")
+	}
+
+	module.TestPipeline(t, "testdata/*.evtx", module.WithFieldFilter(ignoreFields))
+}

x-pack/winlogbeat/module/powershell/test/testdata/400.evtx.golden.json

@@ -3,49 +3,26 @@
     "@timestamp": "2020-05-14T07:00:30.8914235Z",
     "event": {
       "action": "Engine Lifecycle",
-      "category": [
-        "process"
-      ],
       "code": "400",
       "kind": "event",
-      "module": "powershell",
-      "provider": "PowerShell",
-      "sequence": 13,
-      "type": [
-        "start"
-      ]
+      "provider": "PowerShell"
     },
     "host": {
       "name": "vagrant"
     },
     "log": {
       "level": "information"
     },
-    "powershell": {
-      "engine": {
-        "new_state": "Available",
-        "previous_state": "None",
-        "version": "5.1.17763.1007"
-      },
-      "process": {
-        "executable_version": "1.0.0.0"
-      },
-      "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2"
-    },
-    "process": {
-      "args": [
-        "C:\\Windows\\system32\\wsmprovhost.exe",
-        "-Embedding"
-      ],
-      "args_count": 2,
-      "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding",
-      "entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519",
-      "title": "ServerRemoteHost"
-    },
+    "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
+      "event_data": {
+        "param1": "Available",
+        "param2": "None",
+        "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
+      },
       "event_id": "400",
       "keywords": [
         "Classic"
@@ -60,51 +37,26 @@
     "@timestamp": "2020-05-14T07:01:14.3715076Z",
     "event": {
       "action": "Engine Lifecycle",
-      "category": [
-        "process"
-      ],
       "code": "400",
       "kind": "event",
-      "module": "powershell",
-      "provider": "PowerShell",
-      "sequence": 13,
-      "type": [
-        "start"
-      ]
+      "provider": "PowerShell"
     },
     "host": {
       "name": "vagrant"
     },
     "log": {
       "level": "information"
     },
-    "powershell": {
-      "engine": {
-        "new_state": "Available",
-        "previous_state": "None",
-        "version": "5.1.17763.1007"
-      },
-      "process": {
-        "executable_version": "5.1.17763.1007"
-      },
-      "runspace_id": "056a5045-a7bb-49c6-9a9d-2ea95acea751"
-    },
-    "process": {
-      "args": [
-        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
-        "-noexit",
-        "-command",
-        "'C:\\Gopath\\src\\github.com\\elastic\\beats'"
-      ],
-      "args_count": 4,
-      "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'",
-      "entity_id": "83c6a631-910d-4530-bec2-18b2d0fc380a",
-      "title": "ConsoleHost"
-    },
+    "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
+      "event_data": {
+        "param1": "Available",
+        "param2": "None",
+        "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
+      },
       "event_id": "400",
       "keywords": [
         "Classic"
@@ -119,49 +71,26 @@
     "@timestamp": "2020-05-14T11:32:51.9892568Z",
     "event": {
       "action": "Engine Lifecycle",
-      "category": [
-        "process"
-      ],
       "code": "400",
       "kind": "event",
-      "module": "powershell",
-      "provider": "PowerShell",
-      "sequence": 13,
-      "type": [
-        "start"
-      ]
+      "provider": "PowerShell"
     },
     "host": {
       "name": "vagrant"
     },
     "log": {
       "level": "information"
     },
-    "powershell": {
-      "engine": {
-        "new_state": "Available",
-        "previous_state": "None",
-        "version": "5.1.17763.1007"
-      },
-      "process": {
-        "executable_version": "5.1.17763.1007"
-      },
-      "runspace_id": "24067d05-e98a-4fbb-9cda-020e4c65017d"
-    },
-    "process": {
-      "args": [
-        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
-        "C:\\Users\\vagrant\\Desktop\\patata.ps1"
-      ],
-      "args_count": 2,
-      "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1",
-      "entity_id": "f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab",
-      "title": "Windows PowerShell ISE Host"
-    },
+    "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
+      "event_data": {
+        "param1": "Available",
+        "param2": "None",
+        "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
+      },
       "event_id": "400",
       "keywords": [
         "Classic"
@@ -176,43 +105,26 @@
     "@timestamp": "2020-06-04T07:20:27.7472275Z",
     "event": {
       "action": "Engine Lifecycle",
-      "category": [
-        "process"
-      ],
       "code": "400",
       "kind": "event",
-      "module": "powershell",
-      "provider": "PowerShell",
-      "sequence": 9,
-      "type": [
-        "start"
-      ]
+      "provider": "PowerShell"
     },
     "host": {
       "name": "vagrant"
     },
     "log": {
       "level": "information"
     },
-    "powershell": {
-      "engine": {
-        "new_state": "Available",
-        "previous_state": "None",
-        "version": "2.0"
-      },
-      "process": {
-        "executable_version": "2.0"
-      },
-      "runspace_id": "6ebeca05-d618-4c66-a0d8-4269d800d099"
-    },
-    "process": {
-      "entity_id": "7018c049-c75b-4e02-9c0f-6761b97e1657",
-      "title": "ConsoleHost"
-    },
+    "message": "Engine state is changed from None to Available. \n\nDetails: \n\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=",
     "winlog": {
       "api": "wineventlog",
       "channel": "Windows PowerShell",
       "computer_name": "vagrant",
+      "event_data": {
+        "param1": "Available",
+        "param2": "None",
+        "param3": "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine="
+      },
       "event_id": "400",
       "keywords": [
         "Classic"