Fix loop while reading from standalone evtx

[grishinpv]

What does this PR do?

Tjis fix adds checking EOF to prevent constant loop while reading standalone evtx file

Why is it important?

When we reach the end of the file (case io.EOF) we set stop = true.
But next we continue the loop regardless stop value and read whole file again and again.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

[mergify]

This pull request does not have a backport label. Could you fix it @grishinpv? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Reason: null

• Start Time: 2022-02-03T15:56:11.205+0000

• Duration: 68 min 43 sec

• Commit: a3fa9bc

Test stats 🧪

Test	Results
Failed	0
Passed	1305
Skipped	26
Total	1331

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[andrewkroh]

Have you followed the instructions in https://www.elastic.co/guide/en/beats/winlogbeat/7.7/reading-from-evtx.html#reading-from-evtx? Specifically the part about no_more_events: stop. Does that not work? If that's not working then we have a bug.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[taylor-swanson]

This appears to be the same issue as reported here: https://discuss.elastic.co/t/winlogbeat-wont-exit-winlogbeat-json-output-size-is-different-for-same-file/295706

I did test out the original fix and it does work, but as my other comment points out, there's an edge case that's missed when there are records returned, along with an io.EOF.

[ashim-mahara]

Commenting to track the bug. I was the one who posted on the forum earlier. Let me know if you need any help, I have moderate experience working with Golang.

[taylor-swanson]

Hi @grishinpv, do you have an update on the status of your change? If you would like, I can push the necessary changes and get this PR merged. If you do push a change, we'll also need an update to CHANGELOG.next.asciidoc, something like:

--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -84,6 +84,7 @@
 - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
 - Remove top level `hash` property from sysmon events {pull}20653[20653]
 - Move module processing from local Javascript processor to ingest node {issue}29184[29184] {pull}29435[29435]
+- Fix run loop when reading from evtx file {pull}30006[30006]
 
 *Functionbeat*

If I don't hear back in the next day or so, I'll go ahead and push the changes so we can get this fix in.

[leehinman]

LGTM

[leehinman]

/test

[ashim-mahara]

Still not working on Winlogbeat 8.0.0 Windows x86_64. Behavior is as before as explained in https://discuss.elastic.co/t/winlogbeat-wont-exit-winlogbeat-json-output-size-is-different-for-same-file/295706.