From 5a997095029a0b2053b0fc2c302064dc0d6107cf Mon Sep 17 00:00:00 2001
From: Grishin Pavel <88319804+grishinpv@users.noreply.github.com>
Date: Tue, 25 Jan 2022 23:13:59 +0300
Subject: [PATCH 1/2] Fix loop while reading from standalone evtx

When we reach the end of the file (case io.EOF) we set stop = true. But next we continue look regardless stop value and read whole file again and again
---
 winlogbeat/beater/eventlogger.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/winlogbeat/beater/eventlogger.go b/winlogbeat/beater/eventlogger.go
index b7507cfe8c0..36fbdf39dbb 100644
--- a/winlogbeat/beater/eventlogger.go
+++ b/winlogbeat/beater/eventlogger.go
@@ -171,6 +171,9 @@ runLoop:
 		e.log.Debugf("Read() returned %d records.", len(records))
 		if len(records) == 0 {
 			time.Sleep(time.Second)
+			if stop {
+				return
+			}
 			continue
 		}
 

From a3fa9bcf8dd8a2623fad626150e169683a95c745 Mon Sep 17 00:00:00 2001
From: Taylor Swanson
Date: Wed, 2 Feb 2022 07:53:14 -0600
Subject: [PATCH 2/2] Move stop variable and check to outer loop, update changelog

---
 CHANGELOG.next.asciidoc          | 1 +
 winlogbeat/beater/eventlogger.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 92e3291317e..fe1c33ea552 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -84,6 +84,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
 - Remove top level `hash` property from sysmon events {pull}20653[20653]
 - Move module processing from local Javascript processor to ingest node {issue}29184[29184] {pull}29435[29435]
+- Fix run loop when reading from evtx file {pull}30006[30006]
 
 *Functionbeat*
 

diff --git a/winlogbeat/beater/eventlogger.go b/winlogbeat/beater/eventlogger.go
index 36fbdf39dbb..390a2fb3975 100644
--- a/winlogbeat/beater/eventlogger.go
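Review bot: The new `if stop { return }` is placed after `time.Sleep(time.Second)`, so once the read loop has set stop (on io.EOF, per the commit message) the empty-records branch still pauses a full second before the function returns. Unless that pause is meant to let something drain, the check belongs before the sleep: `if stop { return }` followed by `time.Sleep(time.Second)`. The code that sets stop, and the enclosing run method, are outside this hunk, so this is based on the commit message rather than on visible lines.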
+++ b/winlogbeat/beater/eventlogger.go
@@ -130,7 +130,7 @@ func (e *eventLogger) run(
 	}()
 
 runLoop:
-	for {
+	for stop := false; !stop; {
 		err = api.Open(state)
 		if eventlog.IsRecoverable(err) {
 			e.log.Warnw("Open() encountered recoverable error. Trying again...", "error", err)
@@ -142,7 +142,7 @@ runLoop:
 		}
 		e.log.Debug("Opened successfully.")
 
-		for stop := false; !stop; {
+		for !stop {
 			select {
 			case <-done:
 				return
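Review bot: `stop` now governs both loops, but nothing at its declaration in `for stop := false; !stop; {` says what sets it, and the path that does (the io.EOF case, per the commit message) lies outside the hunk. A short comment above `runLoop:` would make the termination contract visible where the flag is introduced: `// stop is set by the read loop when a standalone .evtx file reaches io.EOF; it ends both loops so the file is not re-read from the start.` The run method begins before this hunk and continues past it.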