wintest: new package to provide support for winlogbeat ingest node pipeline testing #31833
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
I'm part way through the changes. I'll finish up tomorrow. Looks good.
|
||
// This list is constructed through iteration over a Java hashmap | ||
// and so is not consistently ordered. | ||
"winlog.event_data.TicketOptionsDescription", |
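Review bot: the two-line comment above the `"winlog.event_data.TicketOptionsDescription"` entry says the list is built by iterating over a Java hashmap, but not where that iteration happens. Name the pipeline script that builds the list, so a reader can find the source of the unstable order and drop this special case once the order is made stable.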
The inconsistency in this could be avoided by using bit operations in the painless rather than the map iteration that is currently done.
I expect, but have not observed, that the same issue will be present in the AccessMaskDescription processing.
ctx.winlog.event_data.put("AccessMask", list); | ||
} | ||
|
||
ArrayList desc = new ArrayList(); | ||
for (entry in params.AccessMaskDescriptions.entrySet()) { |
The fix would be to iterate over the word size of the flags, e.g. for the AccessMaskDescription case

```
for (def b = 0; b < 32; b++) {
    long accessFlag = 1L << b;
    // Parenthesized: == binds tighter than & here.
    if ((accessMask & accessFlag) == accessFlag) {
```

and an appropriate access to the parameter map — maybe via a hex string format of the accessFlag if an integer map key is not possible.
The equivalent change can be made for TicketOptionsDescription at line 876 in this file.
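The bit-position iteration suggested in the review comment above, as an added Go example (not code from this PR or from the winlogbeat pipeline). The table is a constructed sample using standard Windows access-right names, keyed by hex string as the comment proposes; reporting unknown bits as hex is an assumption of this example.

```go
package main

import (
	"fmt"
	"strconv"
)

// Constructed sample table keyed by hex flag string; not the pipeline's own map.
var accessMaskDescriptions = map[string]string{
	"0x10000":  "DELETE",
	"0x20000":  "READ_CONTROL",
	"0x40000":  "WRITE_DAC",
	"0x100000": "SYNCHRONIZE",
}

// describeByMapIteration walks the table; output order is the map's, not fixed.
func describeByMapIteration(mask uint32) []string {
	var desc []string
	for key, name := range accessMaskDescriptions {
		flag, err := strconv.ParseUint(key, 0, 32)
		if err == nil && (uint64(mask)&flag) == flag {
			desc = append(desc, name)
		}
	}
	return desc
}

// describeByBit walks bit positions 0..31, so output is in ascending flag order.
func describeByBit(mask uint32) []string {
	var desc []string
	for b := uint(0); b < 32; b++ {
		flag := uint32(1) << b
		if mask&flag != flag {
			continue
		}
		key := fmt.Sprintf("0x%x", flag)
		name, ok := accessMaskDescriptions[key]
		if !ok {
			name = key // assumption of this example: keep unknown bits visible
		}
		desc = append(desc, name)
	}
	return desc
}

func main() {
	mask := uint32(0x130000) // constructed: DELETE | READ_CONTROL | SYNCHRONIZE
	fmt.Println(describeByMapIteration(mask), describeByBit(mask))
}
```
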
This pull request is now in conflicts. Could you fix it? 🙏
AFAICS the E2E failures are unrelated.
Yes the E2E tests have been unstable for a few weeks, I am looking into disabling the flakiest ones when triggered from beats but not from agent.
…peline testing Includes wiring in module tests, but skipped for powershell and security due to failing tests.
…800 parameter detail processing
This guarantees that flag description lists will be in a canonical order, and should be less work.
Rebased with the hope that the tests pass.
E2E failure is unrelated, End-To-End Tests / fleet_ debian_10_arm64_fleet_mode_agent:
…peline testing (#31833) - powershell: fix regexp constraints in event 800 parameter detail processing - security: fix documentation - security: fix sidlist processing - security: fix access mask and access list processing
What does this PR do?
This adds infrastructure for testing ingest pipelines in winlogbeat.
Why is it important?
Winlogbeat's ingest pipelines are currently untested and provisional testing shows that there will be failures when testing is instituted. Tests will make it possible to fix these problems.
Checklist
I have made corresponding change to the default configuration files
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
Author's Checklist
-p 1, otherwise there is contention for the container's network port if package test globbing is used.
The linter complaint can be completely ignored; it is due to staticcheck knowing that a t.Skip is a terminating statement and so that later uses are not ever executed.
Tests are now passing, so no Skip is being done.
Failing in Powershell:
Failing in Security:
Note that the final two failures in Security look to be due to instability in the ordering of addition to an array and this may need a fix in the comparison code in the module test.