elastic
diff --git a/‎x-pack/winlogbeat/module/security/test/security_windows_test.go‎
Lines changed: 8 additions & 1 deletion b/‎x-pack/winlogbeat/module/security/test/security_windows_test.go‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json‎
Lines changed: 0 additions & 18 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json‎
Lines changed: 0 additions & 18 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json‎
Lines changed: 0 additions & 1 deletion b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016-4672.evtx.golden.json‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4720_Account_Created.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions
diff --git a/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions b/‎x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.evtx.golden.json‎
Lines changed: 0 additions & 2 deletions
@@ -14,6 +14,13 @@ import (
 	_ "github.com/elastic/beats/libbeat/processors/timestamp"
 )
 
+// Ignore these fields because they can be different on different versions
+// of windows.
+var ignoreFields = []string{
+	"message",
+}
+
 func TestSecurity(t *testing.T) {
-	module.TestPipeline(t, "testdata/*.evtx", "../config/winlogbeat-security.js")
+	module.TestPipeline(t, "testdata/*.evtx", "../config/winlogbeat-security.js",
+		module.WithFieldFilter(ignoreFields))
 }
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "Special privileges assigned to new logon.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1766348727-1038078804-3833492317-1000\n\tAccount Name:\t\tvagrant\n\tAccount Domain:\t\tVAGRANT-2016\n\tLogon ID:\t\t0x76A087\n\nPrivileges:\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege",
     "user": {
       "domain": "VAGRANT-2016",
       "id": "S-1-5-21-1766348727-1038078804-3833492317-1000",
 
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x767A77\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
     "user": {
       "domain": "WIN-41OB2LO92CR",
       "id": "S-1-5-21-101361758-2486510592-3018839910-1000",
@@ -67,7 +66,6 @@
     "log": {
       "level": "information"
     },
-    "message": "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x104A4A6\n\nLogon Type:\t\t\t3\n\nThis event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.",
     "user": {
       "domain": "WIN-41OB2LO92CR",
       "id": "S-1-5-21-101361758-2486510592-3018839910-500",
 
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\telastictest1\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-",
     "process": {
       "name": "null"
     },
@@ -98,7 +97,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nNew Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAttributes:\n\tSAM Account Name:\taudittest0609\n\tDisplay Name:\t\t\u003cvalue not set\u003e\n\tUser Principal Name:\t-\n\tHome Directory:\t\t\u003cvalue not set\u003e\n\tHome Drive:\t\t\u003cvalue not set\u003e\n\tScript Path:\t\t\u003cvalue not set\u003e\n\tProfile Path:\t\t\u003cvalue not set\u003e\n\tUser Workstations:\t\u003cvalue not set\u003e\n\tPassword Last Set:\t\u003cnever\u003e\n\tAccount Expires:\t\t\u003cnever\u003e\n\tPrimary Group ID:\t513\n\tAllowed To Delegate To:\t-\n\tOld UAC Value:\t\t0x0\n\tNew UAC Value:\t\t0x15\n\tUser Account Control:\t\n\t\tAccount Disabled\n\t\t'Password Not Required' - Enabled\n\t\t'Normal Account' - Enabled\n\tUser Parameters:\t\u003cvalue not set\u003e\n\tSID History:\t\t-\n\tLogon Hours:\t\tAll\n\nAdditional Information:\n\tPrivileges\t\t-",
     "process": {
       "name": "null"
     },
 
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
     "process": {
       "name": "null"
     },
@@ -71,7 +70,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was enabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
     "process": {
       "name": "null"
     },
 
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-",
     "process": {
       "name": "null"
     },
@@ -72,7 +71,6 @@
     "log": {
       "level": "information"
     },
-    "message": "An attempt was made to change an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t\t-",
     "process": {
       "name": "null"
     },
 
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1005\n\tAccount Name:\t\telastictest1\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
     "process": {
       "name": "null"
     },
@@ -71,7 +70,6 @@
     "log": {
       "level": "information"
     },
-    "message": "An attempt was made to reset an account's password.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
     "process": {
       "name": "null"
     },
 
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
     "process": {
       "name": "null"
     },
@@ -71,7 +70,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was disabled.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1006\n\tAccount Name:\t\taudittest0609\n\tAccount Domain:\t\tWIN-41OB2LO92CR",
     "process": {
       "name": "null"
     },
 
@@ -14,7 +14,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1001\n\tAccount Name:\t\taudittest23\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-",
     "process": {
       "name": "null"
     },
@@ -72,7 +71,6 @@
     "log": {
       "level": "information"
     },
-    "message": "A user account was deleted.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\tLogon ID:\t\t0x264B2\n\nTarget Account:\n\tSecurity ID:\t\tS-1-5-21-101361758-2486510592-3018839910-1000\n\tAccount Name:\t\taudittest\n\tAccount Domain:\t\tWIN-41OB2LO92CR\n\nAdditional Information:\n\tPrivileges\t-",
     "process": {
       "name": "null"
     },
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,13 @@ import (`
`14`	`14`	`_ "github.com/elastic/beats/libbeat/processors/timestamp"`
`15`	`15`	`)`
`16`	`16`
	`17`	`+// Ignore these fields because they can be different on different versions`
	`18`	`+// of windows.`
	`19`	`+var ignoreFields = []string{`
	`20`	`+ "message",`
	`21`	`+}`
	`22`	`+`
`17`	`23`	`func TestSecurity(t *testing.T) {`
`18`		`- module.TestPipeline(t, "testdata/*.evtx", "../config/winlogbeat-security.js")`
	`24`	`+ module.TestPipeline(t, "testdata/*.evtx", "../config/winlogbeat-security.js",`
	`25`	`+ module.WithFieldFilter(ignoreFields))`
`19`	`26`	`}`