Winlogbeat: Fix compatibility problems with newer OS versions in CI#22362
Merged
adriansr merged 8 commits intoelastic:masterfrom Nov 11, 2020
Merged
Winlogbeat: Fix compatibility problems with newer OS versions in CI#22362adriansr merged 8 commits intoelastic:masterfrom
adriansr merged 8 commits intoelastic:masterfrom
Conversation
5c6b19e to
833b5d0
Compare
Contributor
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
Contributor
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
Contributor
Author
|
jenkins, test this |
a1e53f2 to
50b5421
Compare
The first field of the structure, a union, didn't have the proper size when compiled for 32-bits, causing "invalid argument" errors when the struct was passed to an API. Also, some EVT_VARIANT types weren't being handled properly.
Under most Windows versions, GUID values cannot be substituted with string values. However, this is not the case under at least Win7 32bit. Just disable the testing assertion as it has no impact.
Go's mkwinsyscall is generating syscall invocations that don't work properly under GOARCH=386 (or any 32-bit arch). This only affects functions that receive a 64-bit parameter, in this case only EvtSeek is affected. This replaces `mkwinsyscall` with a patched one that adds some workaround code.
Under Windows 10, event formatting is not failing with an error even though not metadata is being passed.
Under Windows 7 and Windows 10, writes to a newly created event log fail occasionally. It seems that there is a delay between when an event log is created and publishing events to it is allowed. This commit updates the tests to retry on failure when creating an event log for testing.
For some reason, the following fields:
- winlog.user.type
- winlog.user.name
- winlog.user.domain
are not populated by the Sysmon module under Windows 7 32-bit. I couldn't
reproduce outside of CI, where it's failing to lookup SID `S-1-5-18`:
```
testing_windows.go:69: Expected and actual are different:
--- Expected
+++ Actual
@@ -47,6 +47,3 @@
"user": {
- "domain": "NT AUTHORITY",
- "identifier": "S-1-5-18",
- "name": "SYSTEM",
- "type": "Well Known Group"
+ "identifier": "S-1-5-18"
},
```
This commit updates the test to ignore those fields and removes them from
the golden files.
Under Windows 10, writing large events (31800 bytes) results in an empty event log. Seems that the events are being silently dropped due to being too big.
50b5421 to
6834315
Compare
Contributor
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
andrewkroh
approved these changes
Nov 10, 2020
Member
andrewkroh
left a comment
There was a problem hiding this comment.
LGTM. Thank you for tackling this.
| func safeWriteEvent(t testing.TB, log *eventlog.Log, etype uint16, eid uint32, msgs []string) { | ||
| deadline := time.Now().Add(time.Second * 10) | ||
| for { | ||
| err := log.Report(etype, eid, msgs) |
Member
There was a problem hiding this comment.
Curious what the story is behind this. What kind of temporary errors were you seeing?
Contributor
Author
There was a problem hiding this comment.
You get an access denied error if you try to publish too shortly after creating the event log
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
Nov 24, 2020
…lastic#22362) * Fix EVT_VARIANT struct definition for GOARCH=386 The first field of the structure, a union, didn't have the proper size when compiled for 32-bits, causing "invalid argument" errors when the struct was passed to an API. Also, some EVT_VARIANT types weren't being handled properly. * Remove formatting assertion in TestFormatMessage Under most Windows versions, GUID values cannot be substituted with string values. However, this is not the case under at least Win7 32bit. Just disable the testing assertion as it has no impact. * Update generated syscalls to avoid bug under 32-bit Go's mkwinsyscall is generating syscall invocations that don't work properly under GOARCH=386 (or any 32-bit arch). This only affects functions that receive a 64-bit parameter, in this case only EvtSeek is affected. This replaces `mkwinsyscall` with a patched one that adds some workaround code. * Enable all windows tests * Disable TestFormatMessage/no_metadata tests Under Windows 10, event formatting is not failing with an error even though not metadata is being passed. * Testing: Error check on publishing events to an event log Under Windows 7 and Windows 10, writes to a newly created event log fail occasionally. It seems that there is a delay between when an event log is created and publishing events to it is allowed. This commit updates the tests to retry on failure when creating an event log for testing. * Sysmon: Ignore winlog.user.* fields during test For some reason, the following fields: - winlog.user.type - winlog.user.name - winlog.user.domain are not populated by the Sysmon module under Windows 7 32-bit. I couldn't reproduce outside of CI, where it's failing to lookup SID `S-1-5-18`: ``` testing_windows.go:69: Expected and actual are different: --- Expected +++ Actual @@ -47,6 +47,3 @@ "user": { - "domain": "NT AUTHORITY", - "identifier": "S-1-5-18", - "name": "SYSTEM", - "type": "Well Known Group" + "identifier": "S-1-5-18" }, ``` This commit updates the test to ignore those fields and removes them from the golden files. * Testing: limit event size in testWindowsEventLog Under Windows 10, writing large events (31800 bytes) results in an empty event log. Seems that the events are being silently dropped due to being too big. (cherry picked from commit d97fe08)
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
Nov 24, 2020
…lastic#22362) * Fix EVT_VARIANT struct definition for GOARCH=386 The first field of the structure, a union, didn't have the proper size when compiled for 32-bits, causing "invalid argument" errors when the struct was passed to an API. Also, some EVT_VARIANT types weren't being handled properly. * Remove formatting assertion in TestFormatMessage Under most Windows versions, GUID values cannot be substituted with string values. However, this is not the case under at least Win7 32bit. Just disable the testing assertion as it has no impact. * Update generated syscalls to avoid bug under 32-bit Go's mkwinsyscall is generating syscall invocations that don't work properly under GOARCH=386 (or any 32-bit arch). This only affects functions that receive a 64-bit parameter, in this case only EvtSeek is affected. This replaces `mkwinsyscall` with a patched one that adds some workaround code. * Enable all windows tests * Disable TestFormatMessage/no_metadata tests Under Windows 10, event formatting is not failing with an error even though not metadata is being passed. * Testing: Error check on publishing events to an event log Under Windows 7 and Windows 10, writes to a newly created event log fail occasionally. It seems that there is a delay between when an event log is created and publishing events to it is allowed. This commit updates the tests to retry on failure when creating an event log for testing. * Sysmon: Ignore winlog.user.* fields during test For some reason, the following fields: - winlog.user.type - winlog.user.name - winlog.user.domain are not populated by the Sysmon module under Windows 7 32-bit. I couldn't reproduce outside of CI, where it's failing to lookup SID `S-1-5-18`: ``` testing_windows.go:69: Expected and actual are different: --- Expected +++ Actual @@ -47,6 +47,3 @@ "user": { - "domain": "NT AUTHORITY", - "identifier": "S-1-5-18", - "name": "SYSTEM", - "type": "Well Known Group" + "identifier": "S-1-5-18" }, ``` This commit updates the test to ignore those fields and removes them from the golden files. * Testing: limit event size in testWindowsEventLog Under Windows 10, writing large events (31800 bytes) results in an empty event log. Seems that the events are being silently dropped due to being too big. (cherry picked from commit d97fe08)
adriansr
added a commit
that referenced
this pull request
Nov 24, 2020
…22362) (#22727) * Fix EVT_VARIANT struct definition for GOARCH=386 The first field of the structure, a union, didn't have the proper size when compiled for 32-bits, causing "invalid argument" errors when the struct was passed to an API. Also, some EVT_VARIANT types weren't being handled properly. * Remove formatting assertion in TestFormatMessage Under most Windows versions, GUID values cannot be substituted with string values. However, this is not the case under at least Win7 32bit. Just disable the testing assertion as it has no impact. * Update generated syscalls to avoid bug under 32-bit Go's mkwinsyscall is generating syscall invocations that don't work properly under GOARCH=386 (or any 32-bit arch). This only affects functions that receive a 64-bit parameter, in this case only EvtSeek is affected. This replaces `mkwinsyscall` with a patched one that adds some workaround code. * Enable all windows tests * Disable TestFormatMessage/no_metadata tests Under Windows 10, event formatting is not failing with an error even though not metadata is being passed. * Testing: Error check on publishing events to an event log Under Windows 7 and Windows 10, writes to a newly created event log fail occasionally. It seems that there is a delay between when an event log is created and publishing events to it is allowed. This commit updates the tests to retry on failure when creating an event log for testing. * Sysmon: Ignore winlog.user.* fields during test For some reason, the following fields: - winlog.user.type - winlog.user.name - winlog.user.domain are not populated by the Sysmon module under Windows 7 32-bit. I couldn't reproduce outside of CI, where it's failing to lookup SID `S-1-5-18`: ``` testing_windows.go:69: Expected and actual are different: --- Expected +++ Actual @@ -47,6 +47,3 @@ "user": { - "domain": "NT AUTHORITY", - "identifier": "S-1-5-18", - "name": "SYSTEM", - "type": "Well Known Group" + "identifier": "S-1-5-18" }, ``` This commit updates the test to ignore those fields and removes them from the golden files. * Testing: limit event size in testWindowsEventLog Under Windows 10, writing large events (31800 bytes) results in an empty event log. Seems that the events are being silently dropped due to being too big. (cherry picked from commit d97fe08)
adriansr
added a commit
that referenced
this pull request
Nov 24, 2020
…22362) (#22728) * Fix EVT_VARIANT struct definition for GOARCH=386 The first field of the structure, a union, didn't have the proper size when compiled for 32-bits, causing "invalid argument" errors when the struct was passed to an API. Also, some EVT_VARIANT types weren't being handled properly. * Remove formatting assertion in TestFormatMessage Under most Windows versions, GUID values cannot be substituted with string values. However, this is not the case under at least Win7 32bit. Just disable the testing assertion as it has no impact. * Update generated syscalls to avoid bug under 32-bit Go's mkwinsyscall is generating syscall invocations that don't work properly under GOARCH=386 (or any 32-bit arch). This only affects functions that receive a 64-bit parameter, in this case only EvtSeek is affected. This replaces `mkwinsyscall` with a patched one that adds some workaround code. * Enable all windows tests * Disable TestFormatMessage/no_metadata tests Under Windows 10, event formatting is not failing with an error even though not metadata is being passed. * Testing: Error check on publishing events to an event log Under Windows 7 and Windows 10, writes to a newly created event log fail occasionally. It seems that there is a delay between when an event log is created and publishing events to it is allowed. This commit updates the tests to retry on failure when creating an event log for testing. * Sysmon: Ignore winlog.user.* fields during test For some reason, the following fields: - winlog.user.type - winlog.user.name - winlog.user.domain are not populated by the Sysmon module under Windows 7 32-bit. I couldn't reproduce outside of CI, where it's failing to lookup SID `S-1-5-18`: ``` testing_windows.go:69: Expected and actual are different: --- Expected +++ Actual @@ -47,6 +47,3 @@ "user": { - "domain": "NT AUTHORITY", - "identifier": "S-1-5-18", - "name": "SYSTEM", - "type": "Well Known Group" + "identifier": "S-1-5-18" }, ``` This commit updates the test to ignore those fields and removes them from the golden files. * Testing: limit event size in testWindowsEventLog Under Windows 10, writing large events (31800 bytes) results in an empty event log. Seems that the events are being silently dropped due to being too big. (cherry picked from commit d97fe08)
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR includes a collection of fixes for different issues found in Winlogbeat after enabling CI testing for previously untested versions of Windows.
Two bugs have been fixed (only affected 32bit binaries):
Bad EVT_VARIANT struct definition, caused errors formatting events.
The first field of the structure, a union, didn't have the right size when compiled for 32-bits, causing "invalid argument" errors when the struct was passed to an API. Also, some EVT_VARIANT types weren't being handled properly.
Failed to seek to a saved state in an
.evtxfile.This is caused by a helper tool in Go (mkwinsyscall) not generating correct syscall calls under GOARCH=386 (or any 32-bit arch). This only affects functions that receive a 64-bit parameter, in the case of Beats, only EvtSeek is affected. (Bug report).
The rest are changes to tests due to inconsistent behaviors of different Windows versions:
Remove formatting assertion in TestFormatMessage
Under most Windows versions, GUID values cannot be substituted with string values. However, this is not the case under at least Win7 32bit. Just disable the testing assertion as it has no impact.
Disable TestFormatMessage/no_metadata tests
Under Windows 10, event formatting is not failing with an error even though not metadata is being passed.
Check for errors on publishing events to an event log
Under Windows 7 and Windows 10, writes to a newly created event log fail occasionally. It seems that there is a delay between when an event log is created and publishing events to it is allowed.
Sysmon: Ignore winlog.user.* fields during test
For some reason, the following fields:
are not populated by the Sysmon module under Windows 7 32-bit. I couldn't reproduce outside of CI, where it's failing to lookup SID
S-1-5-18.Fixes #19798
Fixes #19829
Fixes #22046
Fixes #22302