winlogbeat/sys/wineventlog: extend testing and fix bugs

[efd6]

What does this PR do?

This fixes a couple of bug identified in #30621 and extends the test fixture to allow addition of further test cases.

This fixes failures in event handling on Windows 2022 where parts of
events available from the Windows API are not reflected in the events recovered by winlogbeat.

There is unfortunately quite a lot of movement in this change due to the
need to satisfy linter requirements. Beyond those changes, the substantive
changes here are:

1. Addition of new testing infrastructure to allow addition of evtx files
   and comparison with there expected XML renderings, and adding some test
   cases.
2. Fixing a buffer length parameter in the call to _EvtFormatMessage in
   evtFormatMessage that was the result of a lack of clarity in the API
   documentation for that syscall.
3. Fixing a var shadowing decl of the publisher handle EvtHandle in
   FormatEventString.
4. Providing a call back for the legacy (non-experimental) API through
   wineventlog.Message to allow it to obtain the event message in the case
   that the RenderingInfo element is not available via the Windows API.
5. Ensure that keyword, opcode and level are obtained by the non-experimental
   API by calling winevent.EnrichRawValuesWithNames in buildRecordFromXML.
   This change also required making winevent.Event.OpcodeRaw a pointer to
   allow an absent System>Opcode element to be distinquished from the zero,
   but present element.

The change also enables testing on Windows 2022.

Why is it important?

The bugs look to have caused CI failure when adding Windows2022 to the build matrix #30622.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
  - [ ] I have made corresponding changes to the documentation
  - [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes winlogbeat: system.test_wineventlog failures for Windows-2022 #30621
• Relates ci: enable windows-2022 for winlogbeat #30622

Use cases

Screenshots

Logs

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-03-30T05:54:53.556+0000

• Duration: 76 min 36 sec

Test stats 🧪

Test	Results
Failed	0
Passed	22268
Skipped	1937
Total	24205

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[andrewkroh]

I pushed in a change to see how the tests react with Windows 2022.

[efd6]

[](https://beats-ci.elastic.co/blue/organizations/jenkins/Beats%2Fbeats/detail/PR-30942/6/pipeline#step-5772-log-25)[](https://beats-ci.elastic.co/blue/organizations/jenkins/Beats%2Fbeats/detail/PR-30942/6/pipeline#step-5772-log-26)[2022-03-22T21:17:16.590Z] winlogbeat/sys/wineventlog/format_message.go:26:2: import of package `github.com/pkg/errors` is blocked because the module is in the blocked modules list. `errors` and `fmt` are recommended modules. This package is deprecated, use `fmt.Errorf` with `%!w(MISSING)` instead. (gomodguard)
[2022-03-22T21:17:16.590Z] 	"github.com/pkg/errors"
[2022-03-22T21:17:16.590Z] 	^

🤣

I'll fix this.

Note: funny that the linter gets the format string wrong use `fmt.Errorf` with `%!w(MISSING)`. (There are some very dubious linter warnings here).

[andrewkroh]

It looks like there is progress on the message front 👍 . Now the python tests are failing because other rendering info from the XML is missing such as the winlog.keywords and winlog.opcode

[andrewkroh]

IIRC the modulo on L186 is bad. The eventcreate event ID values should range on [1-1000] instead of [0-1000]. Saw this too when I was hacking.

Specifies the event ID for the event. A valid ID is any number from 1 to 1000.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/eventcreate

[efd6]

Now the python tests are failing because other rendering info from the XML is missing such as the winlog.keywords and winlog.opcode

Yea. It's not clear to me how to get that. The change in 7c44687 does the majority of that, but the keywords are not obtainable through that path.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b wineventlog upstream/wineventlog
git merge upstream/main
git push upstream wineventlog

[andrewkroh]

The tests are passing on Windows 2022 🍾

[efd6]

Because of the amount of delint spam, I'll write a fairly detailed commit message since the actual fix was only really two minor changes.

[andrewkroh]

That would be helpful, and can you add that message somewhere in the PR description too.

[efd6]

Do we want to backport to 7.17 and 8.2 as well now?

[andrewkroh]

Yeah, let's backport this bugfix into both 8.2 and 7.17.