wintest: new package to provide support for winlogbeat ingest node pipeline testing

[efd6]

What does this PR do?

This adds infrastructure for testing ingest pipelines in winlogbeat.

Why is it important?

Winlogbeat's ingest pipelines are currently untested and provisional testing shows that there will be failures when testing is instituted. Tests will make it possible to fix these problems.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• Testing needs to be run with -p 1, otherwise there is contention for the container's network port if package test globbing is used.
• The linter complaint can be completely ignored; it is due to staticcheck knowing that a t.Skip is a terminating statement and so that later uses are not ever executed. Tests are now passing, so no Skip is being done.
• The tests are currently in unittest, but it could be argued they should be in integ test. I'm not wedded to either, but it was easier to work without build constraints. I don't believe that the CI is currently running the tests here, and I'm not sure how to wire them in. So help there would be appreciated.

Failing in Powershell:

--- FAIL: TestPowerShellIngest (25.85s)
    --- FAIL: TestPowerShellIngest/800.evtx.golden.json (0.00s)
        testing.go:158: unexpected ingest error for event 2: unexpected pipeline error: [scripting] Regular expression considered too many characters, pattern: [^(.+)\\((.+)\\)\\:\\s*(.+)?$], limit factor: [6], char limit: [1386], count: [1387], wrapped: [NonTerminatingError(Import-LocalizedData): \"Cannot find the W...], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestPowerShellIngest/800.evtx.golden.json
            	Messages:   	Key '_temp.details' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestPowerShellIngest/800.evtx.golden.json
            	Messages:   	Key '_temp.user_parts' found in event is not documented.
        testing.go:158: unexpected ingest error for event 3: unexpected pipeline error: [scripting] Regular expression considered too many characters, pattern: [^(.+)\\((.+)\\)\\:\\s*(.+)?$], limit factor: [6], char limit: [1470], count: [1471], wrapped: [ParameterBinding(Out-Default): name=\"InputObject\"; value=\"Can...], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestPowerShellIngest/800.evtx.golden.json
            	Messages:   	Key '_temp.details' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestPowerShellIngest/800.evtx.golden.json
            	Messages:   	Key '_temp.user_parts' found in event is not documented.
FAIL

Failing in Security:

--- FAIL: TestSecurityIngest (26.16s)
    --- FAIL: TestSecurityIngest/4706_WindowsSrv2016.evtx.golden.json (0.00s)
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4706_WindowsSrv2016.evtx.golden.json
            	Messages:   	Key 'winlog.trustAttribute' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4706_WindowsSrv2016.evtx.golden.json
            	Messages:   	Key 'winlog.trustDirection' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4706_WindowsSrv2016.evtx.golden.json
            	Messages:   	Key 'winlog.trustType' found in event is not documented.
    --- FAIL: TestSecurityIngest/4716_WindowsSrv2016.evtx.golden.json (0.00s)
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4716_WindowsSrv2016.evtx.golden.json
            	Messages:   	Key 'winlog.trustDirection' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4716_WindowsSrv2016.evtx.golden.json
            	Messages:   	Key 'winlog.trustType' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4716_WindowsSrv2016.evtx.golden.json
            	Messages:   	Key 'winlog.trustAttribute' found in event is not documented.
    --- FAIL: TestSecurityIngest/4741.evtx.golden.json (0.00s)
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4741.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.domain' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4741.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.id' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4741.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.name' found in event is not documented.
    --- FAIL: TestSecurityIngest/4742.evtx.golden.json (0.00s)
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4742.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.name' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4742.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.id' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4742.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.domain' found in event is not documented.
    --- FAIL: TestSecurityIngest/4743.evtx.golden.json (0.00s)
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4743.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.id' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4743.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.name' found in event is not documented.
        testing.go:165: 
            	Error Trace:	testing.go:328
            	            				testing.go:165
            	Error:      	Field not documented
            	Test:       	TestSecurityIngest/4743.evtx.golden.json
            	Messages:   	Key 'winlog.computerObject.domain' found in event is not documented.
    --- FAIL: TestSecurityIngest/4908_WindowsSrv2016.evtx.golden.json (0.00s)
        testing.go:150: unexpected error: unexpected response status for simulate: 400 Bad Request (400): elasticsearch error (type=illegal_argument_exception): unexpected value type [class [Ljava.lang.String;]
            Root cause:
            [
              {
                "type": "illegal_argument_exception",
                "reason": "unexpected value type [class [Ljava.lang.String;]",
                "position": {
                  "offset": 0,
                  "start": 0,
                  "end": 0
                }
              }
            ]
    --- FAIL: TestSecurityIngest/security-windows2012_4674.evtx.golden.json (0.00s)
        testing.go:158: unexpected ingest error for event 0: unexpected pipeline error: Processor "script" with tag "Decode message table" in pipeline "" failed with message "For input string: \"%%1538\n\t\t\t\t%%1542\n\t\t\t\t\""
    --- FAIL: TestSecurityIngest/security-windows2012_4768.evtx.golden.json (0.00s)
        testing.go:197: Expected and actual are different:
            --- Expected
            +++ Actual
            @@ -63,4 +63,4 @@
                     "Forwardable",
            +        "Renewable",
                     "Renewable-ok",
            -        "Renewable",
                     "Name-canonicalize"
    --- FAIL: TestSecurityIngest/security-windows2012_4771.evtx.golden.json (0.00s)
        testing.go:197: Expected and actual are different:
            --- Expected
            +++ Actual
            @@ -58,4 +58,4 @@
                     "Forwardable",
            +        "Renewable",
                     "Renewable-ok",
            -        "Renewable",
                     "Name-canonicalize"
FAIL

Note that the final two failures in Security look to be due to instability in the ordering of addition to an array and this may need a fix in the comparison code in the module test.

How to test this PR locally

Related issues

• For [Winlogbeat] add tests for ingest node pipelines #30406
• Depends x-pack/winlogbeat: move module tests #31817
• Depends winlogbeat: disentangle test data from x-pack/winlogbeat #31858

Use cases

Screenshots

Logs

[elasticmachine]

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

I'm part way through the changes. I'll finish up tomorrow. Looks good.

[efd6]

The inconsistency in this could be avoided by using bit operations in the painless rather than the map iteration that is currently done.

I expect, but have not observed, that the same issue will be present in the AccessMaskDescription processing.

[efd6]

The fix would be to iterate over the word size of the flags, e.g. for the AccessMaskDescription case

for (def b = 0; b < 32; b++) {
    long accessFlag = 1L << b;
    if (accessMask&accessFlag == accessFlag) {

and an appropriate access to the parameter map — maybe via a hex string format of the accessFlag if an integer map key is not possible.

The equivalent change can be made for TicketOptionsDescription at line 876 in this file.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b wintest/docker upstream/wintest/docker
git merge upstream/main
git push upstream wintest/docker

[efd6]

AFAICS the E2E failures are unrelated.

[cmacknz]

AFAICS the E2E failures are unrelated.

Yes the E2E tests have been unstable for a few weeks, I am looking into disabling the flakiest ones when triggered from beats but not from agent.

[efd6]

Rebased with the hope that the tests pass.

[efd6]

E2E failure is unrelated, End-To-End Tests / fleet_ debian_10_arm64_fleet_mode_agent:

[2022-06-23T02:24:58.636Z] [INFO] withAPMEnv: is enabled.
Cannot get property 'shell_type' on null object