[Winlogbeat] Add missing query while reading .evtx file (#36173)

* Add missing query for evtx processing * update pr num * update changelog * Add test * fix CI * add eventID as string * update query * fix expected in test * fix golangci-lint * Address PR comment * Add nolint:prealloc directives
elastic · Aug 8, 2023 · 1fe462c · 1fe462c
1 parent 1f4051f
commit 1fe462c
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -33,6 +33,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Winlogbeat*
 
 - Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 {pull}35193[35193]
+- Fix the ability to use filtering features (e.g. `ignore_older`, `event_id`, `provider`, `level`) while reading `.evtx` files. {issue}16826[16826] {pull}36173[36173]
 
 *Functionbeat*
 

diff --git a/winlogbeat/eventlog/wineventlog.go b/winlogbeat/eventlog/wineventlog.go
@@ -332,7 +332,7 @@ func (l *winEventLog) Open(state checkpoint.EventLogState) error {
 func (l *winEventLog) openFile(state checkpoint.EventLogState, bookmark win.EvtHandle) error {
 	path := l.channelName
 
-	h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+	h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 	if err != nil {
 		l.metrics.logError(err)
 		return fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
@@ -424,6 +424,7 @@ func (l *winEventLog) Read() ([]Record, error) {
 		return nil, err
 	}
 
+	//nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive.
 	var records []Record
 	defer func() {
 		l.metrics.log(records)

diff --git a/winlogbeat/eventlog/wineventlog_experimental.go b/winlogbeat/eventlog/wineventlog_experimental.go
@@ -182,7 +182,7 @@ func (l *winEventLogExp) open(state checkpoint.EventLogState) (win.EvtHandle, er
 func (l *winEventLogExp) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) {
 	path := l.channelName
 
-	h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+	h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 	if err != nil {
 		return win.NilHandle, fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
 	}
@@ -256,6 +256,7 @@ func (l *winEventLogExp) openChannel(bookmark win.Bookmark) (win.EvtHandle, erro
 }
 
 func (l *winEventLogExp) Read() ([]Record, error) {
+	//nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive.
 	var records []Record
 	defer func() {
 		l.metrics.log(records)

diff --git a/winlogbeat/eventlog/wineventlog_test.go b/winlogbeat/eventlog/wineventlog_test.go
@@ -270,6 +270,7 @@ func testWindowsEventLog(t *testing.T, api string) {
 		assert.Equal(t, totalEvents, eventCount)
 	})
 
+	// Test reading .evtx file without any query filters
 	t.Run("evtx_file", func(t *testing.T) {
 		path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
 		if err != nil {
@@ -295,6 +296,34 @@ func testWindowsEventLog(t *testing.T, api string) {
 
 		assert.Len(t, records, 32)
 	})
+
+	// Test reading .evtx file with event_id filter
+	t.Run("evtx_file_with_query", func(t *testing.T) {
+		path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		log := openLog(t, map[string]interface{}{
+			"name":           path,
+			"no_more_events": "stop",
+			"event_id":       "3, 5",
+		})
+		defer log.Close()
+
+		records, err := log.Read()
+
+		// This implementation returns the EOF on the next call.
+		if err == nil && api == winEventLogAPIName {
+			_, err = log.Read()
+		}
+
+		if assert.Error(t, err, "no_more_events=stop requires io.EOF to be returned") {
+			assert.Equal(t, io.EOF, err)
+		}
+
+		assert.Len(t, records, 21)
+	})
 }
 
 // ---- Utility Functions -----