Skip to content

fix(x-pack/winlogbeat): run ingest pipeline tests on CI #47395

Closed
andrewkroh wants to merge 5 commits into
elastic:mainfrom
andrewkroh:fix/winlogbeat/linux-pipeline-tests
Closed

fix(x-pack/winlogbeat): run ingest pipeline tests on CI #47395
andrewkroh wants to merge 5 commits into
elastic:mainfrom
andrewkroh:fix/winlogbeat/linux-pipeline-tests

Conversation

@andrewkroh

@andrewkroh andrewkroh commented Oct 29, 2025

Copy link
Copy Markdown
Member

Reviewer note: First commit contains code changes. Second commit is the generated golden file changes.

Proposed commit message

At some point the CI tests for the ingest pipeline in Winlogbeat stopped
being tested on CI because there was no linux host running the unit tests.
The unit tests for the ingest pipelines require Docker for running Elasticsearch.

This adds a new Buildkite step for x-pack/winlogbeat.
It fixes the tests that were broken.
It removes the request body from an eslegclient debug statement that was very
noisy, and in some cases extremely lengthy.
It removes the deprecated 'version' from the docker-compose.yaml file used to run ES.

The pipelines were mostly fine because they have been copied from elastic/integrations
where they are independently tested.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

At some point the CI tests for the ingest pipeline in Winlogbeat stopped
being tested on CI because there was no linux host running the unit tests.
The unit tests for the pipeline tests require Docker for running Elasticsearch.

This adds a new Buildkite step for x-pack/winlogbeat.
It fixes the tests there broken.
It removes the request body from an eslegclient debug statement that was very
noisy, and in some cases extremely lengthy.
It removes the deprecated 'version' from the docker-compose.yaml file used to run ES.

The pipelines were mostly fine because they have been copied from elastic/integrations
where they are independently testing.
[git-generate]
go -C ./x-pack/winlogbeat/module/security test ./... -v -update
go -C ./x-pack/winlogbeat/module/sysmon test ./... -v -update
go -C ./x-pack/winlogbeat/module/powershell test ./... -v -update
@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 29, 2025
@github-actions

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify

mergify Bot commented Oct 29, 2025

Copy link
Copy Markdown
Contributor

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @andrewkroh? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@andrewkroh andrewkroh added the Team:Security-Windows Platform Windows Platform Team in Security Solution label Oct 29, 2025
@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 29, 2025
@andrewkroh andrewkroh added Winlogbeat ci needs_team Indicates that the issue/PR needs a Team:* label labels Oct 29, 2025
@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 29, 2025
@botelastic

botelastic Bot commented Oct 29, 2025

Copy link
Copy Markdown

This pull request doesn't have a Team:<team> label.

@github-actions

github-actions Bot commented Oct 29, 2025

Copy link
Copy Markdown
Contributor

🔍 Preview links for changed docs

@andrewkroh andrewkroh marked this pull request as ready for review October 29, 2025 23:55
@andrewkroh andrewkroh requested review from a team as code owners October 29, 2025 23:55
@elasticmachine

Copy link
Copy Markdown
Contributor

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@andrewkroh andrewkroh added backport-skip Skip notification from the automated backport with mergify skip-changelog labels Oct 30, 2025
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Oct 30, 2025
@elasticmachine

Copy link
Copy Markdown
Contributor

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@colleenmcginnis colleenmcginnis left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docs change looks okay.

@leehinman leehinman left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. One question with SidList but it isn't blocking.

"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"SidList": [
"",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this expected in the SidList?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, but the intention is for the "standard" pipeline to match what's in the Fleet integration at https://github.com/elastic/integrations/blob/80b968725f9c769f86522c69a9cdc52a30d9e231/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml.

And currently this is how the windows.forwarded pipeline is behaving as per https://github.com/elastic/integrations/pull/15797/files#diff-a31adecc2e9c3b480a32c5672cf718fe6d4777d94c8939c1d52d16953a0c6a2aR42

However, also as identified in my integrations PR, the system.security pipeline does not have this problem. The solution will be to get Fleet's system and windows pipelines synced up by using the file reference feature and then sync beats. https://github.com/elastic/integrations/pull/15797/files#r2474625479 🤯

@pierrehilbert

Copy link
Copy Markdown
Contributor

@nfritts Your review is needed here :-)

@pierrehilbert

Copy link
Copy Markdown
Contributor

@nfritts we still need your approval here

@pierrehilbert pierrehilbert requested a review from nfritts December 8, 2025 08:01
@mergify

mergify Bot commented Feb 10, 2026

Copy link
Copy Markdown
Contributor

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fix/winlogbeat/linux-pipeline-tests upstream/fix/winlogbeat/linux-pipeline-tests
git merge upstream/main
git push upstream fix/winlogbeat/linux-pipeline-tests

@github-actions

github-actions Bot commented Feb 20, 2026

Copy link
Copy Markdown
Contributor

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates Winlogbeat to ECS 8.17.0 across all test fixtures, adds a powershell.file.script_block_hash field, refactors security ingest pipelines for improved Kerberos and SID handling, extends test infrastructure for the new security_standard pipeline, and adds a mandatory Linux unit test to the build pipeline.

Suggested labels

Team:Security-Linux Platform, enhancement

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • 🛠️ Update Documentation

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
x-pack/winlogbeat/module/wintest/simulate.go (1)

137-157: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Per-document simulate failures are now silently ignored by the existing checks.

Lines 138-140 append the raw Elasticsearch simulate error object, but downstream validation still calls wintest.ErrorMessage, which only recognizes processed events carrying error.message (see x-pack/winlogbeat/module/testing.go Lines 159-162 and x-pack/winlogbeat/module/wintest/simulate_test.go Lines 153-156). A simulate failure returned as {"type": "...", "reason": "..."} will therefore normalize successfully and be treated as a passing event. Please either convert per-doc simulate errors into the same error.message shape the rest of the harness expects, or teach ErrorMessage to parse Elasticsearch simulate error objects too.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@x-pack/winlogbeat/module/wintest/simulate.go` around lines 137 - 157, The
per-document simulate failures (pipelineIngestedDocument.Error) are being
appended as raw ES error objects so downstream ErrorMessage doesn't recognize
them; change the loop in simulate.go that iterates response.Docs to, when
doc.Error != nil, convert the raw ES error into the harness-expected shape (an
object with error.message) before appending to events (e.g. build an event where
"error": {"message": "<type>: <reason>" or use the raw error JSON merged into
"error.message"}), keeping the rest of the logic the same; reference
simulatePipelineResponse, pipelineIngestedDocument, and ErrorMessage to ensure
the produced shape matches what ErrorMessage expects.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.buildkite/x-pack/pipeline.xpack.winlogbeat.yml:
- Line 95: The pipeline references an undeclared env var
GCP_DEFAULT_MACHINE_TYPE; fix by declaring GCP_DEFAULT_MACHINE_TYPE in the env
section (set it to the desired machine type) or update the step to use an
existing env var such as GCP_WIN_MACHINE_TYPE or GCP_HI_PERF_MACHINE_TYPE so the
step uses a defined variable; ensure the change touches the env block and the
step that currently uses GCP_DEFAULT_MACHINE_TYPE.

---

Outside diff comments:
In `@x-pack/winlogbeat/module/wintest/simulate.go`:
- Around line 137-157: The per-document simulate failures
(pipelineIngestedDocument.Error) are being appended as raw ES error objects so
downstream ErrorMessage doesn't recognize them; change the loop in simulate.go
that iterates response.Docs to, when doc.Error != nil, convert the raw ES error
into the harness-expected shape (an object with error.message) before appending
to events (e.g. build an event where "error": {"message": "<type>: <reason>" or
use the raw error JSON merged into "error.message"}), keeping the rest of the
logic the same; reference simulatePipelineResponse, pipelineIngestedDocument,
and ErrorMessage to ensure the produced shape matches what ErrorMessage expects.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 574ae3ed-3eeb-4479-a415-31b7e48ab208

📥 Commits

Reviewing files that changed from the base of the PR and between 1ffa325 and 0fbcc21.

📒 Files selected for processing (126)
  • .buildkite/x-pack/pipeline.xpack.winlogbeat.yml
  • docs/reference/winlogbeat/exported-fields-powershell.md
  • libbeat/esleg/eslegclient/connection.go
  • x-pack/winlogbeat/module/.gitignore
  • x-pack/winlogbeat/module/powershell/_meta/fields.yml
  • x-pack/winlogbeat/module/powershell/fields.go
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/4104.golden.json
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/4105.golden.json
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/4106.golden.json
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/600.golden.json
  • x-pack/winlogbeat/module/powershell/test/testdata/ingest/800.golden.json
  • x-pack/winlogbeat/module/security/ingest/security.yml
  • x-pack/winlogbeat/module/security/ingest/security_standard.yml
  • x-pack/winlogbeat/module/security/test/testdata/ingest/1100.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/1102.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/1104.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/1105.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4670_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4748.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4749.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4750.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4751.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4752.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4753.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4759.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4760.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4761.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4762.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4763.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4778.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4779.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4797.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4817_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4902_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4904_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4905_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4906_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4907_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4908_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/5379.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/5380.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/5381.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/5382.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4673.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4674.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4697.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4698.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4699.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4700.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4701.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4702.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4768.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4769.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4770.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4771.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4776.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4778.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012_4779.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2012r2-logon.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-4672.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016-logoff.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4720_Account_Created.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4722_Account_Enabled.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4723_Password_Change.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4724_Password_Reset.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4725_Account_Disabled.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4726_Account_Deleted.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4727.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4728.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4729.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4730.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4731.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4732.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4733.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4734.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4735.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4737.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4738_Account_Changed.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4740_Account_Locked_Out.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4754.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4755.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4756.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4757.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4758.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4764.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4767_Account_Unlocked.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4781_Account_Renamed.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4798.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4799.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2016_4964.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4689_Process_Exited.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json
  • x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json
  • x-pack/winlogbeat/module/testing.go
  • x-pack/winlogbeat/module/wintest/docker.go
  • x-pack/winlogbeat/module/wintest/docker_test.go
  • x-pack/winlogbeat/module/wintest/simulate.go
  • x-pack/winlogbeat/module/wintest/simulate_test.go
👮 Files not reviewed due to content moderation or server errors (16)
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4706_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4707_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4713_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4716_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4717_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4718_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4719.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4719_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4739_WindowsSrv2016.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4741.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4742.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4743.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4744.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4745.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4746.golden.json
  • x-pack/winlogbeat/module/security/test/testdata/ingest/4747.golden.json

agents:
provider: "gcp"
image: "${IMAGE_UBUNTU_X86_64}"
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Undefined variable: GCP_DEFAULT_MACHINE_TYPE is not defined in the env section.

This variable is referenced but not declared (lines 4-28 define GCP_WIN_MACHINE_TYPE and GCP_HI_PERF_MACHINE_TYPE but not GCP_DEFAULT_MACHINE_TYPE). The step will fail or use unexpected defaults.

Suggested fix

Add to env section:

  GCP_WIN_MACHINE_TYPE: "n2-standard-8"
  GCP_HI_PERF_MACHINE_TYPE: "c2d-highcpu-16"
+ GCP_DEFAULT_MACHINE_TYPE: "n2-standard-8"

Or use an existing variable:

-        machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
+        machineType: "${GCP_WIN_MACHINE_TYPE}"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
machineType: "${GCP_WIN_MACHINE_TYPE}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.buildkite/x-pack/pipeline.xpack.winlogbeat.yml at line 95, The pipeline
references an undeclared env var GCP_DEFAULT_MACHINE_TYPE; fix by declaring
GCP_DEFAULT_MACHINE_TYPE in the env section (set it to the desired machine type)
or update the step to use an existing env var such as GCP_WIN_MACHINE_TYPE or
GCP_HI_PERF_MACHINE_TYPE so the step uses a defined variable; ensure the change
touches the env block and the step that currently uses GCP_DEFAULT_MACHINE_TYPE.

@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

TL;DR

The failing Buildkite step is a security ingest golden mismatch: the pipeline now emits process.args_count for event 4688, but the expected golden for security-windows2019_4688_Process_Created does not include it. Update/regenerate the affected ingest golden(s) and re-run the x-pack winlogbeat unit test step.

Remediation

  • Regenerate/update the security ingest golden data so process.args_count is present for 4688 process-creation events (at minimum x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json).
  • Re-run:
    • cd x-pack/winlogbeat && go test ./module/security/test -run TestSecurityIngest -update
    • cd x-pack/winlogbeat && mage unitTest
Investigation details

Root Cause

TestSecurityIngest compares simulated ingest output to checked-in goldens (x-pack/winlogbeat/module/security/test/security_ingest_test.go:27, comparison in x-pack/winlogbeat/module/testing.go:192-203).

The security ingest pipeline explicitly adds process.args_count when CommandLine is parsed (x-pack/winlogbeat/module/security/ingest/security_standard.yml:3695-3723, especially ctx.process.put("args_count", al.size()); at line 3722).

But the expected fixture for the failing case lacks this field (x-pack/winlogbeat/module/security/test/testdata/ingest/security-windows2019_4688_Process_Created.golden.json:28-43 shows process.args and process.command_line but no process.args_count).

Evidence

  • Build: https://buildkite.com/elastic/beats/builds/47203
  • Job/step: :ubuntu: x-pack/winlogbeat: Ubuntu x86_64 Unit Tests
  • Key log excerpt:
    • === FAIL: ... TestSecurityIngest/security-windows2019_4688_Process_Created.evtx.golden.json
    • Diff includes:
      • + "args_count": 3,
      • next line: "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security",

Verification

  • Not run in this environment (ingest test harness requires Docker/Elasticsearch; local runner here does not support Docker-in-Docker).

Follow-up

If additional 4688 or command-line cases were regenerated in a prior commit, re-run TestSecurityIngest -update across all security fixtures to avoid partial golden drift.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@andrewkroh

Copy link
Copy Markdown
Member Author

This problem is being taken up in #51913.

The PR never received the necessary code owner reviews and is very stale so closing.

@andrewkroh andrewkroh closed this Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport-skip Skip notification from the automated backport with mergify ci skip-changelog Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team Team:Security-Windows Platform Windows Platform Team in Security Solution Winlogbeat

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants