winlogbeat: replace Python system tests with Go testscript tests#49012
Draft
andrewkroh wants to merge 2 commits intoelastic:mainfrom
Draft
winlogbeat: replace Python system tests with Go testscript tests#49012andrewkroh wants to merge 2 commits intoelastic:mainfrom
andrewkroh wants to merge 2 commits intoelastic:mainfrom
Conversation
andrewkroh
added
Winlogbeat
backport-skip
botelastic
bot
added
the
needs_team
Contributor
🤖 GitHub commentsJust comment with:
|
andrewkroh
force-pushed
the
winlogbeat/feat/replace-python-tests
branch
3 times, most recently
from
a851dbf to
6e8efe9
Compare
andrewkroh
added
the
Team:Security-Windows Platform
botelastic
bot
removed
the
needs_team
andrewkroh
force-pushed
the
winlogbeat/feat/replace-python-tests
branch
4 times, most recently
from
d6ff03a to
c43682c
Compare
Delete the Python-based system test suite (tests/system/) and replace it with pure Go tests using rogpeppe/go-internal/testscript. There is no more Python in Winlogbeat's test infrastructure. The new test suite lives in winlogbeat/tests/testscript/ with txtar scripts organized into subdirectories: export/ (cross-platform), config/ (Windows), eventlog/ (Windows), and evtx/ (Windows). Each subdirectory runs as a subtest for targeted execution. Test commands implemented for txtar scripts: - write-event, write-multiline-event, clear-event-log: event log setup - check-event-count, check-event-field, check-event-field-exists, check-event-field-absent, check-event-field-contains: assertions - wait-for-event-count: polling for async event delivery - envsubst, sleep: utilities The write-event command defaults to the current process user's SID, matching the Python write_event_log() behavior, so that user identity fields (winlog.user.*) are present in events and testable. While developing these tests, we identified and fixed a bug in runner.go where io.EOF from no_more_events: stop was checked after the backoff handler rather than before it. Since IsRecoverable() returns true for io.EOF, this caused infinite retries and silently dropped the final batch of events returned alongside the EOF. This turned out to be the same issue reported in elastic#47388. An evtx test (read_all_events.txtar) reads sysmon-9.01.evtx with batch_read_size=5, forcing 7 Read() calls where the final call returns 2 records with io.EOF, proving the fix end-to-end. Additional changes: - Remove Python mage targets from winlogbeat and x-pack/winlogbeat - Simplify make.bat to use 'go run' for mage - Remove TestSystem from main_test.go Fixes elastic#47388
andrewkroh
force-pushed
the
winlogbeat/feat/replace-python-tests
branch
from
c43682c to
36516b9
Compare
On busy CI agents (observed on Windows 2019), events written by ReportEvent may not be immediately visible to event log readers. If winlogbeat starts before the events are committed, it sees an empty channel, triggers no_more_events: stop, and exits with 0 events — causing spurious test failures. Add a wait-for-event-log command that polls the Windows event log via EvtQuery until the expected number of events are visible. Insert it between write-event and exec winlogbeat in all eventlog tests. Also add explanations to all //nolint:errcheck directives to satisfy the nolintlint linter.
andrewkroh
force-pushed
the
winlogbeat/feat/replace-python-tests
branch
from
36516b9 to
dea09cd
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Checklist
stresstest.shscript to run them under stress conditions and race detector to verify their stability../changelog/fragmentsusing the changelog tool.How to test this PR locally
Related issues