Skip to content

x-pack/winlogbeat/module: fix and enable ingest pipeline tests#51913

Open
efd6 wants to merge 1 commit into
elastic:mainfrom
efd6:windows_module_tests
Open

x-pack/winlogbeat/module: fix and enable ingest pipeline tests#51913
efd6 wants to merge 1 commit into
elastic:mainfrom
efd6:windows_module_tests

Conversation

@efd6

@efd6 efd6 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

x-pack/winlogbeat/module: fix and enable ingest pipeline tests

The module ingest pipeline tests (security, sysmon, powershell) were
never run in CI. The test files are tagged //go:build !windows but
all CI steps ran on Windows agents, so the tests were structurally
excluded. This resulted in several issues accumulating undetected:

- Pipeline count assertions were stale (5 pipelines, but
  security_standard was added as a 6th).
- The ECS version in golden files drifted from 1.12.0 to 8.17.0.
- The splitSidList Painless function in security_standard.yml used
  splitOnToken which returns a String[] incompatible with ES 9.x
  document context, causing event 4908 to fail with
  illegal_argument_exception.
- The powershell.file.script_block_hash field produced by the
  fingerprint processor was undocumented in fields.yml.

Fix the pipeline script to split on \s+ with regex and store results
as ArrayList. Add the missing field definition. Update test assertions
and regenerate golden files against the current ES. Add a Linux CI
step to the x-pack/winlogbeat Buildkite pipeline so these tests
run on every build.

Assisted-By: Cursor

Note

Not user-facing, so no changelog entry.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

@efd6 efd6 self-assigned this Jul 14, 2026
@efd6 efd6 added Winlogbeat backport-skip Skip notification from the automated backport with mergify bugfix skip-changelog labels Jul 14, 2026
@botelastic botelastic Bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2026
@github-actions

Copy link
Copy Markdown
Contributor

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /test : Run the Buildkite pipeline.

@efd6 efd6 added Team:Security-Service Integrations Security Service Integrations Team Team:Security-Windows Platform Windows Platform Team in Security Solution labels Jul 14, 2026
@botelastic botelastic Bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 14, 2026
@efd6 efd6 force-pushed the windows_module_tests branch from b9acf9b to 7763b54 Compare July 14, 2026 04:14
@github-actions

This comment has been minimized.

@efd6 efd6 force-pushed the windows_module_tests branch from 7763b54 to 8a68e39 Compare July 14, 2026 04:38
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🔍 Preview links for changed docs

@github-actions

Copy link
Copy Markdown
Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions

Copy link
Copy Markdown
Contributor

TL;DR

The Linux x-pack/winlogbeat: Module Ingest Tests job is a completed test failure, not an infrastructure timeout: the runner reports DONE 125 tests, 4 failures in 395.319s and exits with status 1. The supplied Buildkite log is truncated before the individual failing test names, assertion diffs, and ingest errors, so a source-level root cause cannot be identified defensibly from the available evidence.

Remediation

  • Re-run the job with the complete test output, or attach/read x-pack/winlogbeat/build/TEST-go-unit.xml and TEST-go-unit.out.json from the failed build artifacts.
  • Capture the four failing test case names and their assertion or Elasticsearch simulate errors; those details are required to map the failures to the changed fixtures or security_standard.yml.
  • After applying the targeted fix, rerun cd x-pack/winlogbeat && mage build goUnitTest.
Investigation details

Root Cause

Inconclusive from the prefetched log. The job completed 125 tests and recorded four failures, but the available log ends with a serialized ingest-pipeline dump and the aggregate result. It does not include the failing subtest names, expected-versus-actual diffs, or pipeline execution errors needed to trace the failure to a changed source file.

Evidence

Verification

Not run locally. These ingest tests require the test Elasticsearch container and the missing failing-case details would still be needed to validate a specific fix.

Follow-up

Please provide the full test-collector output or the uploaded JUnit/JSON artifacts before making a source change; diagnosing from the aggregate count would risk attributing the failure to the wrong PR change.


What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

The module ingest pipeline tests (security, sysmon, powershell) were
never run in CI. The test files are tagged //go:build !windows but
all CI steps ran on Windows agents, so the tests were structurally
excluded. This resulted in several issues accumulating undetected:

- Pipeline count assertions were stale (5 pipelines, but
  security_standard was added as a 6th).
- The ECS version in golden files drifted from 1.12.0 to 8.17.0.
- The splitSidList Painless function in security_standard.yml used
  splitOnToken which returns a String[] incompatible with ES 9.x
  document context, causing event 4908 to fail with
  illegal_argument_exception.
- The powershell.file.script_block_hash field produced by the
  fingerprint processor was undocumented in fields.yml.

Fix the pipeline script to split on \s+ with regex and store results
as ArrayList. Add the missing field definition. Update test assertions
and regenerate golden files against the current ES. Add a Linux CI
step to the x-pack/winlogbeat Buildkite pipeline so these tests
run on every build.

Assisted-By: Cursor
@efd6 efd6 force-pushed the windows_module_tests branch from 8a68e39 to 0c8cb76 Compare July 14, 2026 05:27
@efd6 efd6 marked this pull request as ready for review July 14, 2026 06:09
@efd6 efd6 requested review from a team as code owners July 14, 2026 06:09
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@andrewkroh andrewkroh left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. :shipit:

The PR I mentioned when we were talking is #47395. I don't remember exactly what I was debugging but when I was looking at this so long ago, but I added error checking on the simulate pipeline API response in pipelineIngestedDocument of x-pack/winlogbeat/module/wintest/simulate.go (probably for when the Painless is bad and a pipeline won't even load). Just mentioning it in case it helps debugging failures.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport-skip Skip notification from the automated backport with mergify bugfix skip-changelog Team:Security-Service Integrations Security Service Integrations Team Team:Security-Windows Platform Windows Platform Team in Security Solution Winlogbeat

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants