[Winlogbeat] Add support for custom XML queries

[taylor-swanson]

What does this PR do?

• Added new configuration field (xml_query) to support custom XML queries
• This new configuration item will conflict with existing simple
  query configuration items (ignore_older, event_id, level, provider)
• Validator has been updated to check for key conflicts and XML syntax,
  but does not check for correctness of XML schema.

Why is it important?

The existing filtering options for Winlogbeat don't provide enough control when trying to filter out unwanted events. A user may want to include multiple channels in the same query or filter out certain SIDs. Custom XML queries provide a very powerful mechanism for fine tuning what events should be searched.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

• A quick way to generate XML queries is to create a custom view in Event Viewer and export the XML. This can be pasted as-is into a winlogbeat config:

winlogbeat.event_logs:
  - name: dhcp-server
    xml_query: >
      <QueryList>
        <Query Id="0" Path="DhcpAdminEvents">
          <Select Path="DhcpAdminEvents">*</Select>
          <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
          <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
        </Query>
      </QueryList>

• The bookmark should be written to the registry file:

- name: microsoft-dhcp
  record_number: 10
  timestamp: 2021-12-06T20:40:54.198229Z
  bookmark: "<BookmarkList>\r\n  <Bookmark Channel='DhcpAdminEvents' RecordId='0'/>\r\n
    \ <Bookmark Channel='Microsoft-Windows-Dhcp-Server/FilterNotifications' RecordId='0'/>\r\n
    \ <Bookmark Channel='Microsoft-Windows-Dhcp-Server/Operational' RecordId='10'
    IsCurrent='true'/>\r\n</BookmarkList>"

• There should be one bookmark per channel at minimum. I believe this is being generated by Windows, so in theory it should always do the right thing here, regardless of how complicated the query becomes. The record_number at the top-level registry entry is irrelevant here, since winlogbeat will always select the bookmark value(s) first. The record_number is only used in cases where custom queries are NOT given and no bookmark was produced previously (I've never seen this occur, so I'm not sure under what circumstances this will happen).

Related issues

• Closes [Winlogbeat] XML filtering #1054

[mergify]

This pull request does not have a backport label. Could you fix it @taylor-swanson? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-12-15T15:06:26.533+0000

• Duration: 64 min 1 sec

• Commit: 4ac59de

Test stats 🧪

Test	Results
Failed	0
Passed	2161
Skipped	26
Total	2187

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[taylor-swanson]

/test

[taylor-swanson]

run elasticsearch-ci/docs

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

This part looks good. Can you please add some tests for this. We should have something added to the system tests (https://github.com/elastic/beats/blob/master/winlogbeat/tests/system/test_wineventlog.py) and I imagine there's a Go test that can be added that using xml_query. And a config validation test to check the assertions on the config.

There's a wineventlog-experimental reader that I expect needs to be updated as well. Check https://github.com/elastic/beats/blob/master/winlogbeat/eventlog/wineventlog_experimental.go#L47.

[andrewkroh]

There should be one bookmark per channel at minimum.

Per event log reader rather than "channel" is how I would describe it.

The record_number is only used in cases where custom queries are NOT given and no bookmark was produced previously (I've never seen this occur, so I'm not sure under what circumstances this will happen).

record_number is legacy. It was kept to help users migrating from an older version of the registry file that did not contain bookmark. That was a very long time ago so that field and the associated logic could be removed now.

[efd6]

I know that this is pre-existing, but is it ever likely that a user will specify a file log destination with a file scheme?

[taylor-swanson]

I'm not entirely sure, perhaps someone else can elaborate on that more (@andrewkroh ?). We do support providing a filename and reading from it, that much I do know.

[andrewkroh]

In the docs we say they need to pass an absolute path so I don't think users will pass a file URI.

To read events from an archived .evtx file you can specify the name as the absolute path (it cannot be relative) to the file.

https://www.elastic.co/guide/en/beats/winlogbeat/7.16/configuration-winlogbeat-options.html#configuration-winlogbeat-options-event_logs-name

[andrewkroh]

LGTM