[7.17](backport #36173) [Winlogbeat] Add missing query while reading …

….evtx file (#36255)

* [Winlogbeat] Add missing query while reading .evtx file (#36173)

* Add missing query for evtx processing

* update pr num

* update changelog

* Add test

* fix CI

* add eventID as string

* update query

* fix expected in test

* fix golangci-lint

* Address PR comment

* Add nolint:prealloc directives

(cherry picked from commit 1fe462c)

# Conflicts:
#	winlogbeat/eventlog/wineventlog.go
#	winlogbeat/eventlog/wineventlog_experimental.go

* add query to evtx file open

* remove unnecessary change log

---------

Co-authored-by: Krishna Chaitanya Reddy Burri <[email protected]>
Co-authored-by: kcreddy <[email protected]>

CHANGELOG.next.asciidoc

@@ -23,6 +23,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
+- Fix the ability to use filtering features (e.g. `ignore_older`, `event_id`, `provider`, `level`) while reading `.evtx` files. {issue}16826[16826] {pull}36173[36173]
+
 *Functionbeat*
 
 ==== Bugfixes

winlogbeat/eventlog/wineventlog.go

@@ -279,7 +279,7 @@ func (l *winEventLog) openChannel(bookmark win.EvtHandle) error {
 func (l *winEventLog) openFile(state checkpoint.EventLogState, bookmark win.EvtHandle) error {
 	path := l.channelName
 
-	h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+	h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 	if err != nil {
 		return fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
 	}

winlogbeat/eventlog/wineventlog_experimental.go

@@ -152,7 +152,7 @@ func (l *winEventLogExp) openChannel(bookmark win.Bookmark) (win.EvtHandle, erro
 func (l *winEventLogExp) openFile(state checkpoint.EventLogState, bookmark win.Bookmark) (win.EvtHandle, error) {
 	path := l.channelName
 
-	h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)
+	h, err := win.EvtQuery(0, path, l.query, win.EvtQueryFilePath|win.EvtQueryForwardDirection)
 	if err != nil {
 		return win.NilHandle, fmt.Errorf("failed to get handle to event log file %v: %w", path, err)
 	}
@@ -187,7 +187,7 @@ func (l *winEventLogExp) openFile(state checkpoint.EventLogState, bookmark win.B
 }
 
 func (l *winEventLogExp) Read() ([]Record, error) {
-	var records []Record
+	var records []Record //nolint:prealloc // Avoid unnecessary preallocation for each reader every second when event log is inactive.
 
 	for h, ok := l.iterator.Next(); ok; h, ok = l.iterator.Next() {
 		record, err := l.processHandle(h)

winlogbeat/eventlog/wineventlog_test.go

@@ -276,6 +276,7 @@ func testWindowsEventLog(t *testing.T, api string) {
 		assert.Equal(t, totalEvents, eventCount)
 	})
 
+	// Test reading .evtx file without any query filters
 	t.Run("evtx_file", func(t *testing.T) {
 		path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
 		if err != nil {
@@ -301,6 +302,34 @@ func testWindowsEventLog(t *testing.T, api string) {
 
 		assert.Len(t, records, 32)
 	})
+
+	// Test reading .evtx file with event_id filter
+	t.Run("evtx_file_with_query", func(t *testing.T) {
+		path, err := filepath.Abs("../sys/wineventlog/testdata/sysmon-9.01.evtx")
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		log := openLog(t, map[string]interface{}{
+			"name":           path,
+			"no_more_events": "stop",
+			"event_id":       "3, 5",
+		})
+		defer log.Close()
+
+		records, err := log.Read()
+
+		// This implementation returns the EOF on the next call.
+		if err == nil && api == winEventLogAPIName {
+			_, err = log.Read()
+		}
+
+		if assert.Error(t, err, "no_more_events=stop requires io.EOF to be returned") {
+			assert.Equal(t, io.EOF, err)
+		}
+
+		assert.Len(t, records, 21)
+	})
 }
 
 // ---- Utility Functions -----