[Winlogbeat] Filter parameters don't work with .evtx files

[andrewkroh]

None of the event log filtering config options work with .evtx files. This includes ignore_older, event_id, level, and provider.

For confirmed bugs, please report:

• Version: 7.6.0

The causes is that the generated XML query is not passed into the API call opening the evtx file at

beats/winlogbeat/eventlog/wineventlog.go

Line 200 in 57ee56e

h, err := win.EvtQuery(0, path, "", win.EvtQueryFilePath|win.EvtQueryForwardDirection)

One special thing to note is that a file URI must be used in the XML (discovered this last week when using querys with evtx files for testing). The current code does not do this automatically. For example the XML will need to use file://C:\some\file.evtx for it's Log value.

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.