[winlogbeat] Disable Winlogbeat record ID gap detection when using xml_query

[marc-gr]

Proposed commit message

Disable Winlogbeat record ID gap detection when using xml_query so filtered queries do not loop on non-contiguous record IDs.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
• I have added an entry in ./changelog/fragments using the changelog tool.

[infra-vault-gh-plugin-prod]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[github-actions]

🤖 GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
• /test : Run the Buildkite pipeline.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: ee1d734e-9d70-4114-b862-ecf976cdf2e4

📥 Commits

Reviewing files that changed from the base of the PR and between 036ecc9 and 4cf578a.

📒 Files selected for processing (3)

• changelog/fragments/1777582712-winlogbeat-xml-query-gap-detection.yaml
• winlogbeat/eventlog/wineventlog.go
• winlogbeat/eventlog/wineventlog_retry_test.go

---

📝 Walkthrough

Walkthrough

Record ID gap detection in Winlogbeat has been modified to suppress detection when custom XML queries are configured. The change updates the gap detection logic in the wineventlog processing handler and includes a corresponding unit test to verify the behavior. A changelog fragment documents this bug fix, noting that filtered XML queries can produce non-contiguous record IDs without indicating genuine gaps requiring recovery.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 6/8 reviews remaining, refill in 13 minutes and 7 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

@Mergifyio backport 9.3 9.4

[mergify]

backport 9.3 9.4

✅ Backports have been created

Details

• #50459 [9.3](backport #50443) [winlogbeat] Disable Winlogbeat record ID gap detection when using xml_query has been created for branch 9.3
• #50460 [9.4](backport #50443) [winlogbeat] Disable Winlogbeat record ID gap detection when using xml_query has been created for branch 9.4