
@andrewkroh (Member) commented Oct 29, 2025

Reviewer note: First commit contains code changes. Second commit is the generated golden file changes.

Proposed commit message

At some point the CI tests for the ingest pipeline in Winlogbeat stopped
being tested on CI because there was no Linux host running the unit tests.
The unit tests for the ingest pipelines require Docker for running Elasticsearch.

This adds a new Buildkite step for x-pack/winlogbeat.
It fixes the tests that were broken.
It removes the request body from an eslegclient debug statement that was very
noisy, and in some cases extremely lengthy.
It removes the deprecated 'version' from the docker-compose.yaml file used to run ES.

The pipelines were mostly fine because they have been copied from elastic/integrations
where they are independently tested.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
  • I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

At some point the CI tests for the ingest pipeline in Winlogbeat stopped
being tested on CI because there was no Linux host running the unit tests.
The unit tests for the pipeline tests require Docker for running Elasticsearch.

This adds a new Buildkite step for x-pack/winlogbeat.
It fixes the tests that were broken.
It removes the request body from an eslegclient debug statement that was very
noisy, and in some cases extremely lengthy.
It removes the deprecated 'version' from the docker-compose.yaml file used to run ES.

The pipelines were mostly fine because they have been copied from elastic/integrations
where they are independently tested.
[git-generate]
go -C ./x-pack/winlogbeat/module/security test ./... -v -update
go -C ./x-pack/winlogbeat/module/sysmon test ./... -v -update
go -C ./x-pack/winlogbeat/module/powershell test ./... -v -update
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 29, 2025
@github-actions (Contributor) commented:

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify (Contributor) mergify bot commented Oct 29, 2025

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @andrewkroh? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@andrewkroh andrewkroh added the Team:Security-Windows Platform Windows Platform Team in Security Solution label Oct 29, 2025
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 29, 2025
@andrewkroh andrewkroh added Winlogbeat ci needs_team Indicates that the issue/PR needs a Team:* label labels Oct 29, 2025
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 29, 2025
@botelastic botelastic bot commented Oct 29, 2025

This pull request doesn't have a Team:<team> label.

@github-actions (Contributor) commented:

🔍 Preview links for changed docs

@andrewkroh andrewkroh marked this pull request as ready for review October 29, 2025 23:55
@andrewkroh andrewkroh requested review from a team as code owners October 29, 2025 23:55
@elasticmachine (Collaborator) commented:

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@andrewkroh andrewkroh added backport-skip Skip notification from the automated backport with mergify skip-changelog labels Oct 30, 2025
@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Oct 30, 2025
@elasticmachine (Collaborator) commented:

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@colleenmcginnis (Contributor) left a comment

Docs change looks okay.

@leehinman (Contributor) left a comment

LGTM. One question with SidList but it isn't blocking.

"computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
"event_data": {
"SidList": [
"",
Contributor comment on the lines above:

Is this expected in the SidList?

Member Author reply:

No, but the intention is for the "standard" pipeline to match what's in the Fleet integration at https://github.com/elastic/integrations/blob/80b968725f9c769f86522c69a9cdc52a30d9e231/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml.

And currently this is how the windows.forwarded pipeline is behaving as per https://github.com/elastic/integrations/pull/15797/files#diff-a31adecc2e9c3b480a32c5672cf718fe6d4777d94c8939c1d52d16953a0c6a2aR42

However, also as identified in my integrations PR, the system.security pipeline does not have this problem. The solution will be to get Fleet's system and windows pipelines synced up by using the file reference feature and then sync beats. https://github.com/elastic/integrations/pull/15797/files#r2474625479 🤯
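The `-update` flag in the [git-generate] commands above and the empty `SidList` entry questioned in the review thread both concern the same mechanism: golden-file tests that record ingest pipeline output and compare later runs against it. The block below is an added example written for this page, not code from Beats or the integrations repository. It assumes hypothetical names (`checkGolden`, `emptySidListEntries`, a `testdata/sample-event.golden.json` path) and a constructed sample event shaped like the quoted excerpt; the `-update` flag it defines mirrors the one in the commands above but is this example's own.

```go
package main

import (
	"bytes"
	"encoding/json"
	"flag"
	"fmt"
	"os"
	"path/filepath"
)

// update mirrors the -update flag passed in the [git-generate] commands above:
// when set, golden files are rewritten instead of compared.
var update = flag.Bool("update", false, "rewrite golden files instead of comparing")

// checkGolden compares got against the golden file at path. When doUpdate is
// true the file is (re)written and the result is reported as matching, so a
// regeneration run never fails on stale expectations. Returns (matched, error);
// a missing golden file without -update is an error, not a silent mismatch.
func checkGolden(path string, got []byte, doUpdate bool) (bool, error) {
	if doUpdate {
		if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
			return false, err
		}
		return true, os.WriteFile(path, got, 0o644)
	}
	want, err := os.ReadFile(path)
	if err != nil {
		return false, fmt.Errorf("golden file missing (run with -update to create it): %w", err)
	}
	return bytes.Equal(bytes.TrimSpace(want), bytes.TrimSpace(got)), nil
}

// emptySidListEntries counts "" entries in event_data.SidList of one
// pipeline-output event, the condition questioned in the review above.
// An event without a SidList field yields 0; a SidList that is not a list of
// strings is a decode error.
func emptySidListEntries(event []byte) (int, error) {
	var doc struct {
		EventData struct {
			SidList []string `json:"SidList"`
		} `json:"event_data"`
	}
	if err := json.Unmarshal(event, &doc); err != nil {
		return 0, fmt.Errorf("decoding event: %w", err)
	}
	n := 0
	for _, s := range doc.EventData.SidList {
		if s == "" {
			n++
		}
	}
	return n, nil
}

func main() {
	flag.Parse()

	// Constructed sample event (not real pipeline output) shaped like the
	// golden-file excerpt quoted in the review: SidList carries an empty entry.
	got := []byte(`{"computer_name":"WIN-BVM4LI1L1Q6.TEST.local","event_data":{"SidList":["","S-1-5-18"]}}`)

	// Hypothetical golden file location; Beats keeps its own layout.
	golden := filepath.Join("testdata", "sample-event.golden.json")
	ok, err := checkGolden(golden, got, *update)
	if err != nil {
		fmt.Println("golden check error:", err)
		os.Exit(1)
	}
	fmt.Println("golden match:", ok)

	n, err := emptySidListEntries(got)
	if err != nil {
		fmt.Println("decode error:", err)
		os.Exit(1)
	}
	if n > 0 {
		fmt.Printf("warning: %d empty SidList entries in pipeline output\n", n)
	}
}
```

Run it once with `-update` to write the golden file, then without the flag to compare. Reporting a match on an update run is deliberate: regeneration is meant to refresh expectations, and the resulting diff in version control is what a reviewer inspects, which is exactly how the empty `SidList` entry surfaced here.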
