fix(x-pack/winlogbeat): run ingest pipeline tests on CI

.buildkite/x-pack/pipeline.xpack.winlogbeat.yml

@@ -5,15 +5,17 @@ env:
   AWS_ARM_INSTANCE_TYPE: "m6g.xlarge"
   AWS_IMAGE_UBUNTU_ARM_64: "platform-ingest-beats-ubuntu-2204-aarch64"
 
+  GCP_DEFAULT_MACHINE_TYPE: "c2d-highcpu-8"
+  GCP_HI_PERF_MACHINE_TYPE: "c2d-highcpu-16"
+  GCP_WIN_MACHINE_TYPE: "n2-standard-8"
+
   IMAGE_UBUNTU_X86_64: "family/platform-ingest-beats-ubuntu-2204"
   IMAGE_WIN_10: "family/platform-ingest-beats-windows-10"
   IMAGE_WIN_11: "family/platform-ingest-beats-windows-11"
   IMAGE_WIN_2016: "family/platform-ingest-beats-windows-2016"
   IMAGE_WIN_2019: "family/platform-ingest-beats-windows-2019"
   IMAGE_WIN_2022: "family/platform-ingest-beats-windows-2022"
   IMAGE_WIN_2025: "family/platform-ingest-beats-windows-2025"
-  GCP_WIN_MACHINE_TYPE: "n2-standard-8"
-  GCP_HI_PERF_MACHINE_TYPE: "c2d-highcpu-16"
 
   IMAGE_BEATS_WITH_HOOKS_LATEST: "docker.elastic.co/ci-agent-images/platform-ingest/buildkite-agent-beats-ci-with-hooks:latest"
 
@@ -66,6 +68,32 @@ steps:
     key: "x-pack-winlogbeat-mandatory-tests"
 
     steps:
+      # Linux is required to execute ingest pipeline tests with dockerized Elasticsearch.
+      - label: ":ubuntu: x-pack/winlogbeat: Ubuntu x86_64 Unit Tests"
+        key: "mandatory-linux-unit-tests"
+        command: |
+          cd x-pack/winlogbeat
+          mage build unitTest
+        retry:
+          automatic:
+            - limit: 1
+        agents:
+          provider: "gcp"
+          image: "${IMAGE_UBUNTU_X86_64}"
+          machineType: "${GCP_DEFAULT_MACHINE_TYPE}"
+        artifact_paths:
+          - "x-pack/winlogbeat/build/*.xml"
+          - "x-pack/winlogbeat/build/*.json"
+        plugins:
+          - test-collector#v1.10.2:
+              files: "x-pack/winlogbeat/build/TEST-*.xml"
+              format: "junit"
+              branches: "main"
+              debug: true
+        notify:
+          - github.amrom.workers.devmit_status:
+              context: "x-pack/winlogbeat: Ubuntu x86_64 Unit Tests"
+
       - label: ":windows: x-pack/winlogbeat Win 2019 Unit Tests"
         key: "mandatory-win-2019-unit-tests"
         command: |

docs/reference/winlogbeat/exported-fields-powershell.md

@@ -177,6 +177,12 @@ Data related to the PowerShell engine.
 
 Data related to the executed script file.
 
+**`powershell.file.script_block_hash`**
+:   A hash of the script to be used in rules.
+
+    type: keyword
+
+
 **`powershell.file.script_block_id`**
 :   Id of the executed script block.
 

libbeat/esleg/eslegclient/connection.go

@@ -378,7 +378,7 @@
 ) (int, []byte, error) {
 
 	url := addToURL(conn.URL, path, pipeline, params)
-	conn.log.Debugf("%s %s %s %v", method, url, pipeline, body)
+	conn.log.Debugf("%s %s %s", method, url, pipeline)
 
 	return conn.RequestURL(method, url, body)
 }
@@ -444,7 +444,7 @@
 		conn.version = *v
 	}
 
 	if versionData.Version.BuildFlavor == "serverless" {
 		conn.log.Info("build flavor of es is serverless, marking connection as serverless")
 		conn.isServerless = true
 	} else if versionData.Version.BuildFlavor == "default" {

x-pack/winlogbeat/module/.gitignore

@@ -1 +1,2 @@
 build
+docker-compose.yaml

x-pack/winlogbeat/module/powershell/_meta/fields.yml

@@ -120,6 +120,10 @@
       type: group
       description: Data related to the executed script file.
       fields:
+        - name: script_block_hash
+          type: keyword
+          description: A hash of the script to be used in rules.
+
         - name: script_block_id
           type: keyword
           description: Id of the executed script block.

x-pack/winlogbeat/module/powershell/test/testdata/ingest/400.golden.json

@@ -2,18 +2,22 @@
   {
     "@timestamp": "2020-05-14T07:00:30.8914235Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "400",
-      "ingested": "2025-01-15T10:02:22.041691914Z",
+      "ingested": "2025-10-29T18:18:28.904269377Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 13,
-      "type": "start"
+      "type": [
+        "start"
+      ]
     },
     "host": {
       "name": "vagrant",
@@ -62,18 +66,22 @@
   {
     "@timestamp": "2020-05-14T07:01:14.3715076Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "400",
-      "ingested": "2025-01-15T10:02:22.042381068Z",
+      "ingested": "2025-10-29T18:18:28.904567044Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 13,
-      "type": "start"
+      "type": [
+        "start"
+      ]
     },
     "host": {
       "name": "vagrant",
@@ -124,18 +132,22 @@
   {
     "@timestamp": "2020-05-14T11:32:51.9892568Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "400",
-      "ingested": "2025-01-15T10:02:22.042395560Z",
+      "ingested": "2025-10-29T18:18:28.904575669Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 13,
-      "type": "start"
+      "type": [
+        "start"
+      ]
     },
     "host": {
       "name": "vagrant",
@@ -184,18 +196,22 @@
   {
     "@timestamp": "2020-06-04T07:20:27.7472275Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "400",
-      "ingested": "2025-01-15T10:02:22.042402302Z",
+      "ingested": "2025-10-29T18:18:28.904580210Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 9,
-      "type": "start"
+      "type": [
+        "start"
+      ]
     },
     "host": {
       "name": "vagrant",

x-pack/winlogbeat/module/powershell/test/testdata/ingest/403.golden.json

@@ -2,18 +2,22 @@
   {
     "@timestamp": "2020-05-14T15:31:22.4269238Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "403",
-      "ingested": "2025-01-15T10:02:22.075700098Z",
+      "ingested": "2025-10-29T18:18:28.942849919Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 33,
-      "type": "end"
+      "type": [
+        "end"
+      ]
     },
     "host": {
       "name": "vagrant",
@@ -61,18 +65,22 @@
   {
     "@timestamp": "2020-05-15T08:11:47.932007Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "403",
-      "ingested": "2025-01-15T10:02:22.075721610Z",
+      "ingested": "2025-10-29T18:18:28.942869960Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 37,
-      "type": "end"
+      "type": [
+        "end"
+      ]
     },
     "host": {
       "name": "vagrant",
@@ -121,18 +129,22 @@
   {
     "@timestamp": "2020-05-15T08:28:53.6266982Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "403",
-      "ingested": "2025-01-15T10:02:22.075728323Z",
+      "ingested": "2025-10-29T18:18:28.942874294Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 37,
-      "type": "end"
+      "type": [
+        "end"
+      ]
     },
     "host": {
       "name": "vagrant",
@@ -188,18 +200,22 @@
   {
     "@timestamp": "2020-06-04T07:20:28.6861939Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Engine Lifecycle",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "403",
-      "ingested": "2025-01-15T10:02:22.075733622Z",
+      "ingested": "2025-10-29T18:18:28.942877752Z",
       "kind": "event",
       "module": "powershell",
       "provider": "PowerShell",
       "sequence": 10,
-      "type": "end"
+      "type": [
+        "end"
+      ]
     },
     "host": {
       "name": "vagrant",

x-pack/winlogbeat/module/powershell/test/testdata/ingest/4103.golden.json

@@ -8,18 +8,22 @@
       }
     },
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Executing Pipeline",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "4103",
-      "ingested": "2025-01-15T10:02:22.083664757Z",
+      "ingested": "2025-10-29T18:18:28.958489585Z",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
       "sequence": 34,
-      "type": "info"
+      "type": [
+        "info"
+      ]
     },
     "host": {
       "name": "vagrant",
@@ -117,18 +121,22 @@
   {
     "@timestamp": "2020-05-15T08:13:06.7032939Z",
     "ecs": {
-      "version": "1.12.0"
+      "version": "8.17.0"
     },
     "event": {
       "action": "Executing Pipeline",
-      "category": "process",
+      "category": [
+        "process"
+      ],
       "code": "4103",
-      "ingested": "2025-01-15T10:02:22.083688734Z",
+      "ingested": "2025-10-29T18:18:28.958508877Z",
       "kind": "event",
       "module": "powershell",
       "provider": "Microsoft-Windows-PowerShell",
       "sequence": 22,
-      "type": "info"
+      "type": [
+        "info"
+      ]
     },
     "host": {
       "name": "vagrant",