Description
Opened on Feb 8, 2021
The goal is to separate the XML processing capability of the winlog input from the ability to read XML event logs from Windows. This will allow event log XML to be processed from a variety of sources. One use case is to be able to process Windows event logs that have been written to an S3 bucket as XML.
As a nice side-effect, we should be able to make testing of the Windows modules a little easier, since we can use XML instead of .evtx files as the source data for tests, and those tests should be able to run on non-Windows machines.
The XML processing code is currently part of a Winlogbeat package that interacts with the Windows API (using cgo). So we will want to cleanly separate this code so that the XML event log decoder package has no dependency on Windows APIs.
Example config:

```yaml
processors:
  - rename:
      fields:
        - from: message
          to: event.original
  - decode_xml_wineventlog:
      field: event.original
      target_field: winlog
  - script:
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
```
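As an added example (not code from the Beats project or this issue), the following shows the kind of platform-independent decoder the issue asks for: it parses one Windows Event Log XML record with only `encoding/xml`, no Windows API or cgo, into a flat map shaped like the `winlog.*` fields. The `winEvent` type, `decodeWinEventXML` function and the sample record are assumptions constructed for this illustration.

```go
package main

import "encoding/xml"
// winEvent models the parts of the Windows Event Log <Event> XML schema used here.
type winEvent struct {
	System struct {
		Provider struct {
			Name string `xml:"Name,attr"`
		} `xml:"Provider"`
		EventID       int    `xml:"EventID"`
		EventRecordID uint64 `xml:"EventRecordID"`
		Computer      string `xml:"Computer"`
	} `xml:"System"`
	EventData struct {
		Data []struct {
			Name  string `xml:"Name,attr"`
			Value string `xml:",chardata"`
		} `xml:"Data"`
	} `xml:"EventData"`
}

// decodeWinEventXML parses one event record into a flat map shaped like the
// winlog.* fields, using only encoding/xml: no Windows API, no cgo, any platform.
func decodeWinEventXML(raw string) (map[string]interface{}, error) {
	var ev winEvent
	if err := xml.Unmarshal([]byte(raw), &ev); err != nil {
		return nil, err // truncated or malformed XML is reported, not silently dropped
	}
	eventData := make(map[string]string, len(ev.EventData.Data))
	for _, d := range ev.EventData.Data {
		if d.Name != "" { // unnamed <Data> elements are dropped in this example
			eventData[d.Name] = d.Value
		}
	}
	return map[string]interface{}{
		"provider_name": ev.System.Provider.Name,
		"event_id":      ev.System.EventID,
		"record_id":     ev.System.EventRecordID,
		"computer_name": ev.System.Computer,
		"event_data":    eventData,
	}, nil
}

// sampleEvent is a constructed logon record (event 4624), not captured from a real host.
const sampleEvent = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<EventRecordID>1234</EventRecordID><Channel>Security</Channel><Computer>host01</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">2</Data></EventData></Event>`
```

Because the decoder takes a string, the same function serves an XML file read from S3 and a unit-test fixture, which is the testing benefit the issue describes.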