Add support for event language selection from config file (#19818)

* Add support for event language selection from config file

* fix - set default value of the EventLanguage variable in the winlogbeat/eventlog/eventlogging.go file

* fix mistakes made during upstream merge

* move entry in changelog to the end of the section and add reference to pull request id

* Add default value and docs

* Make suggested changes

Co-authored-by: Marc Guasch <marc.guasch@elastic.co>

CHANGELOG.next.asciidoc

@@ -914,6 +914,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add additional event categorization for security and sysmon modules. {pull}22988[22988]
 - Add dns.question.subdomain fields for sysmon DNS events. {pull}22999[22999]
 - Add dns.question.top_level_domain fields for sysmon DNS events. {pull}23046[23046]
+- Add support for event language selection from config file {pull}19818[19818]
 
 *Elastic Log Driver*
 

winlogbeat/docs/modules.asciidoc

@@ -22,6 +22,9 @@ a `script` processor to your configuration file and point it at the included
 script file for the module. The documentation for each module includes an
 example.
 
+NOTE: The provided modules only support events in English. For more information
+about how to configure the language in `winlogbeat`, refer to <<configuration-winlogbeat-options>>.
+
 [float]
 === Usage with Forwarded Events
 
@@ -34,6 +37,7 @@ script processors that are guarded by a conditional `when` statement.
 winlogbeat.event_logs:
 - name: ForwardedEvents
   tags: [forwarded]
+  language: 0x0409 # en-US
   processors:
     - script:
         when.equals.winlog.channel: Security

winlogbeat/docs/winlogbeat-options.asciidoc

@@ -232,6 +232,21 @@ winlogbeat.event_logs:
 
 =======================================
 
+[float]
+==== `event_logs.language`
+
+The language ID the events will be rendered in. The language will be forced regardless
+of the system language. A complete list of language IDs can be found
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-lcid/a9eac961-e77d-41a6-90a5-ce1a8b0cdb9c[here].
+It defaults to `0`, which indicates to use the system language.
+
+[source,yaml]
+--------------------------------------------------------------------------------
+winlogbeat.event_logs:
+  - name: Security
+    event_id: 4624, 4625, 4700-4800, -4735
+    language: 0x0409 # en-US
+--------------------------------------------------------------------------------
 
 [float]
 ==== `event_logs.level`

winlogbeat/eventlog/wineventlog.go

@@ -60,6 +60,7 @@ type winEventLogConfig struct {
 	Forwarded     *bool              `config:"forwarded"`
 	SimpleQuery   query              `config:",inline"`
 	NoMoreEvents  NoMoreEventsAction `config:"no_more_events"` // Action to take when no more events are available - wait or stop.
+	EventLanguage uint32             `config:"language"`
 }
 
 // NoMoreEventsAction defines what action for the reader to take when
@@ -390,7 +391,7 @@ func newWinEventLog(options *common.Config) (EventLog, error) {
 
 	eventMetadataHandle := func(providerName, sourceName string) sys.MessageFiles {
 		mf := sys.MessageFiles{SourceName: sourceName}
-		h, err := win.OpenPublisherMetadata(0, sourceName, 0)
+		h, err := win.OpenPublisherMetadata(0, sourceName, c.EventLanguage)
 		if err != nil {
 			mf.Err = err
 			return mf
@@ -431,7 +432,7 @@ func newWinEventLog(options *common.Config) (EventLog, error) {
 		}
 	default:
 		l.render = func(event win.EvtHandle, out io.Writer) error {
-			return win.RenderEvent(event, 0, l.renderBuf, l.cache.get, out)
+			return win.RenderEvent(event, c.EventLanguage, l.renderBuf, l.cache.get, out)
 		}
 	}
 

winlogbeat/sys/wineventlog/wineventlog_windows.go

@@ -384,7 +384,7 @@ func FormatEventString(
 	// Open a publisher handle if one was not provided.
 	ph := publisherHandle
 	if ph == 0 {
-		ph, err := OpenPublisherMetadata(0, publisher, 0)
+		ph, err := OpenPublisherMetadata(0, publisher, lang)
 		if err != nil {
 			return err
 		}