From b607b92b134b4275ff8c7ecfd674c385212cca4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Chema=20Mart=C3=ADnez?=
Date: Fri, 9 Feb 2024 17:18:55 +0100
Subject: [PATCH] specs/filebeat.spec.yml - make ETW input available (#4037)

This PR adds it to the Filebeat spec so it can be run by the elastic-agent.
---
 .../1707481157-etw-filebeat-spec.yaml | 32 +++++++++++++++++++
 specs/filebeat.spec.yml | 6 ++++
 2 files changed, 38 insertions(+)
 create mode 100644 changelog/fragments/1707481157-etw-filebeat-spec.yaml

diff --git a/changelog/fragments/1707481157-etw-filebeat-spec.yaml b/changelog/fragments/1707481157-etw-filebeat-spec.yaml
new file mode 100644
index 00000000000..2f6b37f616f
--- /dev/null
+++ b/changelog/fragments/1707481157-etw-filebeat-spec.yaml
@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: feature
+
+# Change summary; a 80ish characters long description of the change.
+summary: Add ETW input mapping to the Filebeat spec.
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: spec
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+#pr: https://github.com/owner/repo/1234
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234
diff --git a/specs/filebeat.spec.yml b/specs/filebeat.spec.yml
index 2d0a1534eae..4e496a65590 100644
--- a/specs/filebeat.spec.yml
+++ b/specs/filebeat.spec.yml
@@ -95,6 +95,12 @@ inputs:
 outputs: *outputs
 shippers: *shippers
 command: *command
+ - name: etw
+ description: "Event Tracing for Windows"
+ platforms: *platforms
+ outputs: *outputs
+ shippers: *shippers
+ command: *command
 - name: gcp-pubsub
 description: "GCP Pub-Sub"
 platforms: *platforms
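Review bot: The new `etw` entry sets `platforms: *platforms`, but Event Tracing for Windows exists only on Windows, so the shared alias probably advertises the input on platforms where Filebeat cannot run it. The anchor's definition is outside this hunk; if it lists Linux, macOS or container targets, restrict this entry to the Windows targets instead, for example `platforms: [windows/amd64]`, so a policy that assigns the input to a non-Windows host is rejected by the spec rather than failing inside Filebeat. It is also worth a one-line comment above the entry, such as `# Windows only; opening an ETW session typically needs administrative rights`, since the spec does not otherwise say what privileges the input needs. The `inputs:` list starts and ends outside the hunk.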