This repository has been archived by the owner on May 25, 2022. It is now read-only.

Fix Windows Log Event XML parsing #476

Closed
armstrmi opened this issue Apr 26, 2022 · 1 comment

Comments

@armstrmi
Contributor

armstrmi commented Apr 26, 2022

Describe the bug
Using the Windows input operator, it has been noticed that, with the introduction of Windows 2022, it has recently failed to receive some of the fields in a Windows event log, particularly level, message, opcode, keywords, etc. What appears to be the issue is that the input operator is attempting to parse out the XML format with a header of RenderingInfo. Unfortunately, that RenderingInfo header only applies to events that have been collected by the Windows Event Collector; otherwise it simply does not exist in the XML of the log. For some unknown reason, it does not have this effect on previous versions of Windows Server. Nonetheless, versions of this cannot be viewed.

Steps to reproduce

  1. Set up the input operator to read from the Application channel in the Windows event log
  2. Send an event log to the Windows event log
  3. Attempt to read the newly sent logs using the Windows input operator

What did you expect to see?

I expected to see the full response of the Windows event log, including all fields included in this XML format, which is specified here:

// EventXML is the rendered xml of an event.
type EventXML struct {
	EventID     EventID     `xml:"System>EventID"`
	Provider    Provider    `xml:"System>Provider"`
	Computer    string      `xml:"System>Computer"`
	Channel     string      `xml:"System>Channel"`
	RecordID    uint64      `xml:"System>EventRecordID"`
	TimeCreated TimeCreated `xml:"System>TimeCreated"`
	Message     string      `xml:"RenderingInfo>Message"`
	Level       string      `xml:"RenderingInfo>Level"`
	Task        string      `xml:"RenderingInfo>Task"`
	Opcode      string      `xml:"RenderingInfo>Opcode"`
	Keywords    []string    `xml:"RenderingInfo>Keywords>Keyword"`
}
PS C:\Users\xxx\Documents\gitfolder\opentelemetry-collector-contrib\receiver\windowseventlogreceiver> go test
map[channel:Application computer:xxxx event_id:map[id:10 qualifiers:0] keywords:[Classic] level:Error message:Test log opcode:Info provider:map[event_source: guid: name:EventCreate] record_id:26901 system_time:2022-04-22T19:07:04.687756100Z task:]
PASS
ok      github.com/open-telemetry/opentelemetry-collector-contrib/receiver/windowseventlogreceiver      1.298s

What did you see instead?
The input operator failed to retrieve message, level, opcode, and keywords.

map[channel:Application computer:fv-az253-111 event_id:map[id:10 qualifiers:0] keywords:[] level: message: opcode: provider:map[event_source: guid: name:EventCreate] record_id:5110 system_time:2022-04-20T20:40:14.6541126Z task:]
--- FAIL: TestReadWindowsEventLogger (1.14s)
    windowslog_test.go:115: 
        	Error Trace:	windowslog_test.go:115
        	Error:      	Not equal: 
        	            	expected: "Test log"
        	            	actual  : ""
        	            	
        	            	Diff:
        	            	--- Expected
        	            	+++ Actual
        	            	@@ -1 +1 @@
        	            	-Test log
        	            	+
        	Test:       	TestReadWindowsEventLogger
FAIL
FAIL	github.com/open-telemetry/opentelemetry-collector-contrib/receiver/windowseventlogreceiver	1.186s
FAIL
Error: Process completed with exit code 1.

What version did you use?
Version: v0.29.1

What config did you use?
Config is based upon the logs receiver that was attempted to be added to collector-contrib here
Config:

receivers:
  windowseventlog:
    start_at: end
    channel: application

processors:
  nop:

exporters:
  nop:

service:
  pipelines:
    logs:
      receivers: [windowseventlog]
      processors: [nop]
      exporters: [nop]

Environment
OS: Windows 2022
Compiler (if manually compiled): go1.18 windows/amd64

Proposed Fix
The intended fix for this issue is to change the field header from RenderingInfo and instead parse from the EventData header field. As shown in the fluentd mapping, you can see that this is the field they use to parse out message data. You can also see in the Windows event log itself that the RenderingInfo field does not exist unless it calls upon the service:

<Event>
    <System>
        <Provider Name="EventCreate" />
        <EventID Qualifiers="0">10</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2022-04-22T19:17:07.3273279Z" />
        <EventRecordID>23420</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>Application</Channel>
        <Computer>xxxxxxx</Computer>
        <Security UserID="" />
    </System>
    <EventData>
        <Data>Test log</Data>
    </EventData>
</Event>

Therefore, it makes sense to switch the XML header from RenderingInfo to EventData.

Additional context
This issue is currently blocking an additional PR that implements this input operator as a logs receiver here.
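
The two event shapes described in the report (RenderingInfo only for collector-rendered events; numeric Level/Task/Opcode/Keywords always present under System; the message arguments under EventData) can be handled by one parser that prefers the rendered fields and falls back to the System and EventData values when RenderingInfo is absent. The following Go program is an added example written for this page; it is not code from the issue, from PR #478, or from the opentelemetry-collector-contrib receiver. The level, opcode and keyword name tables, the hypothetical parseEvent/decodeKeywords helpers, and the choice to join the EventData strings as the fallback message are this example's own assumptions, and both XML samples are constructed (the first modeled on the event shown in the issue).

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// eventXML models both shapes of a Windows event: <System> always carries numeric
// Level/Task/Opcode/Keywords, <RenderingInfo> exists only once the event has been
// rendered (e.g. by the Windows Event Collector), <EventData> holds raw arguments.
type eventXML struct {
	EventID     int      `xml:"System>EventID"`
	RecordID    uint64   `xml:"System>EventRecordID"`
	SysLevel    int      `xml:"System>Level"`
	SysTask     int      `xml:"System>Task"`
	SysOpcode   int      `xml:"System>Opcode"`
	SysKeywords string   `xml:"System>Keywords"`
	EventData   []string `xml:"EventData>Data"`
	Rendering   *struct { // stays nil unless <RenderingInfo> is actually in the XML
		Message  string   `xml:"Message"`
		Level    string   `xml:"Level"`
		Task     string   `xml:"Task"`
		Opcode   string   `xml:"Opcode"`
		Keywords []string `xml:"Keywords>Keyword"`
	} `xml:"RenderingInfo"`
}

// event is the normalized record a log pipeline would emit.
type event struct {
	Level, Task, Opcode, Message string
	EventID                      int
	RecordID                     uint64
	Keywords                     []string
	Rendered                     bool // true when the values came from <RenderingInfo>
}

// Assumed name tables for the standard winmeta levels, opcodes and keyword bits; values outside them stay numeric.
var levelNames = map[int]string{0: "LogAlways", 1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose"}
var opcodeNames = map[int]string{0: "Info", 1: "Start", 2: "Stop"}
var keywordBits = []struct{ bit uint64; name string }{{0x80000000000000, "Classic"}, {0x20000000000000, "Audit Success"}, {0x10000000000000, "Audit Failure"}}

func nameOrNumber(names map[int]string, n int) string {
	if s, ok := names[n]; ok {
		return s
	}
	return strconv.Itoa(n)
}

// decodeKeywords expands the <System><Keywords> bitmask; bit 63 is reserved by Windows.
func decodeKeywords(hexMask string) []string {
	mask, err := strconv.ParseUint(strings.TrimPrefix(hexMask, "0x"), 16, 64)
	if err != nil {
		return nil
	}
	mask &^= 1 << 63
	var out []string
	for _, kw := range keywordBits {
		if mask&kw.bit != 0 {
			out, mask = append(out, kw.name), mask&^kw.bit
		}
	}
	if mask != 0 {
		out = append(out, fmt.Sprintf("0x%x", mask)) // unknown bits survive as hex instead of vanishing
	}
	return out
}

// parseEvent uses <RenderingInfo> when present, else the numeric <System> fields plus the raw <EventData> strings.
func parseEvent(raw string) (event, error) {
	var x eventXML
	if err := xml.Unmarshal([]byte(raw), &x); err != nil {
		return event{}, err
	}
	ev := event{EventID: x.EventID, RecordID: x.RecordID}
	if r := x.Rendering; r != nil {
		ev.Rendered = true
		ev.Level, ev.Task, ev.Opcode, ev.Message, ev.Keywords = r.Level, r.Task, r.Opcode, r.Message, r.Keywords
		return ev, nil
	}
	ev.Level, ev.Opcode = nameOrNumber(levelNames, x.SysLevel), nameOrNumber(opcodeNames, x.SysOpcode)
	ev.Task, ev.Keywords = strconv.Itoa(x.SysTask), decodeKeywords(x.SysKeywords)
	ev.Message = strings.Join(x.EventData, "\n") // no message template without rendering, so keep the raw arguments
	return ev, nil
}

// Constructed samples: an unrendered event modeled on the issue, then the same event as a collector would render it.
const unrenderedSample = `<Event><System><Provider Name="EventCreate" /><EventID Qualifiers="0">10</EventID><Level>2</Level><Task>0</Task>
<Opcode>0</Opcode><Keywords>0x80000000000000</Keywords><EventRecordID>23420</EventRecordID><Channel>Application</Channel></System><EventData><Data>Test log</Data></EventData></Event>`
const renderedSample = `<Event><System><EventID Qualifiers="0">10</EventID><Level>2</Level><Task>0</Task><Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords><EventRecordID>23421</EventRecordID></System><EventData><Data>Test log</Data></EventData>
<RenderingInfo Culture="en-US"><Message>Test log</Message><Level>Error</Level><Task></Task><Opcode>Info</Opcode><Keywords><Keyword>Classic</Keyword></Keywords></RenderingInfo></Event>`

func main() {
	ev, err := parseEvent(unrenderedSample)
	fmt.Println(ev, err)
}
```

For the unrendered sample this yields level "Error", opcode "Info", keywords [Classic] and message "Test log", i.e. the fields the issue shows as empty. The fallback matters beyond correctness: a receiver that drops level and keywords for every unrendered event makes severity- or audit-keyword-based detection rules silently miss the events, so the parser keeps unknown numeric values and keyword bits in the output rather than discarding them.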

@djaglowski
Member

Closed by #478
