diff --git a/test/packages/apache/_dev/build/build.yml b/test/packages/apache/_dev/build/build.yml
new file mode 100644
index 0000000000..08d85edcf9
--- /dev/null
+++ b/test/packages/apache/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@1.12
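Review bot: `reference: git@1.12` appears to name a major.minor git ref of the ECS repository rather than an immutable tag or commit, so the generated ECS fields can drift between builds even though the expected fixtures in this change pin `ecs.version` to `1.12.0`. If the build tooling accepts an exact ref, pin to the matching release (e.g. `reference: git@v1.12.0`) or record in a comment why the floating series ref is intended, such as `# ECS 1.12 series; expected test output assumes 1.12.0`. This is a test fixture, so the risk is reproducibility rather than exposure, but a moving dependency is still a silent source of fixture churn.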
diff --git a/test/packages/apache/_dev/build/docs/README.md b/test/packages/apache/_dev/build/docs/README.md
index 61402727a9..f57e928c13 100644
--- a/test/packages/apache/_dev/build/docs/README.md
+++ b/test/packages/apache/_dev/build/docs/README.md
@@ -5,8 +5,8 @@ logs created by the Apache server.
## Compatibility
-The Apache datasets were tested with Apache 2.4.12 and 2.4.20 and are expected to work with
-all versions >= 2.2.31 and >= 2.4.16.
+The Apache datasets were tested with Apache 2.4.12 and 2.4.46 and are expected to work with
+all versions >= 2.2.31 and >= 2.4.16 (independent from operating system).
## Logs
@@ -31,4 +31,4 @@ generated by the `mod_status` module.
{{event "status"}}
-{{fields "status"}}
\ No newline at end of file
+{{fields "status"}}
diff --git a/test/packages/apache/_dev/deploy/docker/Dockerfile b/test/packages/apache/_dev/deploy/docker/Dockerfile
index 16a87baed7..d6a2916a3c 100644
--- a/test/packages/apache/_dev/deploy/docker/Dockerfile
+++ b/test/packages/apache/_dev/deploy/docker/Dockerfile
@@ -1,4 +1,4 @@
-ARG SERVICE_VERSION=${SERVICE_VERSION:-2.4.20}
+ARG SERVICE_VERSION=${SERVICE_VERSION:-2.4.46}
FROM httpd:$SERVICE_VERSION
RUN sed -i "/jessie-updates/d" /etc/apt/sources.list
RUN apt-get update && apt-get install -y curl
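Review bot: The `FROM httpd:$SERVICE_VERSION` line now resolves to the mutable tag `httpd:2.4.46` only, so the test image is not reproducible and will silently change when the tag is re-pushed; consider pinning with a digest (`httpd:2.4.46@sha256:…`) or noting in a comment that drift is accepted for this fixture. The `sed -i "/jessie-updates/d" /etc/apt/sources.list` line looks like a workaround for the older jessie-based 2.4.20 image and is presumably a no-op on the 2.4.46 base — confirm and drop it if so. The apt layer also leaves package lists in the image and pulls recommended packages; `RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*` keeps the fixture smaller and more deterministic.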
diff --git a/test/packages/apache/_dev/deploy/docker/docker-compose.yml b/test/packages/apache/_dev/deploy/docker/docker-compose.yml
index 0c20270dd2..6feb176f98 100644
--- a/test/packages/apache/_dev/deploy/docker/docker-compose.yml
+++ b/test/packages/apache/_dev/deploy/docker/docker-compose.yml
@@ -4,10 +4,7 @@ services:
# Commented out `image:` below until we have a process to refresh the hosted images from
# Dockerfiles in this repo. Until then, we build the image locally using `build:` below.
# image: docker.elastic.co/integrations-ci/beats-apache:${SERVICE_VERSION:-2.4.20}-1
- build:
- context: .
- args:
- SERVICE_VERSION: ${SERVICE_VERSION}
+ build: .
ports:
- 80
volumes:
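Review bot: Replacing the `build:` mapping with `build: .` drops the `SERVICE_VERSION` build arg, so the value declared in `variants.yml` is no longer forwarded to the Dockerfile and the Apache version is decided solely by the Dockerfile's `ARG` default (an `ARG` default cannot read the compose host environment), which leaves the variant's `SERVICE_VERSION` as dead configuration. Unless collapsing to a single hard-coded version is intentional, restore the removed `context: .` plus `args: SERVICE_VERSION: ${SERVICE_VERSION}` mapping so the variant still drives the image. The commented-out `image:` line above still names `2.4.20`; it is outside the change but would be worth updating to avoid misleading whoever re-enables it.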
diff --git a/test/packages/apache/_dev/deploy/docker/httpd.conf b/test/packages/apache/_dev/deploy/docker/httpd.conf
index f801678890..f402947317 100644
--- a/test/packages/apache/_dev/deploy/docker/httpd.conf
+++ b/test/packages/apache/_dev/deploy/docker/httpd.conf
@@ -149,6 +149,7 @@ LoadModule dir_module modules/mod_dir.so
#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule mpm_event_module modules/mod_mpm_event.so
#
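Review bot: The added `LoadModule mpm_event_module modules/mod_mpm_event.so` sits among commented-out optional modules with no explanation, and httpd refuses to start when more than one MPM is loaded; whether `mpm_prefork`/`mpm_worker` LoadModule lines elsewhere in this file are disabled is not visible in the hunk, so confirm exactly one MPM is active. A short why-comment above the line would help the next maintainer, e.g. `# Exactly one MPM may be loaded; event is used here — keep prefork/worker commented out`. Consider also grouping it with the other active `LoadModule` entries rather than between disabled ones.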
@@ -507,4 +508,4 @@ SSLRandomSeed connect builtin
-
\ No newline at end of file
+
diff --git a/test/packages/apache/_dev/deploy/variants.yml b/test/packages/apache/_dev/deploy/variants.yml
index d4a4d65d6f..a4f638620c 100644
--- a/test/packages/apache/_dev/deploy/variants.yml
+++ b/test/packages/apache/_dev/deploy/variants.yml
@@ -1,6 +1,4 @@
variants:
- v2420:
- SERVICE_VERSION: 2.4.20
- v2423:
- SERVICE_VERSION: 2.4.23
-default: v2420
+ v2:
+ SERVICE_VERSION: 2.4.46
+default: v2
diff --git a/test/packages/apache/changelog.yml b/test/packages/apache/changelog.yml
index 49d5938bf6..89cff330bc 100644
--- a/test/packages/apache/changelog.yml
+++ b/test/packages/apache/changelog.yml
@@ -1,6 +1,111 @@
# newer versions go on top
-- version: "0.0.1"
+- version: "999.999.999"
+ changes:
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.3.2"
+ changes:
+ - description: Fix ML module manifest query to ignore frozen and cold tiers
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2217
+- version: "1.3.1"
+ changes:
+ - description: Fix parsing of trace log levels
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2064
+- version: "1.3.0"
+ changes:
+ - description: Support Kibana 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2122
+- version: "1.2.0"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2001
+- version: "1.1.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1794
+- version: "1.1.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1686
+- version: "1.0.0"
+ changes:
+ - description: Release Apache as GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1607
+- version: "0.9.2"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1463
+- version: '0.9.1'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1369
+- version: "0.9.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.8.1"
+ changes:
+ - description: Add support for Splunk authorization tokens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1147
+- version: "0.8.0"
+ changes:
+ - description: Set event.module and event.dataset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1230
+- version: "0.7.1"
+ changes:
+ - description: Fix bug in Third Party REST API ingest pipeline
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1201
+- version: "0.7.0"
+ changes:
+ - description: Update to ECS 1.10.0 and adding items that all packages should have
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1068
+- version: "0.6.0"
+ changes:
+ - description: Render units and metric types in exported fields table
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1028
+- version: "0.5.1"
+ changes:
+ - description: Move ecs.version to the ingest pipeline and make event.original optional
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1025
+- version: "0.5.0"
+ changes:
+ - description: Adds ML jobs for finding unusual activity in HTTP access logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/910
+- version: "0.4.1"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/832
+- version: "0.3.5"
+ changes:
+ - description: Updating package owner
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/766
+- version: "0.3.4"
+ changes:
+ - description: Use correct types for `source.port` and `source.ip`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/737
+- version: "0.1.0"
changes:
- description: initial release
type: enhancement # can be one of: enhancement, bugfix, breaking-change
- link: https://github.com/elastic/elastic-package/pull/109
+ link: https://github.com/elastic/integrations/pull/98
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log
new file mode 100644
index 0000000000..4e2cbbe7e5
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log
@@ -0,0 +1,7 @@
+::1 - - [26/Dec/2016:16:16:29 +0200] "GET /favicon.ico HTTP/1.1" 404 209
+192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] "GET /hello HTTP/1.1" 404 499 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
+::1 - - [26/Dec/2016:16:16:48 +0200] "-" 408 -
+172.17.0.1 - - [29/May/2017:19:02:48 +0000] "GET /stringpatch HTTP/1.1" 404 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
+monitoring-server - - [29/May/2017:19:02:48 +0000] "GET /status HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
+127.0.0.1 - - [02/Feb/2019:05:38:45 +0100] "-" 408 152 "-" "-"
+monitoring-server - - [29/May/2017:19:02:48 +0000] "GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2" "-"
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json
new file mode 100644
index 0000000000..481ed5c4e5
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-basic.log-expected.json
@@ -0,0 +1,354 @@
+{
+ "expected": [
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T14:16:29.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 209
+ },
+ "status_code": 404
+ }
+ },
+ "source": {
+ "address": "::1",
+ "ip": "::1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:29.903774500Z",
+ "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "url": {
+ "path": "/favicon.ico",
+ "extension": "ico",
+ "original": "/favicon.ico"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/hello",
+ "original": "/hello"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:13.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 499
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:29.903783200Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ },
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T14:16:48.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "response": {
+ "status_code": 408
+ }
+ },
+ "source": {
+ "address": "::1",
+ "ip": "::1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:29.903788600Z",
+ "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "source": {
+ "address": "172.17.0.1",
+ "ip": "172.17.0.1"
+ },
+ "url": {
+ "path": "/stringpatch",
+ "original": "/stringpatch"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2017-05-29T19:02:48.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 612
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:29.903792500Z",
+ "original": "172.17.0.1 - - [29/May/2017:19:02:48 +0000] \"GET /stringpatch HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox Alpha",
+ "original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
+ "os": {
+ "name": "Windows",
+ "version": "7",
+ "full": "Windows 7"
+ },
+ "device": {
+ "name": "Other"
+ },
+ "version": "15.0.a2"
+ }
+ },
+ {
+ "source": {
+ "address": "monitoring-server",
+ "domain": "monitoring-server"
+ },
+ "url": {
+ "path": "/status",
+ "original": "/status"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2017-05-29T19:02:48.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 612
+ },
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:29.903797600Z",
+ "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /status HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "success"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox Alpha",
+ "original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
+ "os": {
+ "name": "Windows",
+ "version": "7",
+ "full": "Windows 7"
+ },
+ "device": {
+ "name": "Other"
+ },
+ "version": "15.0.a2"
+ }
+ },
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2019-02-02T04:38:45.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "referrer": "-"
+ },
+ "response": {
+ "body": {
+ "bytes": 152
+ },
+ "status_code": 408
+ }
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:29.903803900Z",
+ "original": "127.0.0.1 - - [02/Feb/2019:05:38:45 +0100] \"-\" 408 152 \"-\" \"-\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Other",
+ "device": {
+ "name": "Other"
+ },
+ "original": "-"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "source": {
+ "address": "monitoring-server",
+ "domain": "monitoring-server"
+ },
+ "url": {
+ "path": "/A Beka G1 Howe/029_AND_30/15 reading elephants.mp4",
+ "extension": "mp4",
+ "original": "/A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2017-05-29T19:02:48.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 612
+ },
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:29.903809300Z",
+ "original": "monitoring-server - - [29/May/2017:19:02:48 +0000] \"GET /A%20Beka%20G1%20Howe/029_AND_30/15%20reading%20elephants.mp4 HTTP/1.1\" 200 612 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2\" \"-\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "success"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox Alpha",
+ "original": "Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2",
+ "os": {
+ "name": "Windows",
+ "version": "7",
+ "full": "Windows 7"
+ },
+ "device": {
+ "name": "Other"
+ },
+ "version": "15.0.a2"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log
new file mode 100644
index 0000000000..6b1ba50b17
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log
@@ -0,0 +1,6 @@
+::1 - - [26/Dec/2016:16:16:28 +0200] "GET / HTTP/1.1" 200 45
+::1 - - [26/Dec/2016:16:16:29 +0200] "GET /favicon.ico HTTP/1.1" 404 209
+::1 - - [26/Dec/2016:16:16:48 +0200] "-" 408 -
+89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] "GET / HTTP/1.1" 200 45
+89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] "GET /notfound HTTP/1.1" 404 206
+89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] "GET /hmm HTTP/1.1" 404 201
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json
new file mode 100644
index 0000000000..c893102f46
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-darwin.log-expected.json
@@ -0,0 +1,306 @@
+{
+ "expected": [
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T14:16:28.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 45
+ },
+ "status_code": 200
+ }
+ },
+ "source": {
+ "address": "::1",
+ "ip": "::1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:30.879403900Z",
+ "original": "::1 - - [26/Dec/2016:16:16:28 +0200] \"GET / HTTP/1.1\" 200 45",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "success"
+ },
+ "user": {
+ "name": "-"
+ },
+ "url": {
+ "path": "/",
+ "original": "/"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T14:16:29.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 209
+ },
+ "status_code": 404
+ }
+ },
+ "source": {
+ "address": "::1",
+ "ip": "::1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:30.879409400Z",
+ "original": "::1 - - [26/Dec/2016:16:16:29 +0200] \"GET /favicon.ico HTTP/1.1\" 404 209",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "url": {
+ "path": "/favicon.ico",
+ "extension": "ico",
+ "original": "/favicon.ico"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T14:16:48.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "response": {
+ "status_code": 408
+ }
+ },
+ "source": {
+ "address": "::1",
+ "ip": "::1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:30.879413800Z",
+ "original": "::1 - - [26/Dec/2016:16:16:48 +0200] \"-\" 408 -",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:23:35.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 45
+ },
+ "status_code": 200
+ }
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:30.879418Z",
+ "original": "89.160.20.156 - - [26/Dec/2016:18:23:35 +0200] \"GET / HTTP/1.1\" 200 45",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "success"
+ },
+ "user": {
+ "name": "-"
+ },
+ "url": {
+ "path": "/",
+ "original": "/"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:23:41.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 206
+ },
+ "status_code": 404
+ }
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:30.879422100Z",
+ "original": "89.160.20.156 - - [26/Dec/2016:18:23:41 +0200] \"GET /notfound HTTP/1.1\" 404 206",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "url": {
+ "path": "/notfound",
+ "original": "/notfound"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:23:45.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 201
+ },
+ "status_code": 404
+ }
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:30.879427100Z",
+ "original": "89.160.20.156 - - [26/Dec/2016:18:23:45 +0200] \"GET /hmm HTTP/1.1\" 404 201",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "url": {
+ "path": "/hmm",
+ "original": "/hmm"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log
new file mode 100644
index 0000000000..0a59aed766
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log
@@ -0,0 +1,2 @@
+[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D&nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1" 1375
+[16/Oct/2019:11:53:47 +0200] 89.160.20.156 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /appl/ajaxhelper.php?cmd=getxicoreajax&opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D&nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1" -
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json
new file mode 100644
index 0000000000..0964c3ba0d
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ssl-request.log-expected.json
@@ -0,0 +1,117 @@
+{
+ "expected": [
+ {
+ "apache": {
+ "access": {
+ "ssl": {
+ "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+ "protocol": "TLSv1.2"
+ }
+ }
+ },
+ "@timestamp": "2018-08-10T07:45:56.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 1375
+ }
+ }
+ },
+ "tls": {
+ "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+ "version": "1.2",
+ "version_protocol": "tls"
+ },
+ "source": {
+ "address": "172.30.0.119",
+ "ip": "172.30.0.119"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.533065900Z",
+ "original": "[10/Aug/2018:09:45:56 +0200] 172.30.0.119 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /nagiosxi/ajaxhelper.php?cmd=getxicoreajax\u0026amp;opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D\u0026amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21 HTTP/1.1\" 1375",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z"
+ },
+ "url": {
+ "path": "/nagiosxi/ajaxhelper.php",
+ "extension": "php",
+ "original": "/nagiosxi/ajaxhelper.php?cmd=getxicoreajax\u0026amp;opts=%7B%22func%22%3A%22get_admin_tasks_html%22%2C%22args%22%3A%22%22%7D\u0026amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21",
+ "query": "cmd=getxicoreajax\u0026amp;opts={\"func\":\"get_admin_tasks_html\",\"args\":\"\"}\u0026amp;nsp=b5c7d5d4b6f7d0cf0c92f9cbdf737f6a5c838218425e6ae21"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "access": {
+ "ssl": {
+ "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+ "protocol": "TLSv1.2"
+ }
+ }
+ },
+ "@timestamp": "2019-10-16T09:53:47.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1"
+ },
+ "tls": {
+ "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+ "version": "1.2",
+ "version_protocol": "tls"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.533074100Z",
+ "original": "[16/Oct/2019:11:53:47 +0200] 89.160.20.156 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 \"GET /appl/ajaxhelper.php?cmd=getxicoreajax\u0026opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D\u0026nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d HTTP/1.1\" -",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z"
+ },
+ "url": {
+ "path": "/appl/ajaxhelper.php",
+ "extension": "php",
+ "original": "/appl/ajaxhelper.php?cmd=getxicoreajax\u0026opts=%7B%22func%22%3A%22get_pagetop_alert_content_html%22%2C%22args%22%3A%22%22%7D\u0026nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d",
+ "query": "cmd=getxicoreajax\u0026opts={\"func\":\"get_pagetop_alert_content_html\",\"args\":\"\"}\u0026nsp=c2700eab9797eda8a9f65a3ab17a6adbceccd60a6cca7708650a5923950d"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log
new file mode 100644
index 0000000000..92d1bdd85a
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log
@@ -0,0 +1,9 @@
+127.0.0.1 - - [26/Dec/2016:16:18:09 +0000] "GET / HTTP/1.1" 200 491 "-" "Wget/1.13.4 (linux-gnu)"
+192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] "GET / HTTP/1.1" 200 484 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
+192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] "GET /favicon.ico HTTP/1.1" 404 504 "http://192.168.33.72/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36"
+192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] "GET / HTTP/1.1" 200 484 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
+192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] "GET /favicon.ico HTTP/1.1" 404 504 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
+192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] "GET /favicon.ico HTTP/1.1" 404 504 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
+192.168.33.1 - - [26/Dec/2016:16:22:10 +0000] "GET /test HTTP/1.1" 404 498 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
+192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] "GET /hello HTTP/1.1" 404 499 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
+192.168.33.1 - - [26/Dec/2016:16:22:17 +0000] "GET /crap HTTP/1.1" 404 499 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json
new file mode 100644
index 0000000000..92c297c4b3
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-ubuntu.log-expected.json
@@ -0,0 +1,518 @@
+{
+ "expected": [
+ {
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "url": {
+ "path": "/",
+ "original": "/"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:18:09.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 491
+ },
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835525800Z",
+ "original": "127.0.0.1 - - [26/Dec/2016:16:18:09 +0000] \"GET / HTTP/1.1\" 200 491 \"-\" \"Wget/1.13.4 (linux-gnu)\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "success"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Wget",
+ "original": "Wget/1.13.4 (linux-gnu)",
+ "os": {
+ "name": "Linux"
+ },
+ "device": {
+ "name": "Other"
+ },
+ "version": "1.13.4"
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/",
+ "original": "/"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:00.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 484
+ },
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835534600Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] \"GET / HTTP/1.1\" 200 484 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "success"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Chrome",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12.0",
+ "full": "Mac OS X 10.12.0"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "54.0.2840.98"
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/favicon.ico",
+ "extension": "ico",
+ "original": "/favicon.ico"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:00.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "http://192.168.33.72/"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 504
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835540100Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:00 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"http://192.168.33.72/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Chrome",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12.0",
+ "full": "Mac OS X 10.12.0"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "54.0.2840.98"
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/",
+ "original": "/"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:08.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 484
+ },
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835543600Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET / HTTP/1.1\" 200 484 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "success"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/favicon.ico",
+ "extension": "ico",
+ "original": "/favicon.ico"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:08.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 504
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835548Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/favicon.ico",
+ "extension": "ico",
+ "original": "/favicon.ico"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:08.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 504
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835553700Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:08 +0000] \"GET /favicon.ico HTTP/1.1\" 404 504 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/test",
+ "original": "/test"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:10.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 498
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835559600Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:10 +0000] \"GET /test HTTP/1.1\" 404 498 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/hello",
+ "original": "/hello"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:13.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 499
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835563600Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:13 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ },
+ {
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "url": {
+ "path": "/crap",
+ "original": "/crap"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:17.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 499
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:31.835568100Z",
+ "original": "192.168.33.1 - - [26/Dec/2016:16:22:17 +0000] \"GET /crap HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log
new file mode 100644
index 0000000000..64a432e4a8
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log
@@ -0,0 +1 @@
+vhost1.domaine.fr 192.168.33.2 - - [26/Dec/2016:16:22:14 +0000] "GET /hello HTTP/1.1" 404 499 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0"
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json
new file mode 100644
index 0000000000..8b6a8cbbef
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-access-vhost.log-expected.json
@@ -0,0 +1,64 @@
+{
+ "expected": [
+ {
+ "destination": {
+ "domain": "vhost1.domaine.fr"
+ },
+ "source": {
+ "ip": "192.168.33.2"
+ },
+ "url": {
+ "path": "/hello",
+ "original": "/hello",
+ "domain": "vhost1.domaine.fr"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "access": {}
+ },
+ "@timestamp": "2016-12-26T16:22:14.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "GET",
+ "referrer": "-"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 499
+ },
+ "status_code": 404
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:33.387841500Z",
+ "original": "vhost1.domaine.fr 192.168.33.2 - - [26/Dec/2016:16:22:14 +0000] \"GET /hello HTTP/1.1\" 404 499 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0\"",
+ "category": "web",
+ "kind": "event",
+ "created": "2020-04-28T11:07:58.223Z",
+ "outcome": "failure"
+ },
+ "user": {
+ "name": "-"
+ },
+ "user_agent": {
+ "name": "Firefox",
+ "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0",
+ "os": {
+ "name": "Mac OS X",
+ "version": "10.12",
+ "full": "Mac OS X 10.12"
+ },
+ "device": {
+ "name": "Mac"
+ },
+ "version": "50.0."
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/access/_dev/test/pipeline/test-common-config.yml b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..3cabcf9fb8
--- /dev/null
+++ b/test/packages/apache/data_stream/access/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,6 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ "@timestamp": "2020-04-28T11:07:58.223Z"
+ tags:
+ - preserve_original_event
diff --git a/test/packages/apache/data_stream/access/agent/stream/httpjson.yml.hbs b/test/packages/apache/data_stream/access/agent/stream/httpjson.yml.hbs
new file mode 100644
index 0000000000..96e6d31467
--- /dev/null
+++ b/test/packages/apache/data_stream/access/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,64 @@
+config_version: "2"
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+response.split:
+ target: body.result._raw
+ type: string
+ delimiter: "\n"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
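Review bot: When both `token` and `username`/`password` are configured, the `{{#unless token}}` guard around the basic-auth block and the `{{#unless username}}`/`{{#unless password}}` guards around the `header.Authorization` transform cancel each other out, so no authentication is rendered at all and the input silently polls unauthenticated instead of failing fast. Either let one mechanism win (e.g. drop the `{{#unless username}}`/`{{#unless password}}` wrappers so a configured token always takes precedence) or state the precedence in the template, `{{!-- token takes precedence over basic auth; both set → token only --}}`. Separately, `auth.basic.password: {{password}}` and `value: {{token}}` are rendered unquoted into YAML, so a secret containing `: `, ` #` or a leading indicator character breaks the rendered config; unless the agent's loader is known to tolerate that, quoting those values is safer.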
diff --git a/test/packages/apache/data_stream/access/agent/stream/log.yml.hbs b/test/packages/apache/data_stream/access/agent/stream/log.yml.hbs
index 0146a6e9c6..c6e5ed4c73 100644
--- a/test/packages/apache/data_stream/access/agent/stream/log.yml.hbs
+++ b/test/packages/apache/data_stream/access/agent/stream/log.yml.hbs
@@ -2,9 +2,18 @@ paths:
{{#each paths as |path i|}}
- {{path}}
{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
exclude_files: [".gz$"]
+{{#if processors}}
processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/test/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml
index 9e0d5272be..dadfb3a493 100644
--- a/test/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/default.yml
@@ -1,101 +1,152 @@
---
description: "Pipeline for parsing Apache HTTP Server access logs. Requires the geoip and user_agent plugins."
-
processors:
-- grok:
- field: message
- patterns:
- - '%{IPORHOST:destination.domain} %{IPORHOST:source.ip} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
- "(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?"
- %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
- "%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
- - '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
- "(?:%{WORD:http.request.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}|-)?"
- %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
- "%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
- - '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
- "-" %{NUMBER:http.response.status_code:long} -'
- - \[%{HTTPDATE:apache.access.time}\] %{IPORHOST:source.address} %{DATA:apache.access.ssl.protocol}
- %{DATA:apache.access.ssl.cipher} "%{WORD:http.request.method} %{DATA:url.original}
- HTTP/%{NUMBER:http.version}" (-|%{NUMBER:http.response.body.bytes:long})
- ignore_missing: true
-- remove:
- field: message
-- set:
- field: event.kind
- value: event
-- set:
- field: event.category
- value: web
-- set:
- field: event.outcome
- value: success
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
-- set:
- field: event.outcome
- value: failure
- if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code > 399"
-- grok:
- field: source.address
- ignore_missing: true
- patterns:
- - ^(%{IP:source.ip}|%{HOSTNAME:source.domain})$
-- rename:
- field: '@timestamp'
- target_field: event.created
-- date:
- field: apache.access.time
- target_field: '@timestamp'
- formats:
- - dd/MMM/yyyy:H:m:s Z
- ignore_failure: true
-- remove:
- field: apache.access.time
- ignore_failure: true
-- user_agent:
- field: user_agent.original
- ignore_failure: true
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
-- set:
- field: tls.cipher
- value: '{{apache.access.ssl.cipher}}'
- if: ctx?.apache?.access?.ssl?.cipher != null
-
-- script:
- lang: painless
- if: ctx?.apache?.access?.ssl?.protocol != null
- source: >-
- def parts = ctx.apache.access.ssl.protocol.toLowerCase().splitOnToken("v");
- if (parts.length != 2) {
- return;
- }
- if (parts[1].contains(".")) {
- ctx.tls.version = parts[1];
- } else {
- ctx.tls.version = parts[1] + ".0";
- }
- ctx.tls.version_protocol = parts[0];
-
+ - pipeline:
+ if: ctx.message.startsWith('{')
+ name: '{{ IngestPipeline "third-party" }}'
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
+ - rename:
+ field: message
+ target_field: event.original
+ - grok:
+ field: event.original
+ patterns:
+ - '%{IPORHOST:destination.domain} %{IPORHOST:source.ip} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
+ "(?:%{WORD:http.request.method} %{DATA:_tmp.url_orig} HTTP/%{NUMBER:http.version}|-)?"
+ %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
+ "%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
+ - '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
+ "(?:%{WORD:http.request.method} %{DATA:_tmp.url_orig} HTTP/%{NUMBER:http.version}|-)?"
+ %{NUMBER:http.response.status_code:long} (?:%{NUMBER:http.response.body.bytes:long}|-)(
+ "%{DATA:http.request.referrer}")?( "%{DATA:user_agent.original}")?'
+ - '%{IPORHOST:source.address} - %{DATA:user.name} \[%{HTTPDATE:apache.access.time}\]
+ "-" %{NUMBER:http.response.status_code:long} -'
+ - \[%{HTTPDATE:apache.access.time}\] %{IPORHOST:source.address} %{DATA:apache.access.ssl.protocol}
+ %{DATA:apache.access.ssl.cipher} "%{WORD:http.request.method} %{DATA:_tmp.url_orig}
+ HTTP/%{NUMBER:http.version}" (-|%{NUMBER:http.response.body.bytes:long})
+ ignore_missing: true
+ - uri_parts:
+ field: _tmp.url_orig
+ ignore_failure: true
+ - remove:
+ field:
+ - _tmp
+ ignore_missing: true
+ - set:
+ field: url.domain
+ value: "{{destination.domain}}"
+ if: ctx.url?.domain == null && ctx.destination?.domain != null
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.category
+ value: web
+ - set:
+ field: event.outcome
+ value: success
+ if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400"
+ - set:
+ field: event.outcome
+ value: failure
+ if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code > 399"
+ - grok:
+ field: source.address
+ ignore_missing: true
+ patterns:
+ - ^(%{IP:source.ip}|%{HOSTNAME:source.domain})$
+ - remove:
+ field: event.created
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: '@timestamp'
+ target_field: event.created
+ - date:
+ field: apache.access.time
+ target_field: '@timestamp'
+ formats:
+ - dd/MMM/yyyy:H:m:s Z
+ ignore_failure: true
+ - remove:
+ field: apache.access.time
+ ignore_failure: true
+ - user_agent:
+ field: user_agent.original
+ ignore_failure: true
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - set:
+ field: tls.cipher
+ value: '{{apache.access.ssl.cipher}}'
+ if: ctx?.apache?.access?.ssl?.cipher != null
+ - script:
+ lang: painless
+ if: ctx?.apache?.access?.ssl?.protocol != null
+ source: >-
+ def parts = ctx.apache.access.ssl.protocol.toLowerCase().splitOnToken("v");
+ if (parts.length != 2) {
+ return;
+ }
+ if (parts[1].contains(".")) {
+ ctx.tls.version = parts[1];
+ } else {
+ ctx.tls.version = parts[1] + ".0";
+ }
+ ctx.tls.version_protocol = parts[0];
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
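Review bot: The new `pipeline` processor's condition `if: ctx.message.startsWith('{')` dereferences `message` without a null check, so a document that arrives without a `message` field throws inside the condition rather than simply skipping the third-party pipeline, while every other condition in this file uses null-safe `ctx?.` access. `if: ctx.message != null && ctx.message.startsWith('{')` keeps the same routing for JSON payloads and matches the file's style. The following `rename` of `message` to `event.original` also has no `ignore_missing`, so such a document would fail there anyway; if requiring `message` is intended, a `description:` on that rename saying so would make the contract explicit.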
diff --git a/test/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/third-party.yml b/test/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/third-party.yml
new file mode 100644
index 0000000000..42a2ca83ff
--- /dev/null
+++ b/test/packages/apache/data_stream/access/elasticsearch/ingest_pipeline/third-party.yml
@@ -0,0 +1,42 @@
+---
+description: Pipeline for parsing Apache HTTP Server logs from third party api
+processors:
+ - json:
+ field: message
+ target_field: json
+ - drop:
+ if: ctx.json?.result == null
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: '_id'
+ ignore_missing: true
+ - set:
+ copy_from: json.result._raw
+ field: message
+ ignore_empty_value: true
+ - set:
+ copy_from: json.result.host
+ field: host.name
+ ignore_empty_value: true
+ - set:
+ copy_from: json.result.source
+ field: file.path
+ ignore_empty_value: true
+ - remove:
+ field:
+ - json
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in third-party pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
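Review bot: The `fingerprint` processor writes to `_id`, which changes indexing semantics (later documents with the same six field values overwrite earlier ones), but nothing in the file says why; a `description: Derive a stable _id from the search result so re-polled events are deduplicated` on that processor would document the intent. The top-level `description` could likewise name the source more precisely than "third party api" — the companion httpjson template appears to query a Splunk search export (`json.result._raw`, `_indextime`), and saying so helps the next maintainer understand why `host.name` and `file.path` are taken from the payload rather than the agent.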
diff --git a/test/packages/apache/data_stream/access/fields/agent.yml b/test/packages/apache/data_stream/access/fields/agent.yml
new file mode 100644
index 0000000000..e313ec8287
--- /dev/null
+++ b/test/packages/apache/data_stream/access/fields/agent.yml
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/test/packages/apache/data_stream/access/fields/base-fields.yml b/test/packages/apache/data_stream/access/fields/base-fields.yml
index 7c798f4534..7a1b27e3da 100644
--- a/test/packages/apache/data_stream/access/fields/base-fields.yml
+++ b/test/packages/apache/data_stream/access/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: apache
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: apache.access
diff --git a/test/packages/apache/data_stream/access/fields/ecs.yml b/test/packages/apache/data_stream/access/fields/ecs.yml
index 53f81b3c85..12993b0268 100644
--- a/test/packages/apache/data_stream/access/fields/ecs.yml
+++ b/test/packages/apache/data_stream/access/fields/ecs.yml
@@ -1,199 +1,104 @@
-- name: message
+- external: ecs
+ name: destination.domain
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: file.path
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: http.request.referrer
+- external: ecs
+ name: http.response.body.bytes
+- external: ecs
+ name: http.response.status_code
+- external: ecs
+ name: http.version
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: log.level
+- external: ecs
+ name: message
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: process.thread.id
+- external: ecs
+ name: source.address
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.domain
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- description: Longitude and latitude.
level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: http
- title: HTTP
- group: 2
- type: group
- fields:
- - name: request.method
- level: extended
- type: keyword
- description: |-
- HTTP request method.
- Prior to ECS 1.6.0 the following guidance was provided:
- "The field value must be normalized to lowercase for querying."
- As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0
- ignore_above: 1024
- - name: request.referrer
- level: extended
- type: keyword
- description: Referrer for this HTTP request.
- ignore_above: 1024
- - name: response.body.bytes
- level: extended
- type: long
- format: bytes
- description: Size in bytes of the response body.
- unit: byte
- metric_type: gauge
- - name: response.status_code
- level: extended
- type: long
- format: string
- description: HTTP response status code.
- - name: version
- level: extended
- type: keyword
- description: HTTP version.
- ignore_above: 1024
-- name: log
- title: Log
- group: 2
- type: group
- fields:
- - name: level
- level: core
- type: keyword
- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
- - name: thread.id
- level: extended
- type: long
- format: string
- description: Thread ID.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: address
- level: extended
- type: keyword
- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- ignore_above: 1024
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
-- name: url
- title: URL
- group: 2
- type: group
- fields:
- - name: original
- level: extended
- type: keyword
- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user_agent
- title: User agent
- group: 2
- type: group
- fields:
- - name: device.name
- level: extended
- type: keyword
- description: Name of the device.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the user agent.
- ignore_above: 1024
- - name: original
- level: extended
- type: keyword
- description: Unparsed user_agent string.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: os.name
- level: extended
- type: keyword
- description: Operating system name, without the version.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- - name: version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Version of the user agent.
-- name: ecs.version
- type: keyword
-- name: source.ip
- type: ip
-- name: log.file.path
- type: keyword
-- name: log.offset
- type: long
-- name: input.type
- type: keyword
+ name: source.geo.location
+ type: geo_point
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: tls.cipher
+- external: ecs
+ name: tls.version
+- external: ecs
+ name: tls.version_protocol
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.extension
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.query
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
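Review bot: Four ECS references are listed twice at the end of the hunk — `user_agent.device.name`, `user_agent.name`, `user_agent.original` and `user_agent.os.name` each appear as two consecutive `external: ecs` entries. The duplicates are redundant at best and, depending on how strictly the package validator checks field definitions, may be rejected or yield a conflicting mapping; drop the second copy of each. The one entry that is not an external reference, `source.geo.location` (kept inline with `level: core` and `type: geo_point`), deserves a comment stating why it is defined inline, e.g. `# defined inline, not via external: ecs — keep in sync with the ECS geo_point definition`, so the next editor does not convert it without checking.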
diff --git a/test/packages/apache/data_stream/access/manifest.yml b/test/packages/apache/data_stream/access/manifest.yml
index a339bc28d7..dc93238a33 100644
--- a/test/packages/apache/data_stream/access/manifest.yml
+++ b/test/packages/apache/data_stream/access/manifest.yml
@@ -1,5 +1,4 @@
title: Apache access logs
-release: experimental
type: logs
streams:
- input: logfile
@@ -14,6 +13,75 @@ streams:
- /var/log/apache2/access.log*
- /var/log/apache2/other_vhosts_access.log*
- /var/log/httpd/access_log*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - apache-access
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
template_path: log.yml.hbs
title: Apache access logs
description: Collect Apache access logs
+ - input: httpjson
+ title: Apache access logs via Splunk Enterprise REST API
+ description: Collect apache access logs via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: true
+ required: true
+ default: "search sourcetype=\"access*\""
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - apache-access
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
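Review bot: The `tags` var on the new httpjson stream is not marked `required: true`, unlike the same var on the logfile stream earlier in this hunk. The sibling error-stream template in this diff renders tags with `{{#each tags}}` and switches `publisher_pipeline.disable_host` on a `forwarded` tag, so if this stream's template does the same and a user clears the list, `tags:` presumably renders as null and the Splunk-forwarded events would silently be enriched with the agent's own host fields; add `required: true` to match the logfile stream. The Splunk connection vars that such a template needs (`url`, `username`/`password`, `token`, `ssl`) are not declared here, so they presumably live in the package-level manifest — worth confirming, since the stream cannot render without them.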
diff --git a/test/packages/apache/data_stream/access/sample_event.json b/test/packages/apache/data_stream/access/sample_event.json
index 04f2842882..faf5bb50af 100644
--- a/test/packages/apache/data_stream/access/sample_event.json
+++ b/test/packages/apache/data_stream/access/sample_event.json
@@ -1,85 +1,84 @@
{
- "@timestamp": "2021-03-11T00:50:31.000Z",
"agent": {
- "ephemeral_id": "c024babb-4b5e-4848-8ab7-808871a3b0e7",
- "hostname": "docker-fleet-agent",
- "id": "998f41ec-bd9a-4eb8-b03e-6b2106ad8a82",
- "name": "docker-fleet-agent",
+ "hostname": "4942ef7a8cfc",
+ "name": "4942ef7a8cfc",
+ "id": "73de002e-d848-49c7-829d-e903959d0d44",
"type": "filebeat",
- "version": "7.13.0"
+ "ephemeral_id": "e8970288-5c73-40e7-8626-8d297104f4eb",
+ "version": "7.11.0"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/access.log"
+ },
+ "offset": 0
+ },
+ "elastic_agent": {
+ "id": "6c69e2bc-7bb3-4bac-b7e9-41f22558321c",
+ "version": "7.11.0",
+ "snapshot": true
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "url": {
+ "original": "/"
+ },
+ "input": {
+ "type": "log"
},
"apache": {
"access": {}
},
- "data_stream": {
- "dataset": "apache.access",
- "namespace": "ep",
- "type": "logs"
- },
+ "@timestamp": "2020-12-03T16:25:36.000Z",
"ecs": {
"version": "1.5.0"
},
- "elastic_agent": {
- "id": "b34164e3-15e2-4184-9730-2dbe7c8e51d2",
- "snapshot": true,
- "version": "7.13.0"
- },
- "event": {
- "category": "web",
- "created": "2021-03-11T00:50:44.862Z",
- "dataset": "apache.access",
- "kind": "event",
- "outcome": "success"
+ "data_stream": {
+ "namespace": "ep",
+ "type": "logs",
+ "dataset": "apache.access"
},
"host": {
- "architecture": "x86_64",
+ "hostname": "4942ef7a8cfc",
+ "os": {
+ "kernel": "4.9.184-linuxkit",
+ "codename": "Core",
+ "name": "CentOS Linux",
+ "family": "redhat",
+ "version": "7 (Core)",
+ "platform": "centos"
+ },
"containerized": true,
- "hostname": "docker-fleet-agent",
- "id": "c343f2fc9433c580ea642a287d22d011",
"ip": [
- "172.20.0.6"
+ "192.168.0.4"
],
+ "name": "4942ef7a8cfc",
+ "id": "06c26569966fd125c15acac5d7feffb6",
"mac": [
- "02:42:ac:14:00:06"
+ "02:42:c0:a8:00:04"
],
- "name": "docker-fleet-agent",
- "os": {
- "codename": "Core",
- "family": "redhat",
- "kernel": "4.19.121-linuxkit",
- "name": "CentOS Linux",
- "platform": "centos",
- "type": "linux",
- "version": "7 (Core)"
- }
+ "architecture": "x86_64"
},
"http": {
"request": {
"method": "GET"
},
"response": {
+ "status_code": 200,
"body": {
"bytes": 45
- },
- "status_code": 200
+ }
},
"version": "1.1"
},
- "input": {
- "type": "log"
- },
- "log": {
- "file": {
- "path": "/tmp/service_logs/access.log"
- },
- "offset": 0
- },
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
- "url": {
- "original": "/"
+ "event": {
+ "kind": "event",
+ "created": "2020-12-03T16:25:53.907Z",
+ "category": "web",
+ "dataset": "apache.access",
+ "outcome": "success"
},
"user": {
"name": "-"
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-common-config.yml b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..91c9eaa210
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,6 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ event.timezone: "GMT+2"
+ tags:
+ - preserve_original_event
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log
new file mode 100644
index 0000000000..b8120aacfd
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log
@@ -0,0 +1,4 @@
+[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico
+[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'
+[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico
+[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json
new file mode 100644
index 0000000000..21df2d32d2
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-basic.log-expected.json
@@ -0,0 +1,173 @@
+{
+ "expected": [
+ {
+ "apache": {
+ "error": {}
+ },
+ "file": {
+ "path": "/var/www/favicon.ico"
+ },
+ "@timestamp": "2016-12-26T16:22:08.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:33.868254100Z",
+ "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "File does not exist: /var/www/favicon.ico",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "pid": 11379
+ },
+ "apache": {
+ "error": {
+ "module": "core"
+ }
+ },
+ "@timestamp": "2016-12-26T16:15:55.103+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "notice"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:33.868263600Z",
+ "original": "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'",
+ "category": "web",
+ "type": "info",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "pid": 35708,
+ "thread": {
+ "id": 4328636416
+ }
+ },
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "message": "File does not exist: /usr/local/apache2/htdocs/favicon.ico",
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "error": {
+ "module": "core"
+ }
+ },
+ "file": {
+ "path": "/usr/local/apache2/htdocs/favicon.ico"
+ },
+ "@timestamp": "2011-09-09T10:42:29.902+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:33.868270Z",
+ "original": "[Fri Sep 09 10:42:29.902022 2011] [core:error] [pid 35708:tid 4328636416] [client 89.160.20.156] File does not exist: /usr/local/apache2/htdocs/favicon.ico",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ }
+ },
+ {
+ "process": {
+ "pid": 15934
+ },
+ "apache": {
+ "error": {
+ "module": "include"
+ }
+ },
+ "@timestamp": "2019-06-27T06:58:09.169+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "warn"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 12345,
+ "ip": "89.160.20.156"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:33.868275800Z",
+ "original": "[Thu Jun 27 06:58:09.169510 2019] [include:warn] [pid 15934] [client 89.160.20.156:12345] AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "AH01374: mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed: /test.html",
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log
new file mode 100644
index 0000000000..428ba85a7f
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log
@@ -0,0 +1,2 @@
+[Mon Dec 26 16:15:55.103522 2016] [mpm_prefork:notice] [pid 11379] AH00163: Apache/2.4.23 (Unix) configured -- resuming normal operations
+[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json
new file mode 100644
index 0000000000..15400a6c97
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-darwin.log-expected.json
@@ -0,0 +1,62 @@
+{
+ "expected": [
+ {
+ "process": {
+ "pid": 11379
+ },
+ "apache": {
+ "error": {
+ "module": "mpm_prefork"
+ }
+ },
+ "@timestamp": "2016-12-26T16:15:55.103+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "notice"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.149405700Z",
+ "original": "[Mon Dec 26 16:15:55.103522 2016] [mpm_prefork:notice] [pid 11379] AH00163: Apache/2.4.23 (Unix) configured -- resuming normal operations",
+ "category": "web",
+ "type": "info",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "AH00163: Apache/2.4.23 (Unix) configured -- resuming normal operations",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "pid": 11379
+ },
+ "apache": {
+ "error": {
+ "module": "core"
+ }
+ },
+ "@timestamp": "2016-12-26T16:15:55.103+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "notice"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.149429600Z",
+ "original": "[Mon Dec 26 16:15:55.103786 2016] [core:notice] [pid 11379] AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'",
+ "category": "web",
+ "type": "info",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "AH00094: Command line: '/usr/local/Cellar/httpd24/2.4.23_2/bin/httpd'",
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log
new file mode 100644
index 0000000000..64a89473fb
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log
@@ -0,0 +1 @@
+[Wed Oct 20 19:20:59.121211 2021] [rewrite:trace3] [pid 121591:tid 140413273032448] mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json
new file mode 100644
index 0000000000..7b5f6e1b4b
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-trace.log-expected.json
@@ -0,0 +1,36 @@
+{
+ "expected": [
+ {
+ "process": {
+ "pid": 121591,
+ "thread": {
+ "id": 140413273032448
+ }
+ },
+ "apache": {
+ "error": {
+ "module": "rewrite"
+ }
+ },
+ "@timestamp": "2021-10-20T19:20:59.121+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "trace3"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.228018700Z",
+ "original": "[Wed Oct 20 19:20:59.121211 2021] [rewrite:trace3] [pid 121591:tid 140413273032448] mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'",
+ "category": "web",
+ "type": "info",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "mod_rewrite.c(470): [client 10.121.192.8:38350] 10.121.192.8 - - [dev.elastic.co/sid#55a374e851c8][rid#7fb438083ac0/initial] applying pattern '^/import/?(.*)$' to uri '/'",
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log
new file mode 100644
index 0000000000..e457f0bc78
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log
@@ -0,0 +1,7 @@
+[Mon Dec 26 16:17:53 2016] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations
+[Mon Dec 26 16:22:00 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico, referer: http://192.168.33.72/
+[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico
+[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico
+[Mon Dec 26 16:22:10 2016] [error] [client 192.168.33.1] File does not exist: /var/www/test
+[Mon Dec 26 16:22:13 2016] [error] [client 192.168.33.1] File does not exist: /var/www/hello
+[Mon Dec 26 16:22:17 2016] [error] [client 192.168.33.1] File does not exist: /var/www/crap
diff --git a/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json
new file mode 100644
index 0000000000..92c843f590
--- /dev/null
+++ b/test/packages/apache/data_stream/error/_dev/test/pipeline/test-error-ubuntu.log-expected.json
@@ -0,0 +1,219 @@
+{
+ "expected": [
+ {
+ "apache": {
+ "error": {}
+ },
+ "@timestamp": "2016-12-26T16:17:53.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "notice"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.283841100Z",
+ "original": "[Mon Dec 26 16:17:53 2016] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations",
+ "category": "web",
+ "type": "info",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "Apache/2.2.22 (Ubuntu) configured -- resuming normal operations",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "message": "File does not exist: /var/www/favicon.ico, referer: http://192.168.33.72/",
+ "tags": [
+ "preserve_original_event"
+ ],
+ "apache": {
+ "error": {}
+ },
+ "file": {
+ "path": "/var/www/favicon.ico"
+ },
+ "@timestamp": "2016-12-26T16:22:00.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "referrer": "http://192.168.33.72/"
+ }
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.283849400Z",
+ "original": "[Mon Dec 26 16:22:00 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico, referer: http://192.168.33.72/",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ }
+ },
+ {
+ "apache": {
+ "error": {}
+ },
+ "file": {
+ "path": "/var/www/favicon.ico"
+ },
+ "@timestamp": "2016-12-26T16:22:08.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.283853Z",
+ "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "File does not exist: /var/www/favicon.ico",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "error": {}
+ },
+ "file": {
+ "path": "/var/www/favicon.ico"
+ },
+ "@timestamp": "2016-12-26T16:22:08.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.283857200Z",
+ "original": "[Mon Dec 26 16:22:08 2016] [error] [client 192.168.33.1] File does not exist: /var/www/favicon.ico",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "File does not exist: /var/www/favicon.ico",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "error": {}
+ },
+ "file": {
+ "path": "/var/www/test"
+ },
+ "@timestamp": "2016-12-26T16:22:10.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.283862600Z",
+ "original": "[Mon Dec 26 16:22:10 2016] [error] [client 192.168.33.1] File does not exist: /var/www/test",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "File does not exist: /var/www/test",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "error": {}
+ },
+ "file": {
+ "path": "/var/www/hello"
+ },
+ "@timestamp": "2016-12-26T16:22:13.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.283867900Z",
+ "original": "[Mon Dec 26 16:22:13 2016] [error] [client 192.168.33.1] File does not exist: /var/www/hello",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "File does not exist: /var/www/hello",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "apache": {
+ "error": {}
+ },
+ "file": {
+ "path": "/var/www/crap"
+ },
+ "@timestamp": "2016-12-26T16:22:17.000+02:00",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "log": {
+ "level": "error"
+ },
+ "source": {
+ "address": "192.168.33.1",
+ "ip": "192.168.33.1"
+ },
+ "event": {
+ "ingested": "2021-12-09T13:30:34.283873300Z",
+ "original": "[Mon Dec 26 16:22:17 2016] [error] [client 192.168.33.1] File does not exist: /var/www/crap",
+ "category": "web",
+ "type": "error",
+ "timezone": "GMT+2",
+ "kind": "event"
+ },
+ "message": "File does not exist: /var/www/crap",
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/apache/data_stream/error/_dev/test/system/test-default-config.yml b/test/packages/apache/data_stream/error/_dev/test/system/test-default-config.yml
index 6304ef30f5..ec7356ee93 100644
--- a/test/packages/apache/data_stream/error/_dev/test/system/test-default-config.yml
+++ b/test/packages/apache/data_stream/error/_dev/test/system/test-default-config.yml
@@ -1,10 +1,5 @@
-skip:
- reason: testing skip
- link: https://github.com/elastic/integrations/issues/123456789
vars: ~
data_stream:
vars:
paths:
- # This path should cause the test to fail if the skip feature
- # stops working as expected.
- - "{{SERVICE_LOGS_DIR}}/non-existent.log*"
+ - "{{SERVICE_LOGS_DIR}}/error.log*"
diff --git a/test/packages/apache/data_stream/error/agent/stream/httpjson.yml.hbs b/test/packages/apache/data_stream/error/agent/stream/httpjson.yml.hbs
new file mode 100644
index 0000000000..d96b2f6048
--- /dev/null
+++ b/test/packages/apache/data_stream/error/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,64 @@
+config_version: 2
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: |-
+ {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+response.split:
+ target: body.result._raw
+ type: string
+ delimiter: "\n"
+tags:
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
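Review bot: The credentials are rendered as unquoted plain scalars — `auth.basic.user: {{username}}`, `auth.basic.password: {{password}}` and the `header.Authorization` `value: {{token}}` — so a password or token containing `#`, `: ` or a leading `*`, `&` or `[` is truncated or mis-parsed by the YAML loader, and one that looks like a number or boolean is retyped; quote them (e.g. `auth.basic.password: "{{password}}"`, subject to whatever escaping the template engine in this repo applies). The auth gating is also silently lossy: basic auth is emitted only when both username and password are set and no token is, and the token header only when neither username nor password is set, so a username with an empty password, or username plus token, renders a request with no credentials at all instead of failing at configuration time. Consider collapsing to a single `{{#if token}} … {{else}} … {{/if}}` so exactly one scheme is always rendered, and document the precedence in the var descriptions. `request.url` is built by plain concatenation, so a `url` with a trailing slash yields `//services/search/jobs/export`.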
diff --git a/test/packages/apache/data_stream/error/agent/stream/log.yml.hbs b/test/packages/apache/data_stream/error/agent/stream/log.yml.hbs
index 9a26f86f59..781c90981a 100644
--- a/test/packages/apache/data_stream/error/agent/stream/log.yml.hbs
+++ b/test/packages/apache/data_stream/error/agent/stream/log.yml.hbs
@@ -3,9 +3,18 @@ paths:
- {{path}}
{{/each}}
exclude_files: [".gz$"]
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
processors:
- - add_locale: ~
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
+- add_locale: ~
+{{#if processors}}
+{{processors}}
+{{/if}}
\ No newline at end of file
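Review bot: The tag order differs from the sibling httpjson template in this diff, which appends `preserve_original_event` after the user tags while this one prepends it; harmless for the `contains` helper, but worth aligning so rendered policies diff cleanly. Dropping the `add_fields` processor that pinned `ecs.version: 1.5.0` means the version is now set solely by the ingest pipeline (`ecs.version` is set to `'1.12.0'` in the error pipeline later in this diff), which is the right place for it; a one-line template comment such as `{{!-- ecs.version is set by the ingest pipeline, not here --}}` would save the next reader from looking for it. User-supplied `{{processors}}` is spliced at column 0 directly after `- add_locale: ~`, so it must itself be a top-level YAML list; a comment saying so would help whoever edits the var description.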
diff --git a/test/packages/apache/data_stream/error/elasticsearch/ingest_pipeline/default.yml b/test/packages/apache/data_stream/error/elasticsearch/ingest_pipeline/default.yml
index a39c890f69..6c4bba6c79 100644
--- a/test/packages/apache/data_stream/error/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/apache/data_stream/error/elasticsearch/ingest_pipeline/default.yml
@@ -1,86 +1,140 @@
---
description: Pipeline for parsing apache error logs
processors:
-- grok:
- field: message
- patterns:
- - \[%{APACHE_TIME:apache.error.timestamp}\] \[%{LOGLEVEL:log.level}\]( \[client
- %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}
- - \[%{APACHE_TIME:apache.error.timestamp}\] \[%{DATA:apache.error.module}:%{LOGLEVEL:log.level}\]
- \[pid %{NUMBER:process.pid:long}(:tid %{NUMBER:process.thread.id:long})?\](
- \[client %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}
- pattern_definitions:
- APACHE_TIME: '%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}'
- ignore_missing: true
-- date:
- if: ctx.event.timezone == null
- field: apache.error.timestamp
- target_field: '@timestamp'
- formats:
- - EEE MMM dd H:m:s yyyy
- - EEE MMM dd H:m:s.SSSSSS yyyy
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- date:
- if: ctx.event.timezone != null
- field: apache.error.timestamp
- target_field: '@timestamp'
- formats:
- - EEE MMM dd H:m:s yyyy
- - EEE MMM dd H:m:s.SSSSSS yyyy
- timezone: '{{ event.timezone }}'
- on_failure:
- - append:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
-- remove:
- field: apache.error.timestamp
- ignore_failure: true
-- set:
- field: event.kind
- value: event
-- set:
- field: event.category
- value: web
-- script:
- if: "ctx?.log?.level != null"
- lang: painless
- source: >-
- def err_levels = ["emerg", "alert", "crit", "error", "warn"];
- if (err_levels.contains(ctx.log.level)) {
- ctx.event.type = "error";
- } else {
- ctx.event.type = "info";
- }
+ - pipeline:
+ if: ctx.message.startsWith('{')
+ name: '{{ IngestPipeline "third-party" }}'
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
+ - rename:
+ field: message
+ target_field: event.original
+ - grok:
+ field: event.original
+ patterns:
+ - \[%{APACHE_TIME:apache.error.timestamp}\] \[%{LOGLEVEL:log.level}\]( \[client
+ %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}
+ - \[%{APACHE_TIME:apache.error.timestamp}\] \[%{DATA:apache.error.module}:%{APACHE_LOGLEVEL:log.level}\]
+ \[pid %{NUMBER:process.pid:long}(:tid %{NUMBER:process.thread.id:long})?\](
+ \[client %{IPORHOST:source.address}(:%{POSINT:source.port})?\])? %{GREEDYDATA:message}
+ pattern_definitions:
+ # Apache log level can have numeric sub-levels such as trace1.
+ APACHE_LOGLEVEL: '%{LOGLEVEL}[0-9]*'
+ APACHE_TIME: '%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}'
+ ignore_missing: true
+ - grok:
+ field: message
+ patterns:
+ - 'File does not exist: %{URIPATH:file.path}, referer: %{URI:http.request.referrer}'
+ - 'File does not exist: %{URIPATH:file.path}'
+ ignore_missing: true
+ ignore_failure: true
+ - date:
+ if: ctx.event.timezone == null
+ field: apache.error.timestamp
+ target_field: '@timestamp'
+ formats:
+ - EEE MMM dd H:m:s yyyy
+ - EEE MMM dd H:m:s.SSSSSS yyyy
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - date:
+ if: ctx.event.timezone != null
+ field: apache.error.timestamp
+ target_field: '@timestamp'
+ formats:
+ - EEE MMM dd H:m:s yyyy
+ - EEE MMM dd H:m:s.SSSSSS yyyy
+ timezone: '{{ event.timezone }}'
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
+ - remove:
+ field: apache.error.timestamp
+ ignore_failure: true
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.category
+ value: web
+ - script:
+ if: "ctx?.log?.level != null"
+ lang: painless
+ source: >-
+ def err_levels = ["emerg", "alert", "crit", "error", "warn"];
+ if (err_levels.contains(ctx.log.level)) {
+ ctx.event.type = "error";
+ } else {
+ ctx.event.type = "info";
+ }
-- grok:
- field: source.address
- ignore_missing: true
- patterns:
- - ^(%{IP:source.ip}|%{HOSTNAME:source.domain})$
-- geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
-- geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
-- rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
-- rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
+ - grok:
+ field: source.address
+ ignore_missing: true
+ patterns:
+ - ^(%{IP:source.ip}|%{HOSTNAME:source.domain})$
+ - geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - convert:
+ field: source.port
+ type: long
+ ignore_missing: true
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
-- set:
- field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ - set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
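Review bot: The new `pipeline` processor's condition `ctx.message.startsWith('{')` dereferences `message` without a null guard, so a document that arrives without `message` (or with a non-string value) throws from the condition itself and the trailing `on_failure` turns it into an error-only event instead of the routing step simply being skipped. Guard it: `if: ctx.message != null && ctx.message.startsWith('{')`. The `rename` of `message` to `event.original` that follows has the same exposure and would want `ignore_missing: true` so a message-less event fails later in grok with a meaningful error rather than at the rename.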
diff --git a/test/packages/apache/data_stream/error/elasticsearch/ingest_pipeline/third-party.yml b/test/packages/apache/data_stream/error/elasticsearch/ingest_pipeline/third-party.yml
new file mode 100644
index 0000000000..42a2ca83ff
--- /dev/null
+++ b/test/packages/apache/data_stream/error/elasticsearch/ingest_pipeline/third-party.yml
@@ -0,0 +1,42 @@
+---
+description: Pipeline for parsing Apache HTTP Server logs from third party api
+processors:
+ - json:
+ field: message
+ target_field: json
+ - drop:
+ if: ctx.json?.result == null
+ - fingerprint:
+ fields:
+ - json.result._cd
+ - json.result._indextime
+ - json.result._raw
+ - json.result._time
+ - json.result.host
+ - json.result.source
+ target_field: '_id'
+ ignore_missing: true
+ - set:
+ copy_from: json.result._raw
+ field: message
+ ignore_empty_value: true
+ - set:
+ copy_from: json.result.host
+ field: host.name
+ ignore_empty_value: true
+ - set:
+ copy_from: json.result.source
+ field: file.path
+ ignore_empty_value: true
+ - remove:
+ field:
+ - json
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in third-party pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
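Review bot: The Splunk `source` value is copied into `file.path`, but the parent error pipeline in this diff also writes `file.path` from its `File does not exist: %{URIPATH:file.path}` grok, so for those events the Splunk path is silently overwritten and the same field carries two different meanings. The Splunk source is presumably the path of the log file the event was read from, which is what `log.file.path` (already declared in this data stream's ecs.yml) represents; change the target to `field: log.file.path`. The `_id` fingerprint also deserves a one-line comment above the processor, since it means two results with identical `_cd`, `_indextime`, `_raw`, `_time`, `host` and `source` collapse into one document: `# Deterministic _id so re-polling an overlapping search window does not duplicate events`.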
diff --git a/test/packages/apache/data_stream/error/fields/agent.yml b/test/packages/apache/data_stream/error/fields/agent.yml
new file mode 100644
index 0000000000..e313ec8287
--- /dev/null
+++ b/test/packages/apache/data_stream/error/fields/agent.yml
@@ -0,0 +1,204 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/test/packages/apache/data_stream/error/fields/base-fields.yml b/test/packages/apache/data_stream/error/fields/base-fields.yml
index 7c798f4534..e134277b8e 100644
--- a/test/packages/apache/data_stream/error/fields/base-fields.yml
+++ b/test/packages/apache/data_stream/error/fields/base-fields.yml
@@ -10,3 +10,16 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: tags
+ description: List of keywords used to tag each event.
+ example: '["production", "env2"]'
+ ignore_above: 1024
+ type: keyword
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: apache
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: apache.error
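Review bot: `tags` is now declared twice for this data stream: inline here with `ignore_above: 1024` and again as `external: ecs` in the ecs.yml change of this same commit, so whichever definition the package builder takes last wins silently (or validation rejects the duplicate). Keep one of them; since the rest of the ECS fields were moved to external references, drop the inline block and leave `- external: ecs` / `name: tags` in ecs.yml.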
diff --git a/test/packages/apache/data_stream/error/fields/ecs.yml b/test/packages/apache/data_stream/error/fields/ecs.yml
index d78c564de5..0a88a11039 100644
--- a/test/packages/apache/data_stream/error/fields/ecs.yml
+++ b/test/packages/apache/data_stream/error/fields/ecs.yml
@@ -1,185 +1,82 @@
-- name: message
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.timezone
+- external: ecs
+ name: event.type
+- external: ecs
+ name: file.path
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: http.request.referrer
+- external: ecs
+ name: http.response.body.bytes
+- external: ecs
+ name: http.response.status_code
+- external: ecs
+ name: http.version
+- external: ecs
+ name: log.file.path
+- external: ecs
+ name: log.level
+- external: ecs
+ name: message
+- external: ecs
+ name: process.pid
+- external: ecs
+ name: process.thread.id
+- external: ecs
+ name: source.address
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- description: Longitude and latitude.
level: core
- type: text
- description: |-
- For log events the message field contains the log message, optimized for viewing in a log viewer.
- For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
- If multiple messages exist, they can be combined into one message.
-- name: http
- title: HTTP
- group: 2
- type: group
- fields:
- - name: request.method
- level: extended
- type: keyword
- description: |-
- HTTP request method.
- Prior to ECS 1.6.0 the following guidance was provided:
- "The field value must be normalized to lowercase for querying."
- As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0
- ignore_above: 1024
- - name: request.referrer
- level: extended
- type: keyword
- description: Referrer for this HTTP request.
- ignore_above: 1024
- - name: response.body.bytes
- level: extended
- type: long
- format: bytes
- description: Size in bytes of the response body.
- - name: response.status_code
- level: extended
- type: long
- format: string
- description: HTTP response status code.
- - name: version
- level: extended
- type: keyword
- description: HTTP version.
- ignore_above: 1024
-- name: log
- title: Log
- group: 2
- type: group
- fields:
- - name: level
- level: core
- type: keyword
- description: |-
- Original log level of the log event.
- If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity).
- Some examples are `warn`, `err`, `i`, `informational`.
- ignore_above: 1024
-- name: process
- title: Process
- group: 2
- type: group
- fields:
- - name: pid
- level: core
- type: long
- format: string
- description: Process id.
- - name: thread.id
- level: extended
- type: long
- format: string
- description: Thread ID.
-- name: source
- title: Source
- group: 2
- type: group
- fields:
- - name: address
- level: extended
- type: keyword
- description: |-
- Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
- Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
- ignore_above: 1024
- - name: geo.city_name
- level: core
- type: keyword
- description: City name.
- ignore_above: 1024
- - name: geo.continent_name
- level: core
- type: keyword
- description: Name of the continent.
- ignore_above: 1024
- - name: geo.country_iso_code
- level: core
- type: keyword
- description: Country ISO code.
- ignore_above: 1024
- - name: geo.location
- level: core
- type: geo_point
- description: Longitude and latitude.
- - name: geo.region_iso_code
- level: core
- type: keyword
- description: Region ISO code.
- ignore_above: 1024
- - name: geo.region_name
- level: core
- type: keyword
- description: Region name.
- ignore_above: 1024
-- name: url
- title: URL
- group: 2
- type: group
- fields:
- - name: original
- level: extended
- type: keyword
- description: |-
- Unmodified original url as seen in the event source.
- Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
- This field is meant to represent the URL as it was observed, complete or not.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user
- title: User
- group: 2
- type: group
- fields:
- - name: name
- level: core
- type: keyword
- description: Short name or login of the user.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: user_agent
- title: User agent
- group: 2
- type: group
- fields:
- - name: device.name
- level: extended
- type: keyword
- description: Name of the device.
- ignore_above: 1024
- - name: name
- level: extended
- type: keyword
- description: Name of the user agent.
- ignore_above: 1024
- - name: original
- level: extended
- type: keyword
- description: Unparsed user_agent string.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- - name: os.name
- level: extended
- type: keyword
- description: Operating system name, without the version.
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
-- name: ecs.version
- type: keyword
-- name: log.file.path
- type: keyword
-- name: log.offset
- type: long
-- name: input.type
- type: keyword
+ name: source.geo.location
+ type: geo_point
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: source.port
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.extension
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.query
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.name
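Review bot: Fields the error pipeline in this diff writes are missing from this mapping while fields it never populates are declared: the grok on `source.address` emits `source.domain`, and the pipeline sets `event.original` and `event.ingested`, none of which appear here, so they would be dynamically mapped on first sight. Add `- external: ecs` entries for `source.domain`, `event.original` and `event.ingested`. Conversely `http.request.method`, `http.response.*`, `http.version`, `url.*`, `user.name` and `user_agent.*` are not set by any processor in the error pipeline and look carried over from the access data stream; confirm they are needed before keeping them. `source.geo.location` is also the one entry still declared inline rather than as `external: ecs`, which looks unintentional.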
diff --git a/test/packages/apache/data_stream/error/manifest.yml b/test/packages/apache/data_stream/error/manifest.yml
index a50c1e4b60..e0ccdffd68 100644
--- a/test/packages/apache/data_stream/error/manifest.yml
+++ b/test/packages/apache/data_stream/error/manifest.yml
@@ -1,5 +1,4 @@
title: Apache error logs
-release: experimental
type: logs
streams:
- input: logfile
@@ -13,6 +12,75 @@ streams:
default:
- /var/log/apache2/error.log*
- /var/log/httpd/error_log*
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - apache-error
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
template_path: log.yml.hbs
title: Apache error logs
description: Collect Apache error logs
+ - input: httpjson
+ title: Apache error logs via Splunk Enterprise REST API
+ description: Collect apache error logs via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: true
+ required: true
+ default: search sourcetype=apache:error OR sourcetype=apache_error
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - apache-error
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
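Review bot: The `tags` var on the new httpjson stream has no `required: true`, unlike the logfile stream's `tags` earlier in this hunk, so a user can clear the list and lose the `forwarded` tag that the stream template uses to set `publisher_pipeline.disable_host`; add `required: true` to match. The `interval` description only says "Go Duration syntax (eg. 10s)", yet the httpjson template in this diff prepends `-` to it when computing `index_earliest`, so a signed value would render as `--10s`; tighten the description to `Positive Go duration (e.g. 10s)` so the constraint is visible to the operator.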
diff --git a/test/packages/apache/data_stream/error/sample_event.json b/test/packages/apache/data_stream/error/sample_event.json
new file mode 100644
index 0000000000..6ddd60ff90
--- /dev/null
+++ b/test/packages/apache/data_stream/error/sample_event.json
@@ -0,0 +1,74 @@
+{
+ "agent": {
+ "hostname": "4942ef7a8cfc",
+ "name": "4942ef7a8cfc",
+ "id": "73de002e-d848-49c7-829d-e903959d0d44",
+ "ephemeral_id": "e8970288-5c73-40e7-8626-8d297104f4eb",
+ "type": "filebeat",
+ "version": "7.11.0"
+ },
+ "process": {
+ "pid": 1,
+ "thread": {
+ "id": 140503592395904
+ }
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/error.log"
+ },
+ "offset": 0,
+ "level": "notice"
+ },
+ "elastic_agent": {
+ "id": "6c69e2bc-7bb3-4bac-b7e9-41f22558321c",
+ "version": "7.11.0",
+ "snapshot": true
+ },
+ "message": "AH00489: Apache/2.4.46 (Unix) configured -- resuming normal operations",
+ "input": {
+ "type": "log"
+ },
+ "@timestamp": "2020-12-03T16:28:16.376Z",
+ "apache": {
+ "error": {
+ "module": "mpm_event"
+ }
+ },
+ "ecs": {
+ "version": "1.5.0"
+ },
+ "data_stream": {
+ "namespace": "ep",
+ "type": "logs",
+ "dataset": "apache.error"
+ },
+ "host": {
+ "hostname": "4942ef7a8cfc",
+ "os": {
+ "kernel": "4.9.184-linuxkit",
+ "codename": "Core",
+ "name": "CentOS Linux",
+ "family": "redhat",
+ "version": "7 (Core)",
+ "platform": "centos"
+ },
+ "containerized": true,
+ "ip": [
+ "192.168.0.4"
+ ],
+ "name": "4942ef7a8cfc",
+ "id": "06c26569966fd125c15acac5d7feffb6",
+ "mac": [
+ "02:42:c0:a8:00:04"
+ ],
+ "architecture": "x86_64"
+ },
+ "event": {
+ "timezone": "+00:00",
+ "kind": "event",
+ "category": "web",
+ "type": "info",
+ "dataset": "apache.error"
+ }
+}
\ No newline at end of file
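Review bot: The committed sample event is already out of step with the pipeline in this same commit: it reports `ecs.version` `1.5.0` while the ingest pipeline now sets `1.12.0`, and it lacks the `event.ingested` field the pipeline adds before parsing. Regenerate the sample from the current pipeline (the system test is the natural producer) instead of committing this snapshot, otherwise the docs built from `{{event "error"}}` will describe a document shape that is no longer emitted.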
diff --git a/test/packages/apache/data_stream/status/_dev/test/system/test-default-config.yml b/test/packages/apache/data_stream/status/_dev/test/system/test-default-config.yml
index 7493f64a81..83fc84f62e 100644
--- a/test/packages/apache/data_stream/status/_dev/test/system/test-default-config.yml
+++ b/test/packages/apache/data_stream/status/_dev/test/system/test-default-config.yml
@@ -1,6 +1,3 @@
-skip:
- reason: test is failing and needs further investigation but is blocking other PRs.
- link: https://github.com/elastic/elastic-package/issues/374
vars:
hosts:
- http://{{Hostname}}:{{Port}}
diff --git a/test/packages/apache/data_stream/status/fields/agent.yml b/test/packages/apache/data_stream/status/fields/agent.yml
new file mode 100644
index 0000000000..da4e652c53
--- /dev/null
+++ b/test/packages/apache/data_stream/status/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/test/packages/apache/data_stream/status/fields/base-fields.yml b/test/packages/apache/data_stream/status/fields/base-fields.yml
index 7c798f4534..2cf8da79f7 100644
--- a/test/packages/apache/data_stream/status/fields/base-fields.yml
+++ b/test/packages/apache/data_stream/status/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: apache
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: apache.status
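Review bot: The two new descriptions `Event module` and `Event dataset` drop the trailing period that the neighbouring `Event timestamp.` entry uses, and the generated README tables reproduce the inconsistency verbatim. Writing them as `description: Event module.` and `description: Event dataset.` keeps the field docs uniform within this file.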
diff --git a/test/packages/apache/data_stream/status/fields/ecs.yml b/test/packages/apache/data_stream/status/fields/ecs.yml
index 7e361991e6..28044872f5 100644
--- a/test/packages/apache/data_stream/status/fields/ecs.yml
+++ b/test/packages/apache/data_stream/status/fields/ecs.yml
@@ -1,6 +1,8 @@
-- name: ecs.version
- type: keyword
-- name: service.type
- type: keyword
-- name: service.address
- type: keyword
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: service.address
+- external: ecs
+ name: service.type
+- external: ecs
+ name: error.message
diff --git a/test/packages/apache/data_stream/status/fields/fields.yml b/test/packages/apache/data_stream/status/fields/fields.yml
index 2c80752a45..5ed7663e2e 100644
--- a/test/packages/apache/data_stream/status/fields/fields.yml
+++ b/test/packages/apache/data_stream/status/fields/fields.yml
@@ -5,30 +5,38 @@
type: long
description: |
Total number of access requests.
+ metric_type: counter
- name: total_bytes
type: long
description: |
Total number of bytes served.
+ metric_type: counter
+ unit: byte
- name: requests_per_sec
type: scaled_float
description: |
Requests per second.
+ metric_type: gauge
- name: bytes_per_sec
type: scaled_float
description: |
Bytes per second.
+ metric_type: gauge
- name: bytes_per_request
type: scaled_float
description: |
Bytes per request.
+ metric_type: gauge
- name: workers.busy
type: long
description: |
Number of busy workers.
+ metric_type: gauge
- name: workers.idle
type: long
description: |
Number of idle workers.
+ metric_type: gauge
- name: uptime
type: group
fields:
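Review bot: `unit: byte` is added for `total_bytes` but the sibling byte-valued metrics `bytes_per_sec` and `bytes_per_request` in this hunk receive only a `metric_type`, and the same applies to `uptime.server_uptime`, whose description says "in seconds", in the next hunk. If the unit annotations are meant to drive dashboard formatting, adding `unit: byte` to the two byte-rate fields and `unit: s` to `server_uptime` would make the set consistent; the `uptime.uptime` field has no stated unit, so I would not guess one for it. The `total_accesses` definition this hunk starts in begins above the hunk.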
@@ -36,10 +44,12 @@
type: long
description: |
Server uptime in seconds.
+ metric_type: counter
- name: uptime
type: long
description: |
Server uptime.
+ metric_type: counter
- name: cpu
type: group
fields:
@@ -47,22 +57,27 @@
type: scaled_float
description: |
CPU Load.
+ metric_type: gauge
- name: user
type: scaled_float
description: |
CPU user load.
+ metric_type: gauge
- name: system
type: scaled_float
description: |
System cpu.
+ metric_type: gauge
- name: children_user
type: scaled_float
description: |
CPU of children user.
+ metric_type: gauge
- name: children_system
type: scaled_float
description: |
CPU of children system.
+ metric_type: gauge
- name: connections
type: group
fields:
@@ -70,18 +85,22 @@
type: long
description: |
Total connections.
+ metric_type: counter
- name: async.writing
type: long
description: |
Async connection writing.
+ metric_type: gauge
- name: async.keep_alive
type: long
description: |
Async keeped alive connections.
+ metric_type: gauge
- name: async.closing
type: long
description: |
Async closed connections.
+ metric_type: gauge
- name: load
type: group
fields:
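Review bot: `connections.total` is tagged `metric_type: counter`, yet the new sample event in this same commit reports `"total": 0` alongside `total_accesses: 11` and an uptime of 12 seconds, which reads as a current connection count rather than a cumulative one. If that reading is right it should be `metric_type: gauge`, matching the `async.*` siblings tagged in the same hunk; a counter annotation on a value that can go down will mislead any rate-based visualisation built on it. The `connections.total` definition this hunk starts in begins above the hunk.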
@@ -89,14 +108,17 @@
type: scaled_float
description: |
Load average for the last minute.
+ metric_type: gauge
- name: "5"
type: scaled_float
description: |
Load average for the last 5 minutes.
+ metric_type: gauge
- name: "15"
type: scaled_float
description: |
Load average for the last 15 minutes.
+ metric_type: gauge
- name: scoreboard
type: group
fields:
@@ -104,47 +126,59 @@
type: long
description: |
Starting up.
+ metric_type: gauge
- name: reading_request
type: long
description: |
Reading requests.
+ metric_type: gauge
- name: sending_reply
type: long
description: |
Sending Reply.
+ metric_type: gauge
- name: keepalive
type: long
description: |
Keep alive.
+ metric_type: gauge
- name: dns_lookup
type: long
description: |
Dns Lookups.
+ metric_type: gauge
- name: closing_connection
type: long
description: |
Closing connections.
+ metric_type: gauge
- name: logging
type: long
description: |
Logging
+ metric_type: gauge
- name: gracefully_finishing
type: long
description: |
Gracefully finishing.
+ metric_type: gauge
- name: idle_cleanup
type: long
description: |
Idle cleanups.
+ metric_type: gauge
- name: open_slot
type: long
description: |
Open slots.
+ metric_type: gauge
- name: waiting_for_connection
type: long
description: |
Waiting for connections.
+ metric_type: gauge
- name: total
type: long
description: |
Total.
+ metric_type: gauge
diff --git a/test/packages/apache/data_stream/status/manifest.yml b/test/packages/apache/data_stream/status/manifest.yml
index 52de60ae95..f4b63ba327 100644
--- a/test/packages/apache/data_stream/status/manifest.yml
+++ b/test/packages/apache/data_stream/status/manifest.yml
@@ -1,5 +1,4 @@
title: Apache status metrics
-release: experimental
type: metrics
streams:
- input: apache/metrics
@@ -10,7 +9,7 @@ streams:
multi: false
required: true
show_user: true
- default: 10s
+ default: 30s
- name: server_status_path
type: text
title: Server Status Path
diff --git a/test/packages/apache/data_stream/status/sample_event.json b/test/packages/apache/data_stream/status/sample_event.json
index 2088a8eb44..2d23267290 100644
--- a/test/packages/apache/data_stream/status/sample_event.json
+++ b/test/packages/apache/data_stream/status/sample_event.json
@@ -1,77 +1,101 @@
{
- "@timestamp": "2020-06-24T10:19:48.005Z",
+ "@timestamp": "2020-12-03T16:31:04.445Z",
+ "data_stream": {
+ "type": "metrics",
+ "dataset": "apache.status",
+ "namespace": "ep"
+ },
+ "elastic_agent": {
+ "version": "7.11.0",
+ "id": "6c69e2bc-7bb3-4bac-b7e9-41f22558321c",
+ "snapshot": true
+ },
+ "host": {
+ "os": {
+ "platform": "centos",
+ "version": "7 (Core)",
+ "family": "redhat",
+ "name": "CentOS Linux",
+ "kernel": "4.9.184-linuxkit",
+ "codename": "Core"
+ },
+ "id": "06c26569966fd125c15acac5d7feffb6",
+ "name": "4942ef7a8cfc",
+ "containerized": true,
+ "ip": [
+ "192.168.0.4"
+ ],
+ "mac": [
+ "02:42:c0:a8:00:04"
+ ],
+ "hostname": "4942ef7a8cfc",
+ "architecture": "x86_64"
+ },
+ "agent": {
+ "hostname": "4942ef7a8cfc",
+ "ephemeral_id": "8371d3a3-5321-4436-9fd5-cafcabfe4c57",
+ "id": "af6f66ef-d7d0-4784-b9bb-3fddbcc151b5",
+ "name": "4942ef7a8cfc",
+ "type": "metricbeat",
+ "version": "7.11.0"
+ },
"metricset": {
"name": "status",
- "period": 10000
+ "period": 30000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_1:80/server-status?auto=",
+ "type": "apache"
},
"apache": {
"status": {
+ "load": {
+ "5": 1.89,
+ "15": 1.07,
+ "1": 1.53
+ },
+ "total_accesses": 11,
"connections": {
"total": 0,
"async": {
+ "closing": 0,
"writing": 0,
- "keep_alive": 0,
- "closing": 0
+ "keep_alive": 0
}
},
- "total_bytes": 128,
- "cpu": {
- "children_user": 0,
- "children_system": 0,
- "load": 0.185185,
- "user": 1.11,
- "system": 1.79
- },
+ "requests_per_sec": 0.916667,
"scoreboard": {
- "logging": 0,
- "idle_cleanup": 0,
"starting_up": 0,
- "reading_request": 0,
+ "keepalive": 0,
+ "sending_reply": 1,
+ "logging": 0,
+ "gracefully_finishing": 0,
"dns_lookup": 0,
"closing_connection": 0,
- "gracefully_finishing": 0,
- "sending_reply": 1,
- "keepalive": 0,
- "total": 400,
"open_slot": 325,
- "waiting_for_connection": 74
+ "total": 400,
+ "idle_cleanup": 0,
+ "waiting_for_connection": 74,
+ "reading_request": 0
},
+ "bytes_per_sec": 0,
+ "bytes_per_request": 0,
+ "uptime": {
+ "server_uptime": 12,
+ "uptime": 12
+ },
+ "total_bytes": 0,
"workers": {
"busy": 1,
"idle": 74
},
- "bytes_per_sec": 83.6986,
- "uptime": {
- "server_uptime": 1566,
- "uptime": 1566
- },
- "total_accesses": 1393,
- "bytes_per_request": 94.0933,
- "requests_per_sec": 0.889527,
- "load": {
- "1": 3.58,
- "5": 3.54,
- "15": 2.79
+ "cpu": {
+ "load": 0.583333,
+ "user": 0.03,
+ "system": 0.04,
+ "children_user": 0,
+ "children_system": 0
}
}
- },
- "service": {
- "address": "127.0.0.1:8088",
- "type": "apache"
- },
- "event": {
- "duration": 2381832,
- "dataset": "apache.status",
- "module": "apache"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "agent": {
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "685f03e4-76e7-4d05-b398-8454b8964681",
- "id": "a74466da-3ea4-44f9-aea0-11c5e4b920be",
- "name": "MacBook-Elastic.local"
}
}
\ No newline at end of file
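Review bot: The regenerated sample event drops the `ecs` and `event` objects that the old one carried, while the data stream's field files in this commit still declare `ecs.version` (via `external: ecs`) and the constant_keyword fields `event.module` / `event.dataset`, and the README text states `ecs.version` "must exist in all events". If the sample was captured before the pipeline or agent added those fields, regenerating it so it contains `"ecs": { "version": "<ECS_VERSION>" }` and `"event": { "module": "apache", "dataset": "apache.status" }` would keep the example representative of what is actually indexed; if they are genuinely absent from real events, the field declarations and README claim are the ones to fix. The file also still ends without a trailing newline, which the README change in this commit fixes for its own file.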
diff --git a/test/packages/apache/docs/README.md b/test/packages/apache/docs/README.md
index 34706dc901..d00e556d05 100644
--- a/test/packages/apache/docs/README.md
+++ b/test/packages/apache/docs/README.md
@@ -5,8 +5,8 @@ logs created by the Apache server.
## Compatibility
-The Apache datasets were tested with Apache 2.4.12 and 2.4.20 and are expected to work with
-all versions >= 2.2.31 and >= 2.4.16.
+The Apache datasets were tested with Apache 2.4.12 and 2.4.46 and are expected to work with
+all versions >= 2.2.31 and >= 2.4.16 (independent from operating system).
## Logs
@@ -16,43 +16,94 @@ Access logs collects the Apache access logs.
**Exported fields**
-| Field | Description | Type | Unit | Metric Type |
-|---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
-| apache.access.ssl.cipher | SSL cipher name. | keyword | | |
-| apache.access.ssl.protocol | SSL protocol version. | keyword | | |
-| data_stream.dataset | Data stream dataset. | constant_keyword | | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | | |
-| data_stream.type | Data stream type. | constant_keyword | | |
-| ecs.version | | keyword | | |
-| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | | |
-| http.request.referrer | Referrer for this HTTP request. | keyword | | |
-| http.response.body.bytes | Size in bytes of the response body. | long | byte | gauge |
-| http.response.status_code | HTTP response status code. | long | | |
-| http.version | HTTP version. | keyword | | |
-| input.type | | keyword | | |
-| log.file.path | | keyword | | |
-| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | |
-| log.offset | | long | | |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text | | |
-| process.pid | Process id. | long | | |
-| process.thread.id | Thread ID. | long | | |
-| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | |
-| source.geo.city_name | City name. | keyword | | |
-| source.geo.continent_name | Name of the continent. | keyword | | |
-| source.geo.country_iso_code | Country ISO code. | keyword | | |
-| source.geo.location | Longitude and latitude. | geo_point | | |
-| source.geo.region_iso_code | Region ISO code. | keyword | | |
-| source.geo.region_name | Region name. | keyword | | |
-| source.ip | | ip | | |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword | | |
-| user.name | Short name or login of the user. | keyword | | |
-| user_agent.device.name | Name of the device. | keyword | | |
-| user_agent.name | Name of the user agent. | keyword | | |
-| user_agent.original | Unparsed user_agent string. | keyword | | |
-| user_agent.os.name | Operating system name, without the version. | keyword | | |
-| user_agent.os.version | Operating system version as a raw string. | keyword | | |
-| user_agent.version | Version of the user agent. | keyword | | |
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| apache.access.ssl.cipher | SSL cipher name. | keyword |
+| apache.access.ssl.protocol | SSL protocol version. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| destination.domain | Destination domain. | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
+| http.request.referrer | Referrer for this HTTP request. | keyword |
+| http.response.body.bytes | Size in bytes of the response body. | long |
+| http.response.status_code | HTTP response status code. | long |
+| http.version | HTTP version. | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
+| log.offset | Log offset | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
+| process.pid | Process id. | long |
+| process.thread.id | Thread ID. | long |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.domain | Source domain. | keyword |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| tls.cipher | String indicating the cipher used during the current connection. | keyword |
+| tls.version | Numeric part of the version parsed from the original string. | keyword |
+| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
+| user.name | Short name or login of the user. | keyword |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
### Error Logs
@@ -65,30 +116,77 @@ Error logs collects the Apache error logs.
|---|---|---|
| @timestamp | Event timestamp. | date |
| apache.error.module | The module producing the logged message. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | | keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
+| event.dataset | Event dataset | constant_keyword |
+| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
+| event.module | Event module | constant_keyword |
+| event.timezone | This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). | keyword |
+| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
+| file.path | Full path to the file, including the file name. It should include the drive letter, when appropriate. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword |
| http.request.referrer | Referrer for this HTTP request. | keyword |
| http.response.body.bytes | Size in bytes of the response body. | long |
| http.response.status_code | HTTP response status code. | long |
| http.version | HTTP version. | keyword |
-| input.type | | keyword |
-| log.file.path | | keyword |
+| input.type | Input type | keyword |
+| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
-| log.offset | | long |
-| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | text |
+| log.offset | Log offset | long |
+| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
| process.pid | Process id. | long |
| process.thread.id | Thread ID. | long |
| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
| source.geo.city_name | City name. | keyword |
| source.geo.continent_name | Name of the continent. | keyword |
| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
| source.geo.location | Longitude and latitude. | geo_point |
| source.geo.region_iso_code | Region ISO code. | keyword |
| source.geo.region_name | Region name. | keyword |
-| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| source.port | Port of the source. | long |
+| tags | List of keywords used to tag each event. | keyword |
+| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword |
+| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.path | Path of the request, such as "/search". | wildcard |
+| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword |
| user.name | Short name or login of the user. | keyword |
| user_agent.device.name | Name of the device. | keyword |
| user_agent.name | Name of the user agent. | keyword |
@@ -107,125 +205,182 @@ An example event for `status` looks as following:
```json
{
- "@timestamp": "2020-06-24T10:19:48.005Z",
+ "@timestamp": "2020-12-03T16:31:04.445Z",
+ "data_stream": {
+ "type": "metrics",
+ "dataset": "apache.status",
+ "namespace": "ep"
+ },
+ "elastic_agent": {
+ "version": "7.11.0",
+ "id": "6c69e2bc-7bb3-4bac-b7e9-41f22558321c",
+ "snapshot": true
+ },
+ "host": {
+ "os": {
+ "platform": "centos",
+ "version": "7 (Core)",
+ "family": "redhat",
+ "name": "CentOS Linux",
+ "kernel": "4.9.184-linuxkit",
+ "codename": "Core"
+ },
+ "id": "06c26569966fd125c15acac5d7feffb6",
+ "name": "4942ef7a8cfc",
+ "containerized": true,
+ "ip": [
+ "192.168.0.4"
+ ],
+ "mac": [
+ "02:42:c0:a8:00:04"
+ ],
+ "hostname": "4942ef7a8cfc",
+ "architecture": "x86_64"
+ },
+ "agent": {
+ "hostname": "4942ef7a8cfc",
+ "ephemeral_id": "8371d3a3-5321-4436-9fd5-cafcabfe4c57",
+ "id": "af6f66ef-d7d0-4784-b9bb-3fddbcc151b5",
+ "name": "4942ef7a8cfc",
+ "type": "metricbeat",
+ "version": "7.11.0"
+ },
"metricset": {
"name": "status",
- "period": 10000
+ "period": 30000
+ },
+ "service": {
+ "address": "http://elastic-package-service_apache_1:80/server-status?auto=",
+ "type": "apache"
},
"apache": {
"status": {
+ "load": {
+ "5": 1.89,
+ "15": 1.07,
+ "1": 1.53
+ },
+ "total_accesses": 11,
"connections": {
"total": 0,
"async": {
+ "closing": 0,
"writing": 0,
- "keep_alive": 0,
- "closing": 0
+ "keep_alive": 0
}
},
- "total_bytes": 128,
- "cpu": {
- "children_user": 0,
- "children_system": 0,
- "load": 0.185185,
- "user": 1.11,
- "system": 1.79
- },
+ "requests_per_sec": 0.916667,
"scoreboard": {
- "logging": 0,
- "idle_cleanup": 0,
"starting_up": 0,
- "reading_request": 0,
+ "keepalive": 0,
+ "sending_reply": 1,
+ "logging": 0,
+ "gracefully_finishing": 0,
"dns_lookup": 0,
"closing_connection": 0,
- "gracefully_finishing": 0,
- "sending_reply": 1,
- "keepalive": 0,
- "total": 400,
"open_slot": 325,
- "waiting_for_connection": 74
+ "total": 400,
+ "idle_cleanup": 0,
+ "waiting_for_connection": 74,
+ "reading_request": 0
+ },
+ "bytes_per_sec": 0,
+ "bytes_per_request": 0,
+ "uptime": {
+ "server_uptime": 12,
+ "uptime": 12
},
+ "total_bytes": 0,
"workers": {
"busy": 1,
"idle": 74
},
- "bytes_per_sec": 83.6986,
- "uptime": {
- "server_uptime": 1566,
- "uptime": 1566
- },
- "total_accesses": 1393,
- "bytes_per_request": 94.0933,
- "requests_per_sec": 0.889527,
- "load": {
- "1": 3.58,
- "5": 3.54,
- "15": 2.79
+ "cpu": {
+ "load": 0.583333,
+ "user": 0.03,
+ "system": 0.04,
+ "children_user": 0,
+ "children_system": 0
}
}
- },
- "service": {
- "address": "127.0.0.1:8088",
- "type": "apache"
- },
- "event": {
- "duration": 2381832,
- "dataset": "apache.status",
- "module": "apache"
- },
- "ecs": {
- "version": "1.5.0"
- },
- "agent": {
- "type": "metricbeat",
- "version": "8.0.0",
- "ephemeral_id": "685f03e4-76e7-4d05-b398-8454b8964681",
- "id": "a74466da-3ea4-44f9-aea0-11c5e4b920be",
- "name": "MacBook-Elastic.local"
}
}
```
**Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| apache.status.bytes_per_request | Bytes per request. | scaled_float |
-| apache.status.bytes_per_sec | Bytes per second. | scaled_float |
-| apache.status.connections.async.closing | Async closed connections. | long |
-| apache.status.connections.async.keep_alive | Async keeped alive connections. | long |
-| apache.status.connections.async.writing | Async connection writing. | long |
-| apache.status.connections.total | Total connections. | long |
-| apache.status.cpu.children_system | CPU of children system. | scaled_float |
-| apache.status.cpu.children_user | CPU of children user. | scaled_float |
-| apache.status.cpu.load | CPU Load. | scaled_float |
-| apache.status.cpu.system | System cpu. | scaled_float |
-| apache.status.cpu.user | CPU user load. | scaled_float |
-| apache.status.load.1 | Load average for the last minute. | scaled_float |
-| apache.status.load.15 | Load average for the last 15 minutes. | scaled_float |
-| apache.status.load.5 | Load average for the last 5 minutes. | scaled_float |
-| apache.status.requests_per_sec | Requests per second. | scaled_float |
-| apache.status.scoreboard.closing_connection | Closing connections. | long |
-| apache.status.scoreboard.dns_lookup | Dns Lookups. | long |
-| apache.status.scoreboard.gracefully_finishing | Gracefully finishing. | long |
-| apache.status.scoreboard.idle_cleanup | Idle cleanups. | long |
-| apache.status.scoreboard.keepalive | Keep alive. | long |
-| apache.status.scoreboard.logging | Logging | long |
-| apache.status.scoreboard.open_slot | Open slots. | long |
-| apache.status.scoreboard.reading_request | Reading requests. | long |
-| apache.status.scoreboard.sending_reply | Sending Reply. | long |
-| apache.status.scoreboard.starting_up | Starting up. | long |
-| apache.status.scoreboard.total | Total. | long |
-| apache.status.scoreboard.waiting_for_connection | Waiting for connections. | long |
-| apache.status.total_accesses | Total number of access requests. | long |
-| apache.status.total_bytes | Total number of bytes served. | long |
-| apache.status.uptime.server_uptime | Server uptime in seconds. | long |
-| apache.status.uptime.uptime | Server uptime. | long |
-| apache.status.workers.busy | Number of busy workers. | long |
-| apache.status.workers.idle | Number of idle workers. | long |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | | keyword |
-| service.address | | keyword |
-| service.type | | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| apache.status.bytes_per_request | Bytes per request. | scaled_float | | gauge |
+| apache.status.bytes_per_sec | Bytes per second. | scaled_float | | gauge |
+| apache.status.connections.async.closing | Async closed connections. | long | | gauge |
+| apache.status.connections.async.keep_alive | Async keeped alive connections. | long | | gauge |
+| apache.status.connections.async.writing | Async connection writing. | long | | gauge |
+| apache.status.connections.total | Total connections. | long | | counter |
+| apache.status.cpu.children_system | CPU of children system. | scaled_float | | gauge |
+| apache.status.cpu.children_user | CPU of children user. | scaled_float | | gauge |
+| apache.status.cpu.load | CPU Load. | scaled_float | | gauge |
+| apache.status.cpu.system | System cpu. | scaled_float | | gauge |
+| apache.status.cpu.user | CPU user load. | scaled_float | | gauge |
+| apache.status.load.1 | Load average for the last minute. | scaled_float | | gauge |
+| apache.status.load.15 | Load average for the last 15 minutes. | scaled_float | | gauge |
+| apache.status.load.5 | Load average for the last 5 minutes. | scaled_float | | gauge |
+| apache.status.requests_per_sec | Requests per second. | scaled_float | | gauge |
+| apache.status.scoreboard.closing_connection | Closing connections. | long | | gauge |
+| apache.status.scoreboard.dns_lookup | Dns Lookups. | long | | gauge |
+| apache.status.scoreboard.gracefully_finishing | Gracefully finishing. | long | | gauge |
+| apache.status.scoreboard.idle_cleanup | Idle cleanups. | long | | gauge |
+| apache.status.scoreboard.keepalive | Keep alive. | long | | gauge |
+| apache.status.scoreboard.logging | Logging | long | | gauge |
+| apache.status.scoreboard.open_slot | Open slots. | long | | gauge |
+| apache.status.scoreboard.reading_request | Reading requests. | long | | gauge |
+| apache.status.scoreboard.sending_reply | Sending Reply. | long | | gauge |
+| apache.status.scoreboard.starting_up | Starting up. | long | | gauge |
+| apache.status.scoreboard.total | Total. | long | | gauge |
+| apache.status.scoreboard.waiting_for_connection | Waiting for connections. | long | | gauge |
+| apache.status.total_accesses | Total number of access requests. | long | | counter |
+| apache.status.total_bytes | Total number of bytes served. | long | byte | counter |
+| apache.status.uptime.server_uptime | Server uptime in seconds. | long | | counter |
+| apache.status.uptime.uptime | Server uptime. | long | | counter |
+| apache.status.workers.busy | Number of busy workers. | long | | gauge |
+| apache.status.workers.idle | Number of idle workers. | long | | gauge |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| error.message | Error message. | match_only_text | | |
+| event.dataset | Event dataset | constant_keyword | | |
+| event.module | Event module | constant_keyword | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+
diff --git a/test/packages/apache/img/apache-logs-overview.png b/test/packages/apache/img/apache-logs-overview.png
new file mode 100644
index 0000000000..5597f61a27
Binary files /dev/null and b/test/packages/apache/img/apache-logs-overview.png differ
diff --git a/test/packages/apache/img/apache-metrics-overview.png b/test/packages/apache/img/apache-metrics-overview.png
new file mode 100644
index 0000000000..ec24030bbd
Binary files /dev/null and b/test/packages/apache/img/apache-metrics-overview.png differ
diff --git a/test/packages/apache/img/apache_httpd_server_status.png b/test/packages/apache/img/apache_httpd_server_status.png
deleted file mode 100644
index b28bbecb34..0000000000
Binary files a/test/packages/apache/img/apache_httpd_server_status.png and /dev/null differ
diff --git a/test/packages/apache/img/kibana-apache.png b/test/packages/apache/img/kibana-apache.png
deleted file mode 100644
index badfee933a..0000000000
Binary files a/test/packages/apache/img/kibana-apache.png and /dev/null differ
diff --git a/test/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json b/test/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json
index 6cf77308fd..7332f02b4d 100644
--- a/test/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json
+++ b/test/packages/apache/kibana/dashboard/apache-Logs-Apache-Dashboard.json
@@ -14,11 +14,13 @@
}
},
"optionsJSON": {
- "darkTheme": false
+ "darkTheme": false,
+ "useMargins": true
},
"panelsJSON": [
{
"embeddableConfig": {
+ "enhancements": {},
"mapBounds": {
"bottom_right": {
"lat": -3.864254615721396,
@@ -49,16 +51,18 @@
"gridData": {
"h": 12,
"i": "1",
- "w": 48,
- "x": 0,
+ "w": 35,
+ "x": 13,
"y": 0
},
"panelIndex": "1",
"panelRefName": "panel_0",
- "version": "7.3.0"
+ "version": "7.9.3"
},
{
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "enhancements": {}
+ },
"gridData": {
"h": 12,
"i": "2",
@@ -68,10 +72,12 @@
},
"panelIndex": "2",
"panelRefName": "panel_1",
- "version": "7.3.0"
+ "version": "7.9.3"
},
{
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "enhancements": {}
+ },
"gridData": {
"h": 12,
"i": "3",
@@ -81,10 +87,12 @@
},
"panelIndex": "3",
"panelRefName": "panel_2",
- "version": "7.3.0"
+ "version": "7.9.3"
},
{
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "enhancements": {}
+ },
"gridData": {
"h": 8,
"i": "4",
@@ -94,10 +102,12 @@
},
"panelIndex": "4",
"panelRefName": "panel_3",
- "version": "7.3.0"
+ "version": "7.9.3"
},
{
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "enhancements": {}
+ },
"gridData": {
"h": 8,
"i": "5",
@@ -107,10 +117,12 @@
},
"panelIndex": "5",
"panelRefName": "panel_4",
- "version": "7.3.0"
+ "version": "7.9.3"
},
{
- "embeddableConfig": {},
+ "embeddableConfig": {
+ "enhancements": {}
+ },
"gridData": {
"h": 8,
"i": "6",
@@ -120,7 +132,7 @@
},
"panelIndex": "6",
"panelRefName": "panel_5",
- "version": "7.3.0"
+ "version": "7.9.3"
},
{
"embeddableConfig": {
@@ -130,6 +142,7 @@
"apache2.error.integration",
"message"
],
+ "enhancements": {},
"sort": [
"@timestamp",
"desc"
@@ -144,7 +157,22 @@
},
"panelIndex": "7",
"panelRefName": "panel_6",
- "version": "7.3.0"
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 5,
+ "i": "f5d1286d-411a-4759-a2e2-0b3227b93cfa",
+ "w": 13,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "f5d1286d-411a-4759-a2e2-0b3227b93cfa",
+ "panelRefName": "panel_7",
+ "version": "7.9.3"
}
],
"timeRestore": false,
@@ -153,7 +181,7 @@
},
"id": "apache-Logs-Apache-Dashboard",
"migrationVersion": {
- "dashboard": "7.3.0"
+ "dashboard": "7.11.0"
},
"references": [
{
@@ -190,6 +218,11 @@
"id": "apache-errors-log",
"name": "panel_6",
"type": "search"
+ },
+ {
+ "id": "apache-ed44f820-3a10-11eb-8946-296aab7b13db",
+ "name": "panel_7",
+ "type": "visualization"
}
],
"type": "dashboard"
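Review bot: `panel_7` now references visualization `apache-ed44f820-3a10-11eb-8946-296aab7b13db`, but no matching saved object under `kibana/visualization/` appears in this diff chunk; if it is not shipped in the same package revision the dashboard import fails on the unresolved reference. Please confirm the visualization file is part of this change, and that its migration version is compatible with the `7.11.0` this dashboard now declares in the hunk above, which effectively raises the minimum Kibana version the package manifest must require.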
diff --git a/test/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status-2.json b/test/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status-2.json
deleted file mode 100644
index 83f1d1551c..0000000000
--- a/test/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status-2.json
+++ /dev/null
@@ -1,179 +0,0 @@
-{
- "attributes": {
- "description": "Overview of Apache server status",
- "hits": 0,
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": [],
- "highlightAll": true,
- "query": {
- "language": "kuery",
- "query": ""
- },
- "version": true
- }
- },
- "optionsJSON": {
- "darkTheme": false
- },
- "panelsJSON": [
- {
- "embeddableConfig": {},
- "gridData": {
- "h": 12,
- "i": "1",
- "w": 24,
- "x": 24,
- "y": 36
- },
- "panelIndex": "1",
- "panelRefName": "panel_0",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
- }
- }
- }
- },
- "gridData": {
- "h": 12,
- "i": "2",
- "w": 12,
- "x": 0,
- "y": 0
- },
- "panelIndex": "2",
- "panelRefName": "panel_1",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {},
- "gridData": {
- "h": 12,
- "i": "3",
- "w": 24,
- "x": 0,
- "y": 36
- },
- "panelIndex": "3",
- "panelRefName": "panel_2",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {},
- "gridData": {
- "h": 12,
- "i": "4",
- "w": 48,
- "x": 0,
- "y": 24
- },
- "panelIndex": "4",
- "panelRefName": "panel_3",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {
- "vis": {
- "defaultColors": {
- "0 - 100": "rgb(0,104,55)"
- }
- }
- },
- "gridData": {
- "h": 12,
- "i": "5",
- "w": 24,
- "x": 24,
- "y": 0
- },
- "panelIndex": "5",
- "panelRefName": "panel_4",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {
- "vis": {
- "defaultColors": {
- "0 - 100": "rgb(0,104,55)"
- }
- }
- },
- "gridData": {
- "h": 12,
- "i": "6",
- "w": 12,
- "x": 12,
- "y": 0
- },
- "panelIndex": "6",
- "panelRefName": "panel_5",
- "version": "7.3.0"
- },
- {
- "embeddableConfig": {},
- "gridData": {
- "h": 12,
- "i": "7",
- "w": 48,
- "x": 0,
- "y": 12
- },
- "panelIndex": "7",
- "panelRefName": "panel_6",
- "version": "7.3.0"
- }
- ],
- "timeRestore": false,
- "title": "[Metrics Apache] Overview",
- "version": 1
- },
- "id": "apache-Metrics-Apache-HTTPD-server-status-2",
- "migrationVersion": {
- "dashboard": "7.3.0"
- },
- "references": [
- {
- "id": "apache-HTTPD-CPU",
- "name": "panel_0",
- "type": "visualization"
- },
- {
- "id": "apache-HTTPD-Hostname-list",
- "name": "panel_1",
- "type": "visualization"
- },
- {
- "id": "apache-HTTPD-Load1-slash-5-slash-15",
- "name": "panel_2",
- "type": "visualization"
- },
- {
- "id": "apache-HTTPD-Scoreboard",
- "name": "panel_3",
- "type": "visualization"
- },
- {
- "id": "apache-HTTPD-Total-accesses-and-kbytes",
- "name": "panel_4",
- "type": "visualization"
- },
- {
- "id": "apache-HTTPD-Uptime",
- "name": "panel_5",
- "type": "visualization"
- },
- {
- "id": "apache-HTTPD-Workers",
- "name": "panel_6",
- "type": "visualization"
- }
- ],
- "type": "dashboard"
-}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status.json b/test/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status.json
new file mode 100644
index 0000000000..35a2998fd1
--- /dev/null
+++ b/test/packages/apache/kibana/dashboard/apache-Metrics-Apache-HTTPD-server-status.json
@@ -0,0 +1,273 @@
+{
+ "attributes": {
+ "description": "Overview of Apache server status",
+ "hits": 0,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "highlightAll": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "version": true
+ }
+ },
+ "optionsJSON": {
+ "darkTheme": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "1",
+ "w": 24,
+ "x": 24,
+ "y": 50
+ },
+ "panelIndex": "1",
+ "panelRefName": "panel_0",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "3",
+ "w": 24,
+ "x": 0,
+ "y": 50
+ },
+ "panelIndex": "3",
+ "panelRefName": "panel_1",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "4",
+ "w": 24,
+ "x": 24,
+ "y": 5
+ },
+ "panelIndex": "4",
+ "panelRefName": "panel_2",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 5,
+ "i": "4cc4755f-49a7-43c1-8a21-0a78291f0b3f",
+ "w": 13,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "4cc4755f-49a7-43c1-8a21-0a78291f0b3f",
+ "panelRefName": "panel_3",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 5,
+ "i": "7b7a1f18-e274-4f4e-a3b3-3760e7896897",
+ "w": 11,
+ "x": 13,
+ "y": 0
+ },
+ "panelIndex": "7b7a1f18-e274-4f4e-a3b3-3760e7896897",
+ "panelRefName": "panel_4",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 5,
+ "i": "01794c9e-0ce3-4e1e-bc87-6c15b6434ba8",
+ "w": 12,
+ "x": 24,
+ "y": 0
+ },
+ "panelIndex": "01794c9e-0ce3-4e1e-bc87-6c15b6434ba8",
+ "panelRefName": "panel_5",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 5,
+ "i": "e2b2dd17-dcda-4b17-b250-dd30c596f7f6",
+ "w": 12,
+ "x": 36,
+ "y": 0
+ },
+ "panelIndex": "e2b2dd17-dcda-4b17-b250-dd30c596f7f6",
+ "panelRefName": "panel_6",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "f90d54d8-034c-4cfd-8640-0e8f10c2ca99",
+ "w": 24,
+ "x": 0,
+ "y": 5
+ },
+ "panelIndex": "f90d54d8-034c-4cfd-8640-0e8f10c2ca99",
+ "panelRefName": "panel_7",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "3b23e577-34f6-4cd0-b636-01581b8ce1c0",
+ "w": 24,
+ "x": 0,
+ "y": 20
+ },
+ "panelIndex": "3b23e577-34f6-4cd0-b636-01581b8ce1c0",
+ "panelRefName": "panel_8",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "100b598b-4223-4a6b-95d9-ee94147fa5ac",
+ "w": 24,
+ "x": 24,
+ "y": 20
+ },
+ "panelIndex": "100b598b-4223-4a6b-95d9-ee94147fa5ac",
+ "panelRefName": "panel_9",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "a7dc6253-4f39-4aae-984f-3108d1cf3cfb",
+ "w": 24,
+ "x": 0,
+ "y": 35
+ },
+ "panelIndex": "a7dc6253-4f39-4aae-984f-3108d1cf3cfb",
+ "panelRefName": "panel_10",
+ "version": "7.9.3"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {}
+ },
+ "gridData": {
+ "h": 15,
+ "i": "4204480f-8c9f-426f-b3f7-0714a70d418b",
+ "w": 24,
+ "x": 24,
+ "y": 35
+ },
+ "panelIndex": "4204480f-8c9f-426f-b3f7-0714a70d418b",
+ "panelRefName": "panel_11",
+ "version": "7.9.3"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Metrics Apache] Overview",
+ "version": 1
+ },
+ "id": "apache-Metrics-Apache-HTTPD-server-status",
+ "migrationVersion": {
+ "dashboard": "7.11.0"
+ },
+ "references": [
+ {
+ "id": "apache-HTTPD-CPU",
+ "name": "panel_0",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-HTTPD-Load1-slash-5-slash-15",
+ "name": "panel_1",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-HTTPD-Scoreboard",
+ "name": "panel_2",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-805d7bb0-3a10-11eb-8946-296aab7b13db",
+ "name": "panel_3",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-22057f20-3a12-11eb-8946-296aab7b13db",
+ "name": "panel_4",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-47820ce0-3a1d-11eb-8946-296aab7b13db",
+ "name": "panel_5",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-99666080-3a20-11eb-8946-296aab7b13db",
+ "name": "panel_6",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-f4ffec70-3a36-11eb-8946-296aab7b13db",
+ "name": "panel_7",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-320cd980-3a36-11eb-8946-296aab7b13db",
+ "name": "panel_8",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-a45311f0-3a34-11eb-8946-296aab7b13db",
+ "name": "panel_9",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-7d68f730-3a39-11eb-8946-296aab7b13db",
+ "name": "panel_10",
+ "type": "visualization"
+ },
+ {
+ "id": "apache-7724cf20-3a39-11eb-8946-296aab7b13db",
+ "name": "panel_11",
+ "type": "visualization"
+ }
+ ],
+ "type": "dashboard"
+}
\ No newline at end of file
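Review bot: Nine of the twelve references (`apache-805d7bb0-…` through `apache-7724cf20-…`) are ids that the deleted `…-server-status-2` dashboard did not use, while `apache-HTTPD-Hostname-list`, `apache-HTTPD-Total-accesses-and-kbytes`, `apache-HTTPD-Uptime` and `apache-HTTPD-Workers` are no longer referenced by anything visible in this chunk. The new visualization saved objects must ship in the same package, and the four now-unreferenced ones should be removed from `kibana/visualization/` unless another asset still uses them, so they are not installed as orphans. The file also lacks a trailing newline (`\ No newline at end of file`), which the README hunk in this same change fixed elsewhere — add one here too for consistency.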
diff --git a/test/packages/apache/kibana/ml_module/apache-Logs-ml.json b/test/packages/apache/kibana/ml_module/apache-Logs-ml.json
new file mode 100644
index 0000000000..cccc306d3f
--- /dev/null
+++ b/test/packages/apache/kibana/ml_module/apache-Logs-ml.json
@@ -0,0 +1,419 @@
+{
+ "attributes": {
+ "id": "apache_data_stream",
+ "title": "Apache access logs",
+ "description": "Find unusual activity in HTTP access logs.",
+ "type": "Web Access Logs",
+ "logo": {
+ "icon": "logoApache"
+ },
+ "defaultIndexPattern": "logs-*",
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "data_stream.dataset": "apache.access"
+ }
+ },
+ {
+ "exists": {
+ "field": "source.address"
+ }
+ },
+ {
+ "exists": {
+ "field": "url.original"
+ }
+ },
+ {
+ "exists": {
+ "field": "http.response.status_code"
+ }
+ }
+ ],
+ "must_not": {
+ "terms": {
+ "_tier": [
+ "data_frozen",
+ "data_cold"
+ ]
+ }
+ }
+ }
+ },
+ "jobs": [
+ {
+ "id": "visitor_rate_apache",
+ "config": {
+ "groups": [
+ "apache"
+ ],
+ "description": "HTTP Access Logs: Detect unusual visitor rates",
+ "analysis_config": {
+ "bucket_span": "15m",
+ "summary_count_field_name": "dc_source_address",
+ "detectors": [
+ {
+ "detector_description": "Apache access visitor rate",
+ "function": "non_zero_count"
+ }
+ ],
+ "influencers": []
+ },
+ "analysis_limits": {
+ "model_memory_limit": "10mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "model_plot_config": {
+ "enabled": true
+ },
+ "custom_settings": {
+ "created_by": "ml-module-apache-access-data-stream",
+ "custom_urls": [
+ {
+ "url_name": "Apache logs overview",
+ "url_value": "dashboards#/view/apache-Logs-Apache-Dashboard?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase))))),query:(language:kuery,query:\u0027\u0027))"
+ },
+ {
+ "url_name": "Raw data",
+ "url_value": "discover#/?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(language:kuery,query:\u0027\u0027),sort:!(\u0027@timestamp\u0027,desc))"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "status_code_rate_apache",
+ "config": {
+ "groups": [
+ "apache"
+ ],
+ "description": "HTTP Access Logs: Detect unusual status code rates",
+ "analysis_config": {
+ "bucket_span": "15m",
+ "detectors": [
+ {
+ "detector_description": "Apache access status code rate",
+ "function": "count",
+ "partition_field_name": "http.response.status_code"
+ }
+ ],
+ "influencers": [
+ "http.response.status_code",
+ "source.address"
+ ]
+ },
+ "analysis_limits": {
+ "model_memory_limit": "100mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "model_plot_config": {
+ "enabled": true
+ },
+ "custom_settings": {
+ "created_by": "ml-module-apache-access-data-stream",
+ "custom_urls": [
+ {
+ "url_name": "Apache logs overview",
+ "url_value": "dashboards#/view/apache-Logs-Apache-Dashboard?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase)))),(\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:http.response.status_code,negate:!f,params:(query:\u0027$http.response.status_code$\u0027),type:phrase,value:\u0027$http.response.status_code$\u0027),query:(match:(http.response.status_code:(query:\u0027$http.response.status_code$\u0027,type:phrase))))),query:(language:kuery,query:\u0027\u0027))"
+ },
+ {
+ "url_name": "Raw data",
+ "url_value": "discover#/?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase)))),(\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:http.response.status_code,negate:!f,params:(query:\u0027$http.response.status_code$\u0027),type:phrase,value:\u0027$http.response.status_code$\u0027),query:(match:(http.response.status_code:(query:\u0027$http.response.status_code$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(language:kuery,query:\u0027\u0027),sort:!(\u0027@timestamp\u0027,desc))"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "source_ip_url_count_apache",
+ "config": {
+ "groups": [
+ "apache"
+ ],
+ "description": "HTTP Access Logs: Detect unusual source IPs - high distinct count of URLs",
+ "analysis_config": {
+ "bucket_span": "1h",
+ "detectors": [
+ {
+ "detector_description": "Apache access source IP high dc URL",
+ "function": "high_distinct_count",
+ "field_name": "url.original",
+ "over_field_name": "source.address"
+ }
+ ],
+ "influencers": [
+ "source.address"
+ ]
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-apache-access-data-stream",
+ "custom_urls": [
+ {
+ "url_name": "Apache logs overview",
+ "url_value": "dashboards#/view/apache-Logs-Apache-Dashboard?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase)))),(\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:source.address,negate:!f,params:(query:\u0027$source.address$\u0027),type:phrase,value:\u0027$source.address$\u0027),query:(match:(source.address:(query:\u0027$source.address$\u0027,type:phrase))))),query:(language:kuery,query:\u0027\u0027))"
+ },
+ {
+ "url_name": "Raw data",
+ "url_value": "discover#/?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase)))),(\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:source.address,negate:!f,params:(query:\u0027$source.address$\u0027),type:phrase,value:\u0027$source.address$\u0027),query:(match:(source.address:(query:\u0027$source.address$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(language:kuery,query:\u0027\u0027),sort:!(\u0027@timestamp\u0027,desc))"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "source_ip_request_rate_apache",
+ "config": {
+ "groups": [
+ "apache"
+ ],
+ "description": "HTTP Access Logs: Detect unusual source IPs - high request rates",
+ "analysis_config": {
+ "bucket_span": "1h",
+ "detectors": [
+ {
+ "detector_description": "Apache access source IP high count",
+ "function": "high_count",
+ "over_field_name": "source.address"
+ }
+ ],
+ "influencers": [
+ "source.address"
+ ]
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "custom_settings": {
+ "created_by": "ml-module-apache-access-data-stream",
+ "custom_urls": [
+ {
+ "url_name": "Apache logs overview",
+ "url_value": "dashboards#/view/apache-Logs-Apache-Dashboard?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase)))),(\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:source.address,negate:!f,params:(query:\u0027$source.address$\u0027),type:phrase,value:\u0027$source.address$\u0027),query:(match:(source.address:(query:\u0027$source.address$\u0027,type:phrase))))),query:(language:kuery,query:\u0027\u0027))"
+ },
+ {
+ "url_name": "Raw data",
+ "url_value": "discover#/?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase)))),(\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:source.address,negate:!f,params:(query:\u0027$source.address$\u0027),type:phrase,value:\u0027$source.address$\u0027),query:(match:(source.address:(query:\u0027$source.address$\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(language:kuery,query:\u0027\u0027),sort:!(\u0027@timestamp\u0027,desc))"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "low_request_rate_apache",
+ "config": {
+ "groups": [
+ "apache"
+ ],
+ "description": "HTTP Access Logs: Detect low request rates",
+ "analysis_config": {
+ "bucket_span": "15m",
+ "summary_count_field_name": "doc_count",
+ "detectors": [
+ {
+ "detector_description": "Apache access low request rate",
+ "function": "low_count"
+ }
+ ],
+ "influencers": []
+ },
+ "analysis_limits": {
+ "model_memory_limit": "10mb"
+ },
+ "data_description": {
+ "time_field": "@timestamp",
+ "time_format": "epoch_ms"
+ },
+ "model_plot_config": {
+ "enabled": true
+ },
+ "custom_settings": {
+ "created_by": "ml-module-apache-access-data-stream",
+ "custom_urls": [
+ {
+ "url_name": "Apache logs overview",
+ "url_value": "dashboards#/view/apache-Logs-Apache-Dashboard?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(description:\u0027\u0027,filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase))))),query:(language:kuery,query:\u0027\u0027))"
+ },
+ {
+ "url_name": "Raw data",
+ "url_value": "discover#/?_g=(time:(from:\u0027$earliest$\u0027,mode:absolute,to:\u0027$latest$\u0027))\u0026_a=(columns:!(_source),filters:!((\u0027$state\u0027:(store:appState),meta:(alias:!n,disabled:!f,index:\u0027INDEX_PATTERN_ID\u0027,key:data_stream.dataset,negate:!f,params:(query:\u0027apache.access\u0027),type:phrase,value:\u0027apache.access\u0027),query:(match:(data_stream.dataset:(query:\u0027apache.access\u0027,type:phrase))))),index:\u0027INDEX_PATTERN_ID\u0027,interval:auto,query:(language:kuery,query:\u0027\u0027),sort:!(\u0027@timestamp\u0027,desc))"
+ }
+ ]
+ }
+ }
+ }
+ ],
+ "datafeeds": [
+ {
+ "id": "datafeed-visitor_rate_apache",
+ "job_id": "visitor_rate_apache",
+ "config": {
+ "job_id": "visitor_rate_apache",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "data_stream.dataset": "apache.access"
+ }
+ }
+ ]
+ }
+ },
+ "aggregations": {
+ "buckets": {
+ "date_histogram": {
+ "field": "@timestamp",
+ "fixed_interval": "15m",
+ "offset": 0,
+ "order": {
+ "_key": "asc"
+ },
+ "keyed": false,
+ "min_doc_count": 0
+ },
+ "aggregations": {
+ "@timestamp": {
+ "max": {
+ "field": "@timestamp"
+ }
+ },
+ "dc_source_address": {
+ "cardinality": {
+ "field": "source.address"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-status_code_rate_apache",
+ "job_id": "status_code_rate_apache",
+ "config": {
+ "job_id": "status_code_rate_apache",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "data_stream.dataset": "apache.access"
+ }
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-source_ip_url_count_apache",
+ "job_id": "source_ip_url_count_apache",
+ "config": {
+ "job_id": "source_ip_url_count_apache",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "data_stream.dataset": "apache.access"
+ }
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-source_ip_request_rate_apache",
+ "job_id": "source_ip_request_rate_apache",
+ "config": {
+ "job_id": "source_ip_request_rate_apache",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "data_stream.dataset": "apache.access"
+ }
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ "id": "datafeed-low_request_rate_apache",
+ "job_id": "low_request_rate_apache",
+ "config": {
+ "job_id": "low_request_rate_apache",
+ "indices": [
+ "INDEX_PATTERN_NAME"
+ ],
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "data_stream.dataset": "apache.access"
+ }
+ }
+ ]
+ }
+ },
+ "aggregations": {
+ "buckets": {
+ "date_histogram": {
+ "field": "@timestamp",
+ "fixed_interval": "15m",
+ "offset": 0,
+ "order": {
+ "_key": "asc"
+ },
+ "keyed": false,
+ "min_doc_count": 0
+ },
+ "aggregations": {
+ "@timestamp": {
+ "max": {
+ "field": "@timestamp"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ ]
+ },
+ "id": "apache-Logs-ml",
+ "migrationVersion": {
+ "search": "7.9.3"
+ },
+ "references": [],
+ "type": "ml-module"
+}
\ No newline at end of file
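Review bot: The two population jobs, `source_ip_url_count_apache` and `source_ip_request_rate_apache`, are the only jobs in this module without an `analysis_limits` block, yet their models grow with the number of distinct `source.address` values, which on a public web server is client-controlled input. The other three jobs pin `model_memory_limit` explicitly (`10mb`, `100mb`, `10mb`); adding `"analysis_limits": { "model_memory_limit": "100mb" }` to both population job configs, mirroring the `status_code_rate_apache` job, gives them a bound chosen for this data set instead of whatever the cluster default happens to be, so an unexpected flood of new client addresses degrades predictably rather than silently. Separately, the module-level `query` excludes the `data_frozen` and `data_cold` tiers and requires `source.address`, `url.original` and `http.response.status_code` to exist, but none of the five datafeed `query` blocks carry those filters; if I read the module format correctly the top-level query only drives module recognition, so the datafeeds as written would scan cold and frozen tiers and feed documents lacking the fields the detectors partition on. Copying at least the `must_not` `_tier` clause into each datafeed `bool` would make the runtime behaviour match the stated intent.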
diff --git a/test/packages/apache/kibana/search/apache-HTTPD.json b/test/packages/apache/kibana/search/apache-HTTPD.json
index 73b560cd5a..5afdb95ba7 100644
--- a/test/packages/apache/kibana/search/apache-HTTPD.json
+++ b/test/packages/apache/kibana/search/apache-HTTPD.json
@@ -39,7 +39,7 @@
},
"id": "apache-HTTPD",
"migrationVersion": {
- "search": "7.4.0"
+ "search": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/search/apache-access-logs.json b/test/packages/apache/kibana/search/apache-access-logs.json
index 8571f8fbe1..5d2d2e31b5 100644
--- a/test/packages/apache/kibana/search/apache-access-logs.json
+++ b/test/packages/apache/kibana/search/apache-access-logs.json
@@ -42,7 +42,7 @@
},
"id": "apache-access-logs",
"migrationVersion": {
- "search": "7.4.0"
+ "search": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/search/apache-errors-log.json b/test/packages/apache/kibana/search/apache-errors-log.json
index ff2bf239b2..ff5742a373 100644
--- a/test/packages/apache/kibana/search/apache-errors-log.json
+++ b/test/packages/apache/kibana/search/apache-errors-log.json
@@ -42,7 +42,7 @@
},
"id": "apache-errors-log",
"migrationVersion": {
- "search": "7.4.0"
+ "search": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-22057f20-3a12-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-22057f20-3a12-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..c7d5744883
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-22057f20-3a12-11eb-8946-296aab7b13db.json
@@ -0,0 +1,78 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "title": "Uptime [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [],
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "c3c89690-3a11-11eb-8a27-5ff1727df0e0"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "c2fc9400-3a11-11eb-8a27-5ff1727df0e0"
+ }
+ ],
+ "default_index_pattern": "metrics-*",
+ "default_timefield": "@timestamp",
+ "id": "61ca57f0-469d-11e7-af02-69e470af7417",
+ "index_pattern": "",
+ "interval": "",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "formatter": "s,humanize,",
+ "id": "61ca57f1-469d-11e7-af02-69e470af7417",
+ "label": "Uptime",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "apache.status.uptime.uptime",
+ "id": "61ca57f2-469d-11e7-af02-69e470af7417",
+ "type": "max"
+ }
+ ],
+ "point_size": 1,
+ "separate_axis": 0,
+ "split_color_mode": "kibana",
+ "split_mode": "everything",
+ "stacked": "none"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "",
+ "tooltip_mode": "show_all",
+ "type": "metric"
+ },
+ "title": "Uptime [Metrics Apache]",
+ "type": "metrics"
+ }
+ },
+ "id": "apache-22057f20-3a12-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-320cd980-3a36-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-320cd980-3a36-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..66fe71c6f4
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-320cd980-3a36-11eb-8946-296aab7b13db.json
@@ -0,0 +1,152 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Requests per sec [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {
+ "customLabel": "Requests per sec",
+ "field": "apache.status.requests_per_sec"
+ },
+ "schema": "metric",
+ "type": "avg"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ }
+ ],
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "drawLinesBetweenPoints": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "interpolate": "linear",
+ "labels": {},
+ "legendPosition": "right",
+ "radiusRatio": 9,
+ "row": true,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "1",
+ "label": "Requests per sec"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "shareYAxis": true,
+ "showCircles": true,
+ "smoothLines": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Requests per sec"
+ },
+ "type": "value"
+ }
+ ],
+ "yAxis": {}
+ },
+ "title": "Requests per sec [Metrics Apache]",
+ "type": "line"
+ }
+ },
+ "id": "apache-320cd980-3a36-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "apache-HTTPD",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-47820ce0-3a1d-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-47820ce0-3a1d-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..232a587a63
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-47820ce0-3a1d-11eb-8946-296aab7b13db.json
@@ -0,0 +1,89 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "title": "Total accesses [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [],
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "5414c4a0-3a1a-11eb-8b9a-851db9ca6ca8"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "c532ace0-3a1c-11eb-8b9a-851db9ca6ca8"
+ }
+ ],
+ "default_index_pattern": "metrics-*",
+ "default_timefield": "@timestamp",
+ "gauge_color_rules": [
+ {
+ "id": "586a5890-3a19-11eb-8b9a-851db9ca6ca8"
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "id": "61ca57f0-469d-11e7-af02-69e470af7417",
+ "index_pattern": "",
+ "interval": "",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "formatter": "0a",
+ "id": "6ccbc140-3a1c-11eb-8b9a-851db9ca6ca8",
+ "label": "Total accesses",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "apache.status.total_accesses",
+ "id": "6ccbc141-3a1c-11eb-8b9a-851db9ca6ca8",
+ "type": "max"
+ }
+ ],
+ "point_size": 1,
+ "separate_axis": 0,
+ "split_mode": "everything",
+ "stacked": "none"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "",
+ "tooltip_mode": "show_all",
+ "type": "metric"
+ },
+ "title": "Total accesses [Metrics Apache]",
+ "type": "metrics"
+ }
+ },
+ "id": "apache-47820ce0-3a1d-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-7724cf20-3a39-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-7724cf20-3a39-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..6c7e554b74
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-7724cf20-3a39-11eb-8946-296aab7b13db.json
@@ -0,0 +1,189 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "title": "Connections [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {
+ "customLabel": "Writing",
+ "field": "apache.status.connections.async.writing"
+ },
+ "schema": "metric",
+ "type": "max"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "30s",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "customLabel": "Keep alive",
+ "field": "apache.status.connections.async.keep_alive"
+ },
+ "schema": "metric",
+ "type": "max"
+ },
+ {
+ "enabled": true,
+ "id": "4",
+ "params": {
+ "customLabel": "Closing",
+ "field": "apache.status.connections.async.closing"
+ },
+ "schema": "metric",
+ "type": "max"
+ }
+ ],
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {},
+ "legendPosition": "right",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "1",
+ "label": "Writing"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "3",
+ "label": "Keep alive"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "4",
+ "label": "Closing"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Connections"
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "title": "Connections [Metrics Apache]",
+ "type": "line"
+ }
+ },
+ "id": "apache-7724cf20-3a39-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-7d68f730-3a39-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-7d68f730-3a39-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..0f925bc270
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-7d68f730-3a39-11eb-8946-296aab7b13db.json
@@ -0,0 +1,141 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "title": "Total connections [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "30s",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "4",
+ "params": {
+ "customLabel": "Total",
+ "field": "apache.status.connections.total"
+ },
+ "schema": "metric",
+ "type": "max"
+ }
+ ],
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "grid": {
+ "categoryLines": false
+ },
+ "labels": {},
+ "legendPosition": "right",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "4",
+ "label": "Total"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Connections"
+ },
+ "type": "value"
+ }
+ ]
+ },
+ "title": "Total connections [Metrics Apache]",
+ "type": "line"
+ }
+ },
+ "id": "apache-7d68f730-3a39-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-805d7bb0-3a10-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-805d7bb0-3a10-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..c663484193
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-805d7bb0-3a10-11eb-8946-296aab7b13db.json
@@ -0,0 +1,56 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "title": "Apache Hostname [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [],
+ "params": {
+ "controls": [
+ {
+ "fieldName": "host.hostname",
+ "id": "1607512709833",
+ "indexPatternRefName": "control_0_index_pattern",
+ "label": "Hostname",
+ "options": {
+ "dynamicOptions": true,
+ "multiselect": false,
+ "order": "desc",
+ "size": 5,
+ "type": "terms"
+ },
+ "parent": "",
+ "type": "list"
+ }
+ ],
+ "pinFilters": false,
+ "updateFiltersOnChange": true,
+ "useTimeFilter": false
+ },
+ "title": "Apache Hostname [Metrics Apache]",
+ "type": "input_control_vis"
+ }
+ },
+ "id": "apache-805d7bb0-3a10-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "metrics-*",
+ "name": "control_0_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-99666080-3a20-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-99666080-3a20-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..fcf0f34c90
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-99666080-3a20-11eb-8946-296aab7b13db.json
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "title": "Total egress [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [],
+ "params": {
+ "axis_formatter": "number",
+ "axis_position": "left",
+ "axis_scale": "normal",
+ "background_color_rules": [
+ {
+ "id": "5414c4a0-3a1a-11eb-8b9a-851db9ca6ca8"
+ }
+ ],
+ "bar_color_rules": [
+ {
+ "id": "c532ace0-3a1c-11eb-8b9a-851db9ca6ca8"
+ }
+ ],
+ "default_index_pattern": "metrics-*",
+ "default_timefield": "@timestamp",
+ "gauge_color_rules": [
+ {
+ "id": "586a5890-3a19-11eb-8b9a-851db9ca6ca8"
+ }
+ ],
+ "gauge_inner_width": 10,
+ "gauge_style": "half",
+ "gauge_width": 10,
+ "id": "61ca57f0-469d-11e7-af02-69e470af7417",
+ "index_pattern": "",
+ "interval": "",
+ "isModelInvalid": false,
+ "series": [
+ {
+ "axis_position": "right",
+ "chart_type": "line",
+ "color": "#68BC00",
+ "fill": 0.5,
+ "filter": {
+ "language": "kuery",
+ "query": ""
+ },
+ "formatter": "bytes",
+ "id": "61ca57f1-469d-11e7-af02-69e470af7417",
+ "label": "Total egress",
+ "line_width": 1,
+ "metrics": [
+ {
+ "field": "apache.status.total_bytes",
+ "id": "61ca57f2-469d-11e7-af02-69e470af7417",
+ "type": "max"
+ }
+ ],
+ "point_size": 1,
+ "separate_axis": 0,
+ "split_color_mode": "kibana",
+ "split_mode": "everything",
+ "stacked": "none"
+ }
+ ],
+ "show_grid": 1,
+ "show_legend": 1,
+ "time_field": "",
+ "tooltip_mode": "show_all",
+ "type": "metric"
+ },
+ "title": "Total egress [Metrics Apache]",
+ "type": "metrics"
+ }
+ },
+ "id": "apache-99666080-3a20-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-HTTPD-CPU.json b/test/packages/apache/kibana/visualization/apache-HTTPD-CPU.json
index 5fce62e7a5..dc0b8c8496 100644
--- a/test/packages/apache/kibana/visualization/apache-HTTPD-CPU.json
+++ b/test/packages/apache/kibana/visualization/apache-HTTPD-CPU.json
@@ -3,7 +3,11 @@
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
- "filter": []
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
}
},
"savedSearchRefName": "search_0",
@@ -13,6 +17,7 @@
"visState": {
"aggs": [
{
+ "enabled": true,
"id": "1",
"params": {
"customLabel": "CPU load",
@@ -22,28 +27,42 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "2",
"params": {
+ "drop_partials": false,
"extended_bounds": {},
"field": "@timestamp",
"interval": "auto",
- "min_doc_count": 1
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
},
"schema": "segment",
"type": "date_histogram"
},
{
+ "enabled": true,
"id": "3",
"params": {
- "field": "apache.status.hostname",
+ "field": "host.hostname",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
"order": "desc",
"orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
"size": 5
},
"schema": "split",
"type": "terms"
},
{
+ "enabled": true,
"id": "4",
"params": {
"customLabel": "CPU user",
@@ -53,6 +72,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "5",
"params": {
"customLabel": "CPU system",
@@ -62,6 +82,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "6",
"params": {
"customLabel": "CPU children user",
@@ -71,6 +92,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "7",
"params": {
"customLabel": "CPU children system",
@@ -80,31 +102,156 @@
"type": "avg"
}
],
- "listeners": {},
"params": {
"addLegend": true,
"addTimeMarker": false,
"addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
"defaultYExtents": false,
"drawLinesBetweenPoints": true,
+ "grid": {
+ "categoryLines": false
+ },
"interpolate": "linear",
+ "labels": {},
+ "legendPosition": "right",
"radiusRatio": 9,
"row": true,
"scale": "linear",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "1",
+ "label": "CPU load"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "4",
+ "label": "CPU user"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "5",
+ "label": "CPU system"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "6",
+ "label": "CPU children user"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "7",
+ "label": "CPU children system"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
"setYExtents": false,
"shareYAxis": true,
"showCircles": true,
"smoothLines": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
"times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Count"
+ },
+ "type": "value"
+ }
+ ],
"yAxis": {}
},
- "title": "Apache HTTPD - CPU",
+ "title": "CPU usage [Metrics Apache]",
"type": "line"
}
},
"id": "apache-HTTPD-CPU",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
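Review bot: The new `valueAxes` entry in this hunk titles the Y axis `"text": "Count"` although every series plotted here is an `avg` of a CPU metric, so the rendered axis label will be wrong; the same stock title appears in the Load1/5/15 and Scoreboard hunks ending at L8055 and L8464. The charts added elsewhere in this change set a meaningful title (`"Bytes per sec"`, `"Workers"`), so this looks like the Kibana default that was never edited. Suggest `"text": "CPU usage"` here, with something like `"Load average"` and `"Workers"` in the other two.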
diff --git a/test/packages/apache/kibana/visualization/apache-HTTPD-Hostname-list.json b/test/packages/apache/kibana/visualization/apache-HTTPD-Hostname-list.json
deleted file mode 100644
index ea5454985c..0000000000
--- a/test/packages/apache/kibana/visualization/apache-HTTPD-Hostname-list.json
+++ /dev/null
@@ -1,71 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": []
- }
- },
- "savedSearchRefName": "search_0",
- "title": "Hostname list [Metrics Apache]",
- "uiStateJSON": {
- "vis": {
- "params": {
- "sort": {
- "columnIndex": null,
- "direction": null
- }
- }
- }
- },
- "version": 1,
- "visState": {
- "aggs": [
- {
- "id": "1",
- "params": {
- "customLabel": "Events count"
- },
- "schema": "metric",
- "type": "count"
- },
- {
- "id": "2",
- "params": {
- "customLabel": "Apache HTTD Hostname",
- "field": "apache.status.hostname",
- "order": "desc",
- "orderBy": "1",
- "size": 5
- },
- "schema": "bucket",
- "type": "terms"
- }
- ],
- "listeners": {},
- "params": {
- "perPage": 10,
- "showMeticsAtAllLevels": false,
- "showPartialRows": false,
- "sort": {
- "columnIndex": null,
- "direction": null
- }
- },
- "title": "Apache HTTPD - Hostname list",
- "type": "table"
- }
- },
- "id": "apache-HTTPD-Hostname-list",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "references": [
- {
- "id": "apache-HTTPD",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-HTTPD-Load1-slash-5-slash-15.json b/test/packages/apache/kibana/visualization/apache-HTTPD-Load1-slash-5-slash-15.json
index 488052c19d..8d0ba87a59 100644
--- a/test/packages/apache/kibana/visualization/apache-HTTPD-Load1-slash-5-slash-15.json
+++ b/test/packages/apache/kibana/visualization/apache-HTTPD-Load1-slash-5-slash-15.json
@@ -3,7 +3,11 @@
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
- "filter": []
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
}
},
"savedSearchRefName": "search_0",
@@ -13,6 +17,7 @@
"visState": {
"aggs": [
{
+ "enabled": true,
"id": "1",
"params": {
"customLabel": "Load 5",
@@ -22,17 +27,26 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "2",
"params": {
+ "drop_partials": false,
"extended_bounds": {},
"field": "@timestamp",
"interval": "auto",
- "min_doc_count": 1
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
},
"schema": "segment",
"type": "date_histogram"
},
{
+ "enabled": true,
"id": "3",
"params": {
"customLabel": "Load 1",
@@ -42,6 +56,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "4",
"params": {
"customLabel": "Load 15",
@@ -51,43 +66,145 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "5",
"params": {
"customLabel": "Hostname",
- "field": "apache.status.hostname",
+ "field": "host.hostname",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
"order": "desc",
"orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
"size": 5
},
"schema": "split",
"type": "terms"
}
],
- "listeners": {},
"params": {
"addLegend": true,
"addTimeMarker": false,
"addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
"defaultYExtents": false,
"drawLinesBetweenPoints": true,
+ "grid": {
+ "categoryLines": false
+ },
"interpolate": "linear",
+ "labels": {},
+ "legendPosition": "right",
"radiusRatio": 9,
"row": true,
"scale": "linear",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "1",
+ "label": "Load 5"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "3",
+ "label": "Load 1"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "4",
+ "label": "Load 15"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
"setYExtents": false,
"shareYAxis": true,
"showCircles": true,
"smoothLines": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
"times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Count"
+ },
+ "type": "value"
+ }
+ ],
"yAxis": {}
},
- "title": "Apache HTTPD - Load1/5/15",
+ "title": "Load1/5/15 [Metrics Apache]",
"type": "line"
}
},
"id": "apache-HTTPD-Load1-slash-5-slash-15",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-HTTPD-Scoreboard.json b/test/packages/apache/kibana/visualization/apache-HTTPD-Scoreboard.json
index 7af844ff47..1167e1092a 100644
--- a/test/packages/apache/kibana/visualization/apache-HTTPD-Scoreboard.json
+++ b/test/packages/apache/kibana/visualization/apache-HTTPD-Scoreboard.json
@@ -3,7 +3,11 @@
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
- "filter": []
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
}
},
"savedSearchRefName": "search_0",
@@ -13,6 +17,7 @@
"visState": {
"aggs": [
{
+ "enabled": true,
"id": "1",
"params": {
"customLabel": "Closing connection",
@@ -22,29 +27,43 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "2",
"params": {
+ "drop_partials": false,
"extended_bounds": {},
"field": "@timestamp",
"interval": "auto",
- "min_doc_count": 1
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
},
"schema": "segment",
"type": "date_histogram"
},
{
+ "enabled": true,
"id": "3",
"params": {
"customLabel": "Hostname",
- "field": "apache.status.hostname",
+ "field": "host.hostname",
+ "missingBucket": false,
+ "missingBucketLabel": "Missing",
"order": "desc",
"orderBy": "1",
+ "otherBucket": false,
+ "otherBucketLabel": "Other",
"size": 5
},
"schema": "split",
"type": "terms"
},
{
+ "enabled": true,
"id": "4",
"params": {
"customLabel": "DNS lookup",
@@ -54,6 +73,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "5",
"params": {
"customLabel": "Gracefully finishing",
@@ -63,6 +83,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "6",
"params": {
"customLabel": "Idle cleanup",
@@ -72,6 +93,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "7",
"params": {
"customLabel": "Keepalive",
@@ -81,6 +103,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "8",
"params": {
"customLabel": "Logging",
@@ -90,6 +113,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "9",
"params": {
"customLabel": "Open slot",
@@ -99,6 +123,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "10",
"params": {
"customLabel": "Reading request",
@@ -108,6 +133,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "11",
"params": {
"customLabel": "Sending reply",
@@ -117,6 +143,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "12",
"params": {
"customLabel": "Starting up",
@@ -126,6 +153,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "13",
"params": {
"customLabel": "Total",
@@ -135,6 +163,7 @@
"type": "avg"
},
{
+ "enabled": true,
"id": "14",
"params": {
"customLabel": "Waiting for connection",
@@ -144,31 +173,254 @@
"type": "avg"
}
],
- "listeners": {},
"params": {
"addLegend": true,
"addTimeMarker": false,
"addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
"defaultYExtents": false,
"drawLinesBetweenPoints": true,
+ "grid": {
+ "categoryLines": false
+ },
"interpolate": "linear",
+ "labels": {},
+ "legendPosition": "right",
"radiusRatio": 9,
"row": true,
"scale": "linear",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "1",
+ "label": "Closing connection"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "4",
+ "label": "DNS lookup"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "5",
+ "label": "Gracefully finishing"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "6",
+ "label": "Idle cleanup"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "7",
+ "label": "Keepalive"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "8",
+ "label": "Logging"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "9",
+ "label": "Open slot"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "10",
+ "label": "Reading request"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "11",
+ "label": "Sending reply"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "12",
+ "label": "Starting up"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "13",
+ "label": "Total"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "14",
+ "label": "Waiting for connection"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
"setYExtents": false,
"shareYAxis": true,
"showCircles": true,
"smoothLines": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
"times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Count"
+ },
+ "type": "value"
+ }
+ ],
"yAxis": {}
},
- "title": "Apache HTTPD - Scoreboard",
+ "title": "Scoreboard [Metrics Apache]",
"type": "line"
}
},
"id": "apache-HTTPD-Scoreboard",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-HTTPD-Total-accesses-and-kbytes.json b/test/packages/apache/kibana/visualization/apache-HTTPD-Total-accesses-and-kbytes.json
deleted file mode 100644
index b4adcccb0d..0000000000
--- a/test/packages/apache/kibana/visualization/apache-HTTPD-Total-accesses-and-kbytes.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": []
- }
- },
- "savedSearchRefName": "search_0",
- "title": "Total accesses and kbytes [Metrics Apache]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [
- {
- "id": "1",
- "params": {
- "customLabel": "Total kbytes",
- "field": "apache.status.total_bytes"
- },
- "schema": "metric",
- "type": "max"
- },
- {
- "id": "2",
- "params": {
- "customLabel": "Total accesses",
- "field": "apache.status.total_accesses"
- },
- "schema": "metric",
- "type": "max"
- }
- ],
- "listeners": {},
- "params": {
- "fontSize": 60,
- "handleNoResults": true
- },
- "title": "Apache HTTPD - Total accesses and kbytes",
- "type": "metric"
- }
- },
- "id": "apache-HTTPD-Total-accesses-and-kbytes",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "references": [
- {
- "id": "apache-HTTPD",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-HTTPD-Uptime.json b/test/packages/apache/kibana/visualization/apache-HTTPD-Uptime.json
deleted file mode 100644
index f5a9d3704d..0000000000
--- a/test/packages/apache/kibana/visualization/apache-HTTPD-Uptime.json
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": []
- }
- },
- "savedSearchRefName": "search_0",
- "title": "Uptime [Metrics Apache]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [
- {
- "id": "1",
- "params": {
- "customLabel": "Uptime",
- "field": "apache.status.uptime.uptime"
- },
- "schema": "metric",
- "type": "max"
- },
- {
- "id": "2",
- "params": {
- "customLabel": "Server uptime",
- "field": "apache.status.uptime.server_uptime"
- },
- "schema": "metric",
- "type": "max"
- }
- ],
- "listeners": {},
- "params": {
- "fontSize": 60,
- "handleNoResults": true
- },
- "title": "Apache HTTPD - Uptime",
- "type": "metric"
- }
- },
- "id": "apache-HTTPD-Uptime",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "references": [
- {
- "id": "apache-HTTPD",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-HTTPD-Workers.json b/test/packages/apache/kibana/visualization/apache-HTTPD-Workers.json
deleted file mode 100644
index 6f54ccaadf..0000000000
--- a/test/packages/apache/kibana/visualization/apache-HTTPD-Workers.json
+++ /dev/null
@@ -1,91 +0,0 @@
-{
- "attributes": {
- "description": "",
- "kibanaSavedObjectMeta": {
- "searchSourceJSON": {
- "filter": []
- }
- },
- "savedSearchRefName": "search_0",
- "title": "Workers [Metrics Apache]",
- "uiStateJSON": {},
- "version": 1,
- "visState": {
- "aggs": [
- {
- "id": "1",
- "params": {
- "customLabel": "Busy workers",
- "field": "apache.status.workers.busy"
- },
- "schema": "metric",
- "type": "avg"
- },
- {
- "id": "2",
- "params": {
- "extended_bounds": {},
- "field": "@timestamp",
- "interval": "auto",
- "min_doc_count": 1
- },
- "schema": "segment",
- "type": "date_histogram"
- },
- {
- "id": "3",
- "params": {
- "customLabel": "Hostname",
- "field": "apache.status.hostname",
- "order": "desc",
- "orderBy": "1",
- "size": 5
- },
- "schema": "split",
- "type": "terms"
- },
- {
- "id": "4",
- "params": {
- "customLabel": "Idle workers",
- "field": "apache.status.workers.idle"
- },
- "schema": "metric",
- "type": "avg"
- }
- ],
- "listeners": {},
- "params": {
- "addLegend": true,
- "addTimeMarker": false,
- "addTooltip": true,
- "defaultYExtents": false,
- "drawLinesBetweenPoints": true,
- "interpolate": "linear",
- "radiusRatio": 9,
- "row": true,
- "scale": "linear",
- "setYExtents": false,
- "shareYAxis": true,
- "showCircles": true,
- "smoothLines": false,
- "times": [],
- "yAxis": {}
- },
- "title": "Apache HTTPD - Workers",
- "type": "line"
- }
- },
- "id": "apache-HTTPD-Workers",
- "migrationVersion": {
- "visualization": "7.8.0"
- },
- "references": [
- {
- "id": "apache-HTTPD",
- "name": "search_0",
- "type": "search"
- }
- ],
- "type": "visualization"
-}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-a45311f0-3a34-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-a45311f0-3a34-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..ec859d0cc0
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-a45311f0-3a34-11eb-8946-296aab7b13db.json
@@ -0,0 +1,152 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Bytes per sec [Metrics Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {
+ "customLabel": "Bytes per sec",
+ "field": "apache.status.bytes_per_sec"
+ },
+ "schema": "metric",
+ "type": "avg"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ }
+ ],
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "drawLinesBetweenPoints": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "interpolate": "linear",
+ "labels": {},
+ "legendPosition": "right",
+ "radiusRatio": 9,
+ "row": true,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "1",
+ "label": "Bytes per sec"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "shareYAxis": true,
+ "showCircles": true,
+ "smoothLines": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": true,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Bytes per sec"
+ },
+ "type": "value"
+ }
+ ],
+ "yAxis": {}
+ },
+ "title": "Bytes per sec [Metrics Apache]",
+ "type": "line"
+ }
+ },
+ "id": "apache-a45311f0-3a34-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "apache-HTTPD",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-access-unique-IPs-map.json b/test/packages/apache/kibana/visualization/apache-access-unique-IPs-map.json
index 1263059c4e..4504b84a68 100644
--- a/test/packages/apache/kibana/visualization/apache-access-unique-IPs-map.json
+++ b/test/packages/apache/kibana/visualization/apache-access-unique-IPs-map.json
@@ -72,7 +72,7 @@
},
"id": "apache-access-unique-IPs-map",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-browsers.json b/test/packages/apache/kibana/visualization/apache-browsers.json
index 6506bebf8b..5cc8e7bc52 100644
--- a/test/packages/apache/kibana/visualization/apache-browsers.json
+++ b/test/packages/apache/kibana/visualization/apache-browsers.json
@@ -60,7 +60,7 @@
},
"id": "apache-browsers",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-ed44f820-3a10-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-ed44f820-3a10-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..bc84a0c66d
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-ed44f820-3a10-11eb-8946-296aab7b13db.json
@@ -0,0 +1,56 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "title": "Apache Hostname [Logs Apache]",
+ "uiStateJSON": {},
+ "version": 1,
+ "visState": {
+ "aggs": [],
+ "params": {
+ "controls": [
+ {
+ "fieldName": "host.hostname",
+ "id": "1607512709833",
+ "indexPatternRefName": "control_0_index_pattern",
+ "label": "Hostname",
+ "options": {
+ "dynamicOptions": true,
+ "multiselect": false,
+ "order": "desc",
+ "size": 5,
+ "type": "terms"
+ },
+ "parent": "",
+ "type": "list"
+ }
+ ],
+ "pinFilters": false,
+ "updateFiltersOnChange": true,
+ "useTimeFilter": false
+ },
+ "title": "Apache Hostname [Logs Apache]",
+ "type": "input_control_vis"
+ }
+ },
+ "id": "apache-ed44f820-3a10-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "control_0_index_pattern",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
diff --git a/test/packages/apache/kibana/visualization/apache-error-logs-over-time.json b/test/packages/apache/kibana/visualization/apache-error-logs-over-time.json
index 480a4a2750..bb97fac6a7 100644
--- a/test/packages/apache/kibana/visualization/apache-error-logs-over-time.json
+++ b/test/packages/apache/kibana/visualization/apache-error-logs-over-time.json
@@ -64,7 +64,7 @@
},
"id": "apache-error-logs-over-time",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-f4ffec70-3a36-11eb-8946-296aab7b13db.json b/test/packages/apache/kibana/visualization/apache-f4ffec70-3a36-11eb-8946-296aab7b13db.json
new file mode 100644
index 0000000000..fad15583fb
--- /dev/null
+++ b/test/packages/apache/kibana/visualization/apache-f4ffec70-3a36-11eb-8946-296aab7b13db.json
@@ -0,0 +1,180 @@
+{
+ "attributes": {
+ "description": "",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "savedSearchRefName": "search_0",
+ "title": "Workers [Metrics Apache]",
+ "uiStateJSON": {
+ "vis": {
+ "legendOpen": true
+ }
+ },
+ "version": 1,
+ "visState": {
+ "aggs": [
+ {
+ "enabled": true,
+ "id": "1",
+ "params": {
+ "customLabel": "Busy workers",
+ "field": "apache.status.workers.busy"
+ },
+ "schema": "metric",
+ "type": "avg"
+ },
+ {
+ "enabled": true,
+ "id": "2",
+ "params": {
+ "drop_partials": false,
+ "extended_bounds": {},
+ "field": "@timestamp",
+ "interval": "auto",
+ "min_doc_count": 1,
+ "scaleMetricValues": false,
+ "timeRange": {
+ "from": "now-15m",
+ "to": "now"
+ },
+ "useNormalizedEsInterval": true
+ },
+ "schema": "segment",
+ "type": "date_histogram"
+ },
+ {
+ "enabled": true,
+ "id": "3",
+ "params": {
+ "customLabel": "Idle workers",
+ "field": "apache.status.workers.idle"
+ },
+ "schema": "metric",
+ "type": "avg"
+ }
+ ],
+ "params": {
+ "addLegend": true,
+ "addTimeMarker": false,
+ "addTooltip": true,
+ "categoryAxes": [
+ {
+ "id": "CategoryAxis-1",
+ "labels": {
+ "filter": true,
+ "show": true,
+ "truncate": 100
+ },
+ "position": "bottom",
+ "scale": {
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {},
+ "type": "category"
+ }
+ ],
+ "defaultYExtents": false,
+ "drawLinesBetweenPoints": true,
+ "grid": {
+ "categoryLines": false
+ },
+ "interpolate": "linear",
+ "labels": {},
+ "legendPosition": "right",
+ "radiusRatio": 9,
+ "row": true,
+ "scale": "linear",
+ "seriesParams": [
+ {
+ "data": {
+ "id": "1",
+ "label": "Busy workers"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ },
+ {
+ "data": {
+ "id": "3",
+ "label": "Idle workers"
+ },
+ "drawLinesBetweenPoints": true,
+ "interpolate": "linear",
+ "lineWidth": 2,
+ "mode": "normal",
+ "show": true,
+ "showCircles": false,
+ "type": "line",
+ "valueAxis": "ValueAxis-1"
+ }
+ ],
+ "setYExtents": false,
+ "shareYAxis": true,
+ "showCircles": true,
+ "smoothLines": false,
+ "thresholdLine": {
+ "color": "#E7664C",
+ "show": false,
+ "style": "full",
+ "value": 10,
+ "width": 1
+ },
+ "times": [],
+ "type": "line",
+ "valueAxes": [
+ {
+ "id": "ValueAxis-1",
+ "labels": {
+ "filter": false,
+ "rotate": 0,
+ "show": false,
+ "truncate": 100
+ },
+ "name": "LeftAxis-1",
+ "position": "left",
+ "scale": {
+ "mode": "normal",
+ "type": "linear"
+ },
+ "show": true,
+ "style": {},
+ "title": {
+ "text": "Workers"
+ },
+ "type": "value"
+ }
+ ],
+ "yAxis": {}
+ },
+ "title": "Workers [Metrics Apache]",
+ "type": "line"
+ }
+ },
+ "id": "apache-f4ffec70-3a36-11eb-8946-296aab7b13db",
+ "migrationVersion": {
+ "visualization": "7.9.3"
+ },
+ "references": [
+ {
+ "id": "apache-HTTPD",
+ "name": "search_0",
+ "type": "search"
+ }
+ ],
+ "type": "visualization"
+}
\ No newline at end of file
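Review bot: The value axis in this file hides its tick labels (`"show": false` under `valueAxes[0].labels`), whereas every other line chart in this change (Bytes per sec, CPU, Load1/5/15, Scoreboard) sets it to `true`, so the Workers chart will render with no Y-axis numbers. If this is intended it is worth confirming, since `uiStateJSON.vis.legendOpen` is the only other place this visualization deviates from its siblings; otherwise change it to `"show": true` to match them.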
diff --git a/test/packages/apache/kibana/visualization/apache-operating-systems.json b/test/packages/apache/kibana/visualization/apache-operating-systems.json
index 0d371fb525..196f983cd6 100644
--- a/test/packages/apache/kibana/visualization/apache-operating-systems.json
+++ b/test/packages/apache/kibana/visualization/apache-operating-systems.json
@@ -60,7 +60,7 @@
},
"id": "apache-operating-systems",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-response-codes-of-top-URLs.json b/test/packages/apache/kibana/visualization/apache-response-codes-of-top-URLs.json
index 6a27d092a1..6b8eb93302 100644
--- a/test/packages/apache/kibana/visualization/apache-response-codes-of-top-URLs.json
+++ b/test/packages/apache/kibana/visualization/apache-response-codes-of-top-URLs.json
@@ -67,7 +67,7 @@
},
"id": "apache-response-codes-of-top-URLs",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/kibana/visualization/apache-response-codes-over-time.json b/test/packages/apache/kibana/visualization/apache-response-codes-over-time.json
index 2847a150fc..8f36ed2601 100644
--- a/test/packages/apache/kibana/visualization/apache-response-codes-over-time.json
+++ b/test/packages/apache/kibana/visualization/apache-response-codes-over-time.json
@@ -71,7 +71,7 @@
},
"id": "apache-response-codes-over-time",
"migrationVersion": {
- "visualization": "7.8.0"
+ "visualization": "7.9.3"
},
"references": [
{
diff --git a/test/packages/apache/manifest.yml b/test/packages/apache/manifest.yml
index 47e87b9896..b04065d21c 100644
--- a/test/packages/apache/manifest.yml
+++ b/test/packages/apache/manifest.yml
@@ -1,23 +1,26 @@
format_version: 1.0.0
name: apache
-title: Apache
-version: 0.0.1
+title: Apache HTTP Server
+# version is set to something very large to so this test package can
+# be installed in the package registry regardless of the version of
+# the actual apache package in the registry at any given time.
+version: 999.999.999
license: basic
-description: Apache Integration
+description: Collect logs and metrics from Apache servers with Elastic Agent.
type: integration
categories:
- web
-release: experimental
+release: ga
conditions:
- kibana.version: '^7.9.0'
+ kibana.version: "^7.14.0 || ^8.0.0"
screenshots:
- - src: /img/kibana-apache.png
- title: Apache Integration
- size: 1215x1199
+ - src: /img/apache-metrics-overview.png
+ title: Apache metrics overview
+ size: 3360x3064
type: image/png
- - src: /img/apache_httpd_server_status.png
- title: Apache HTTPD Server Status
- size: 1919x1079
+ - src: /img/apache-logs-overview.png
+ title: Apache logs overview
+ size: 3342x1384
type: image/png
icons:
- src: /img/logo_apache.svg
@@ -32,6 +35,65 @@ policy_templates:
- type: logfile
title: Collect logs from Apache instances
description: Collecting Apache access and error logs
+ - type: httpjson
+ title: Collect logs from third-party REST API (experimental)
+ description: Collect logs from third-party REST API (experimental)
+ vars:
+ - name: url
+ type: text
+ title: URL of Splunk Enterprise Server
+ description: i.e. scheme://host:port, path is automatic
+ show_user: true
+ required: true
+ default: https://server.example.com:8089
+ - name: username
+ type: text
+ title: Splunk REST API Username
+ show_user: true
+ required: false
+ - name: password
+ type: password
+ title: Splunk REST API Password
+ show_user: true
+ required: false
+ - name: token
+ type: password
+ title: Splunk Authorization Token
+ description: |
+ Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+ or "Splunk 192fd3e...". Cannot be used with username
+ and password.
+ show_user: true
+ required: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
- type: apache/metrics
title: Collect metrics from Apache instances
description: Collecting Apache status metrics
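Review bot: The vars added for the `httpjson` policy template are labelled as Splunk-specific (`title: URL of Splunk Enterprise Server`, `Splunk REST API Username`, `Splunk Authorization Token`) while the template's own `title`/`description` only say "third-party REST API", so a user configuring it cannot tell from the template header which API is actually targeted; either the template title should name Splunk or the var titles should be made generic. The `token` description says it cannot be combined with `username`/`password`, but the `username` and `password` vars carry no description at all, so the constraint is only visible from one side; adding `description: Cannot be used together with a token.` to both would make it symmetric. The `url` description `i.e. scheme://host:port, path is automatic` gives an example rather than a restatement, so `e.g.` is the intended abbreviation. The `ssl` var's `default` is entirely commented-out text, which is fine as a template but worth saying in its description (e.g. "The default is an example only; uncomment to use.") since `show_user: false` means most users will never see it.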
@@ -45,4 +107,4 @@ policy_templates:
default:
- http://127.0.0.1
owner:
- github: elastic/integrations-services
+ github: elastic/integrations
diff --git a/test/packages/aws/_dev/build/build.yml b/test/packages/aws/_dev/build/build.yml
new file mode 100644
index 0000000000..08d85edcf9
--- /dev/null
+++ b/test/packages/aws/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@1.12
diff --git a/test/packages/aws/_dev/build/docs/README.md b/test/packages/aws/_dev/build/docs/README.md
index e36b499695..c40242cdf6 100644
--- a/test/packages/aws/_dev/build/docs/README.md
+++ b/test/packages/aws/_dev/build/docs/README.md
@@ -15,6 +15,20 @@ AWS credentials are required for running AWS integration.
* *endpoint*: URL of the entry point for an AWS web service.
* *role_arn*: AWS IAM Role to assume.
+#### Data stream specific configuration parameters
+* *latency*: Some AWS services send monitoring metrics to CloudWatch with a
+latency to process larger than Metricbeat collection period. This will cause
+data points missing or none get collected by Metricbeat. In this case, please
+specify a latency parameter so collection start time and end time will be
+shifted by the given latency amount.
+* *period*: How often the data stream is executed.
+* *regions*: Specify which AWS regions to query metrics from. If the `regions`
+is not set in the config, then by default, the integration will query metrics
+from all available AWS regions. If `endpoint` is specified, `regions` becomes a
+required config parameter.
+* *tags_filter*: Tag key value pairs from aws resources. A tag is a label that
+user assigns to an AWS resource.
+
### Credential Types
There are three types of AWS credentials can be used: access keys, temporary
security credentials and IAM role ARN.
@@ -61,10 +75,14 @@ temporary credentials. Please see
for more details.
### Supported Formats
-1. Use `access_key_id`, `secret_access_key` and/or `session_token` directly
-2. Use `role_arn`: If `access_key_id` and `secret_access_key` are not given,
-then the package will check for `role_arn`. `role_arn` is used to specify which
- AWS IAM role to assume for generating temporary credentials.
+1. Use access keys: Access keys include `access_key_id`, `secret_access_key`
+and/or `session_token`.
+2. Use `role_arn`: `role_arn` is used to specify which AWS IAM role to assume
+for generating temporary credentials. If `role_arn` is given, the package will
+check if access keys are given. If not, the package will check for credential
+profile name. If neither is given, default credential profile will be used.
+Please make sure credentials are given under either a credential profile or
+access keys.
3. Use `credential_profile_name` and/or `shared_credential_file`:
If `access_key_id`, `secret_access_key` and `role_arn` are all not given, then
the package will check for `credential_profile_name`. If you use different
diff --git a/test/packages/aws/_dev/build/docs/cloudtrail.md b/test/packages/aws/_dev/build/docs/cloudtrail.md
index e06cbe105b..cbe7fb05c1 100644
--- a/test/packages/aws/_dev/build/docs/cloudtrail.md
+++ b/test/packages/aws/_dev/build/docs/cloudtrail.md
@@ -9,3 +9,5 @@ events for the account. If user creates a trail, it delivers those events as log
Integrity is turned on, it only reads the CloudTrail logs.
{{fields "cloudtrail"}}
+
+{{event "cloudtrail"}}
diff --git a/test/packages/aws/_dev/build/docs/cloudwatch.md b/test/packages/aws/_dev/build/docs/cloudwatch.md
index 50fe1a5a5f..a27d5f8c8b 100644
--- a/test/packages/aws/_dev/build/docs/cloudwatch.md
+++ b/test/packages/aws/_dev/build/docs/cloudwatch.md
@@ -9,6 +9,8 @@ setup already.
{{fields "cloudwatch_logs"}}
+{{event "cloudwatch_logs"}}
+
## Metrics
{{event "cloudwatch_metrics"}}
diff --git a/test/packages/aws/_dev/build/docs/ec2.md b/test/packages/aws/_dev/build/docs/ec2.md
index 9a9fe5e428..f0e6205075 100644
--- a/test/packages/aws/_dev/build/docs/ec2.md
+++ b/test/packages/aws/_dev/build/docs/ec2.md
@@ -9,6 +9,8 @@ and `process.name`. For logs from other services, please use `cloudwatch` datase
{{fields "ec2_logs"}}
+{{event "ec2_logs"}}
+
## Metrics
{{event "ec2_metrics"}}
diff --git a/test/packages/aws/_dev/build/docs/elb.md b/test/packages/aws/_dev/build/docs/elb.md
index 608ed45e66..db9413e39f 100644
--- a/test/packages/aws/_dev/build/docs/elb.md
+++ b/test/packages/aws/_dev/build/docs/elb.md
@@ -16,6 +16,8 @@ For network load balancer, please follow [enable access log for network load bal
{{fields "elb_logs"}}
+{{event "elb_logs"}}
+
## Metrics
{{event "elb_metrics"}}
diff --git a/test/packages/aws/_dev/build/docs/s3.md b/test/packages/aws/_dev/build/docs/s3.md
index cfa236aa13..ae3faed53b 100644
--- a/test/packages/aws/_dev/build/docs/s3.md
+++ b/test/packages/aws/_dev/build/docs/s3.md
@@ -12,6 +12,8 @@ for sending server access logs to S3 bucket.
{{fields "s3access"}}
+{{event "s3access"}}
+
## Metrics
### s3_daily_storage
diff --git a/test/packages/aws/_dev/build/docs/s3_storage_lens.md b/test/packages/aws/_dev/build/docs/s3_storage_lens.md
new file mode 100644
index 0000000000..275ba37372
--- /dev/null
+++ b/test/packages/aws/_dev/build/docs/s3_storage_lens.md
@@ -0,0 +1,7 @@
+# s3 storage lens
+
+## Metrics
+
+{{event "s3_storage_lens"}}
+
+{{fields "s3_storage_lens"}}
\ No newline at end of file
diff --git a/test/packages/aws/_dev/build/docs/vpcflow.md b/test/packages/aws/_dev/build/docs/vpcflow.md
index f707db5822..65e7e4fc9b 100644
--- a/test/packages/aws/_dev/build/docs/vpcflow.md
+++ b/test/packages/aws/_dev/build/docs/vpcflow.md
@@ -3,3 +3,5 @@
## Logs
{{fields "vpcflow"}}
+
+{{event "vpcflow"}}
\ No newline at end of file
diff --git a/test/packages/aws/_dev/build/docs/waf.md b/test/packages/aws/_dev/build/docs/waf.md
new file mode 100644
index 0000000000..eeca8301b9
--- /dev/null
+++ b/test/packages/aws/_dev/build/docs/waf.md
@@ -0,0 +1,9 @@
+# waf
+
+## Logs
+
+The `waf` dataset is specifically for WAF logs. Export logs from Kinesis Data Firehose to Amazon S3 bucket which has SQS notification setup already.
+
+{{fields "waf"}}
+
+{{event "waf"}}
\ No newline at end of file
diff --git a/test/packages/aws/changelog.yml b/test/packages/aws/changelog.yml
index 4ae28cb66a..72a1732365 100644
--- a/test/packages/aws/changelog.yml
+++ b/test/packages/aws/changelog.yml
@@ -1,21 +1,226 @@
# newer versions go on top
- version: "999.999.999"
changes:
- - description: Use input groups.
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ - description: Change test public IPs to the supported subset
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/2327
+- version: "1.6.1"
+ changes:
+ - description: Fix the value of event.created in CloudTrail data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2325
+- version: "1.6.0"
+ changes:
+ - description: Add max_number_of_messages config option to AWS S3 input config.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2299
+- version: "1.5.1"
+ changes:
+ - description: Add missing sample events
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2282
+- version: "1.5.0"
+ changes:
+ - description: Support Kibana 8.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2206
+- version: "1.4.1"
+ changes:
+ - description: Add Overview dashboard for AWS S3 Storage Lens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2153
+- version: "1.4.0"
+ changes:
+ - description: Add integration for AWS S3 Storage Lens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2142
+- version: "1.3.2"
+ changes:
+ - description: Uniform with guidelines
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2003
+- version: "1.3.1"
+ changes:
+ - description: Add config parameter descriptions
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1917
+- version: "1.3.0"
+ changes:
+ - description: Add WAF datastream
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1886
+- version: "1.2.2"
+ changes:
+ - description: Prevent pipeline script error
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1871
+- version: "1.2.1"
+ changes:
+ - description: Fix logic that checks for the 'forwarded' tag
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1797
+- version: "1.2.0"
+ changes:
+ - description: Update to ECS 1.12.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1687
+- version: "1.1.0"
+ changes:
+ - description: vpcflow sync with filebeat fileset
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1772
+- version: "1.0.0"
+ changes:
+ - description: Release AWS as GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1623
+- version: "0.10.7"
+ changes:
+ - description: Add proxy config
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1648
+- version: "0.10.6"
+ changes:
+ - description: Fix aws.billing.EstimatedCharges field name
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1606
+- version: "0.10.5"
+ changes:
+ - description: Add event.created field
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1590
+- version: "0.10.4"
+ changes:
+ - description: Improve RDS dashboard
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1449
+- version: "0.10.3"
+ changes:
+ - description: Convert to generated ECS fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1465
+- version: '0.10.2'
+ changes:
+ - description: update to ECS 1.11.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1371
+- version: "0.10.1"
+ changes:
+ - description: Escape special characters in docs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1405
+- version: "0.10.0"
+ changes:
+ - description: Update integration description
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1364
+- version: "0.9.3"
+ changes:
+ - description: Fix categories for each policy template
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1357
+- version: "0.9.2"
+ changes:
+ - description: Add linked account information into billing metricset
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1334
+- version: "0.9.1"
+ changes:
+ - description: Fix `aws.s3access` pipeline when remote IP is a `-`
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1333
+- version: "0.9.0"
+ changes:
+ - description: Change default credential options to access keys
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1320
+- version: "0.8.0"
+ changes:
+ - description: Set "event.module" and "event.dataset"
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1245
+- version: "0.7.0"
+ changes:
+ - description: Introduce granularity using input_groups
+ type: enhancement
link: https://github.com/elastic/integrations/pull/767
+- version: "0.6.4"
+ changes:
+ - description: Add support for Splunk authorization tokens
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1147
+- version: "0.6.3"
+ changes:
+ - description: Fix bug in Third Party ingest pipeline
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1201
+- version: "0.6.2"
+ changes:
+ - description: Removed incorrect `http.request.referrer` field from elb logs
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1212
+- version: "0.6.1"
+ changes:
+ - description: Add support for CloudTrail Digest & Insight logs
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1079
+- version: "0.6.0"
+ changes:
+ - description: Update ECS version, add event.original and preparing for package GA
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1070
+- version: "0.5.6"
+ changes:
+ - description: Fix stack compatability
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/1000
+- version: "0.5.5"
+ changes:
+ - description: Allow role_arn work with access keys for AWS
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/979
+- version: "0.5.4"
+ changes:
+ - description: Rename s3 input to aws-s3.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/631
+- version: "0.5.3"
+ changes:
+ - description: Add missing "geo" fields
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/919
+- version: "0.5.2"
+ changes:
+ - description: update to ECS 1.9.0
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/834
+- version: "0.5.1"
+ changes:
+ - description: Ignore missing "json" field in ingest pipeline
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/791
+- version: "0.5.0"
+ changes:
+ - description: Moving edge processors to ingest pipeline
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/782
+- version: "0.4.2"
+ changes:
+ - description: Updating package owner
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/766
- version: "0.4.1"
changes:
- description: Correct sample event file.
- type: bugfix # can be one of: enhancement, bugfix, breaking-change
+ type: bugfix
link: https://github.com/elastic/integrations/pull/754
- version: "0.4.0"
changes:
- description: Add changes to use ECS 1.8 fields.
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ type: enhancement
link: https://github.com/elastic/integrations/pull/721
- version: "0.0.3"
changes:
- description: initial release
- type: enhancement # can be one of: enhancement, bugfix, breaking-change
+ type: enhancement
link: https://github.com/elastic/integrations/pull/21
diff --git a/test/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs
index caae1156d6..45017bd29c 100644
--- a/test/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/billing/agent/stream/stream.yml.hbs
@@ -32,4 +32,7 @@ cost_explorer_config.group_by_tag_keys:
{{#each cost_explorer_config.group_by_tag_keys as |tag_key i|}}
- {{tag_key}}
{{/each}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
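Review bot: `proxy_url: {{proxy_url}}` is emitted as an unquoted plain scalar, so the user-supplied value is subject to YAML parsing after templating; a value containing ` #` or `: ` would be silently truncated or mis-parsed instead of being passed through as the URL. Quoting the rendered value, `proxy_url: "{{proxy_url}}"`, keeps the whole string intact — assuming the template engine does not itself escape quotes, which this hunk does not show. The condition `{{#if proxy_url }}` also has a stray space before `}}` that the existing `{{#each ...}}` and `{{/if}}` lines do not use; `{{#if proxy_url}}` matches the file's style. The enclosing template starts outside the hunk.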
diff --git a/test/packages/aws/data_stream/billing/fields/base-fields.yml b/test/packages/aws/data_stream/billing/fields/base-fields.yml
index 7c798f4534..f3e0e8980d 100644
--- a/test/packages/aws/data_stream/billing/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/billing/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.billing
diff --git a/test/packages/aws/data_stream/billing/fields/ecs.yml b/test/packages/aws/data_stream/billing/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/billing/fields/ecs.yml
+++ b/test/packages/aws/data_stream/billing/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/billing/fields/fields.yml b/test/packages/aws/data_stream/billing/fields/fields.yml
index 5b3ee582a6..b91f8f3645 100644
--- a/test/packages/aws/data_stream/billing/fields/fields.yml
+++ b/test/packages/aws/data_stream/billing/fields/fields.yml
@@ -4,7 +4,7 @@
- name: billing
type: group
fields:
- - name: EstimatedCharges.max
+ - name: EstimatedCharges
type: long
description: Maximum estimated charges for AWS acccount.
- name: Currency
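Review bot: `EstimatedCharges` keeps `type: long` after the rename, yet the updated sample event in the `sample_event.json` hunk later in this diff carries `"EstimatedCharges": 39.26`, a fractional value; a `long` mapping cannot hold the cents, so depending on index coercion the value is either truncated or rejected, and `type: float` (or `double`) would match the data. The description `Maximum estimated charges for AWS acccount.` was written for the removed `.max` aggregation and still says "Maximum" and misspells "account"; `description: Estimated charges for the AWS account.` fits the renamed field. The same field/type mismatch applies to the sample_event.json hunk below.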
diff --git a/test/packages/aws/data_stream/billing/fields/package-fields.yml b/test/packages/aws/data_stream/billing/fields/package-fields.yml
index a8a7ee8dcc..7adc9facb0 100644
--- a/test/packages/aws/data_stream/billing/fields/package-fields.yml
+++ b/test/packages/aws/data_stream/billing/fields/package-fields.yml
@@ -17,3 +17,16 @@
type: object
description: |
Metrics that returned from Cloudwatch API query.
+ - name: linked_account
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: >
+ ID used to identify linked account.
+
+ - name: name
+ type: keyword
+ description: >
+ Name or alias used to identify linked account.
+
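Review bot: The two `description: >` folded scalars for `linked_account.id` and `linked_account.name` are each followed by an added blank line, which under the clip chomping of `>` leaves a trailing newline in the description and, for the last one, a trailing blank line at end of file. Using `description: >-` (or a plain single-line `description: ID used to identify linked account.`) yields the same text without the trailing newline and drops the two empty `+` lines. This is purely a formatting point; the field definitions themselves look consistent with the sibling entries above the hunk.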
diff --git a/test/packages/aws/data_stream/billing/manifest.yml b/test/packages/aws/data_stream/billing/manifest.yml
index e42030e46c..dcdfb390f1 100644
--- a/test/packages/aws/data_stream/billing/manifest.yml
+++ b/test/packages/aws/data_stream/billing/manifest.yml
@@ -1,4 +1,4 @@
-title: AWS billing metrics
+title: AWS Billing Metrics
release: beta
type: metrics
streams:
@@ -27,6 +27,7 @@ streams:
- "AZ"
- "INSTANCE_TYPE"
- "SERVICE"
+ - "LINKED_ACCOUNT"
- name: cost_explorer_config.group_by_tag_keys
type: text
title: Cost Explorer Group By Tag Keys
@@ -35,5 +36,5 @@ streams:
show_user: true
default:
- "aws:createdBy"
- title: AWS Billing metrics
- description: Collect AWS billing metrics
+ title: AWS Billing Metrics
+ description: Collect billing metrics from Amazon Web Services with Elastic Agent.
diff --git a/test/packages/aws/data_stream/billing/sample_event.json b/test/packages/aws/data_stream/billing/sample_event.json
index 0a252492f0..832bb00231 100644
--- a/test/packages/aws/data_stream/billing/sample_event.json
+++ b/test/packages/aws/data_stream/billing/sample_event.json
@@ -22,17 +22,29 @@
},
"aws": {
"billing": {
- "metrics": {
- "EstimatedCharges": {
- "max": 1625.41
- }
+ "Currency": "USD",
+ "EstimatedCharges": 39.26,
+ "ServiceName": "AmazonEKS",
+ "AmortizedCost": {
+ "amount": 51.6,
+ "unit": "USD"
+ },
+ "BlendedCost": {
+ "amount": 51.6,
+ "unit": "USD"
+ },
+ "NormalizedUsageAmount": {
+ "amount": 672,
+ "unit": "N/A"
+ },
+ "UnblendedCost": {
+ "amount": 51.6,
+ "unit": "USD"
+ },
+ "UsageQuantity": {
+ "amount": 168,
+ "unit": "N/A"
}
- },
- "cloudwatch": {
- "namespace": "AWS/Billing"
- },
- "dimensions": {
- "Currency": "USD"
}
},
"service": {
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json
index aefef7cf61..02145eb005 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-add-user-to-group-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-2",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2014-03-25T21:08:14.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.290352893Z",
"original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-25T18:45:11Z\"}}},\"eventTime\":\"2014-03-25T21:08:14Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"AddUserToGroup\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"AWSConsole\",\"requestParameters\":{\"userName\":\"Bob\",\"groupName\":\"admin\"},\"responseElements\":null}",
"provider": "iam.amazonaws.com",
- "created": "2014-03-25T21:08:14.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "AddUserToGroup",
"type": [
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log
index c2a4a5e884..90e496fc0f 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log
@@ -1 +1 @@
-{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIN5ATK5U7KEXAMPLE:JohnRole1","arn":"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1","accountId":"111111111111","accessKeyId":"AKIAI44QH8DHBEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-10-02T21:50:54Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIN5ATK5U7KEXAMPLE","arn":"arn:aws:iam::111111111111:role/JohnRole1","accountId":"111111111111","userName":"JohnDoe"}}},"eventTime":"2019-10-02T22:12:29Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-2","sourceIPAddress":"123.145.67.89","userAgent":"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239","requestParameters":{"incomingTransitiveTags":{"Department":"Engineering"},"tags":[{"value":"johndoe@example.com","key":"Email"},{"value":"12345","key":"CostCenter"}],"roleArn":"arn:aws:iam::111111111111:role/JohnRole2","roleSessionName":"Role2WithTags","transitiveTagKeys":["Email","CostCenter"],"durationSeconds":3600},"responseElements":{"credentials":{"accessKeyId":"ASIAWHOJDLGPOEXAMPLE","expiration":"Oct 2, 2019 11:12:29 PM","sessionToken":"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"},"assumedRoleUser":{"assumedRoleId":"AROAIFR7WHDTSOYQYHFUE:Role2WithTags","arn":"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"}},"requestID":"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE","eventID":"1917948f-3042-46ec-98e2-62865EXAMPLE","resources":[{"ARN":"arn:aws:iam::111122223333:role/JohnRole2","accountId":"111111111111","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"111111111111"}
+{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIN5ATK5U7KEXAMPLE:JohnRole1","arn":"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1","accountId":"111111111111","accessKeyId":"AKIAI44QH8DHBEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2019-10-02T21:50:54Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIN5ATK5U7KEXAMPLE","arn":"arn:aws:iam::111111111111:role/JohnRole1","accountId":"111111111111","userName":"JohnDoe"}}},"eventTime":"2019-10-02T22:12:29Z","eventSource":"sts.amazonaws.com","eventName":"AssumeRole","awsRegion":"us-east-2","sourceIPAddress":"81.2.69.144","userAgent":"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239","requestParameters":{"incomingTransitiveTags":{"Department":"Engineering"},"tags":[{"value":"johndoe@example.com","key":"Email"},{"value":"12345","key":"CostCenter"}],"roleArn":"arn:aws:iam::111111111111:role/JohnRole2","roleSessionName":"Role2WithTags","transitiveTagKeys":["Email","CostCenter"],"durationSeconds":3600},"responseElements":{"credentials":{"accessKeyId":"ASIAWHOJDLGPOEXAMPLE","expiration":"Oct 2, 2019 11:12:29 PM","sessionToken":"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"},"assumedRoleUser":{"assumedRoleId":"AROAIFR7WHDTSOYQYHFUE:Role2WithTags","arn":"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags"}},"requestID":"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE","eventID":"1917948f-3042-46ec-98e2-62865EXAMPLE","resources":[{"ARN":"arn:aws:iam::111122223333:role/JohnRole2","accountId":"111111111111","type":"AWS::IAM::Role"}],"eventType":"AwsApiCall","recipientAccountId":"111111111111"}
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
index 4b2156077d..6231a4dd28 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-assume-role-json.log-expected.json
@@ -8,32 +8,35 @@
}
},
"@timestamp": "2019-10-02T22:12:29.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"source": {
"geo": {
- "continent_name": "Asia",
- "region_iso_code": "CN-CQ",
- "country_name": "China",
- "region_name": "Chongqing",
+ "continent_name": "Europe",
+ "region_iso_code": "GB-OXF",
+ "city_name": "Abingdon",
+ "country_iso_code": "GB",
+ "country_name": "United Kingdom",
+ "region_name": "Oxfordshire",
"location": {
- "lon": 106.5531,
- "lat": 29.5569
- },
- "country_iso_code": "CN"
+ "lon": -1.3614,
+ "lat": 51.7095
+ }
},
"as": {
- "number": 4837,
+ "number": 20712,
"organization": {
- "name": "CHINA UNICOM China169 Backbone"
+ "name": "Andrews \u0026 Arnold Ltd"
}
},
- "address": "123.145.67.89",
- "ip": "123.145.67.89"
+ "address": "81.2.69.144",
+ "ip": "81.2.69.144"
},
"event": {
- "ingested": "2021-04-23T12:15:54.325928891Z",
- "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1\",\"accountId\":\"111111111111\",\"accessKeyId\":\"AKIAI44QH8DHBEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-10-02T21:50:54Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE\",\"arn\":\"arn:aws:iam::111111111111:role/JohnRole1\",\"accountId\":\"111111111111\",\"userName\":\"JohnDoe\"}}},\"eventTime\":\"2019-10-02T22:12:29Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"123.145.67.89\",\"userAgent\":\"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239\",\"requestParameters\":{\"incomingTransitiveTags\":{\"Department\":\"Engineering\"},\"tags\":[{\"value\":\"johndoe@example.com\",\"key\":\"Email\"},{\"value\":\"12345\",\"key\":\"CostCenter\"}],\"roleArn\":\"arn:aws:iam::111111111111:role/JohnRole2\",\"roleSessionName\":\"Role2WithTags\",\"transitiveTagKeys\":[\"Email\",\"CostCenter\"],\"durationSeconds\":3600},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAWHOJDLGPOEXAMPLE\",\"expiration\":\"Oct 2, 2019 11:12:29 PM\",\"sessionToken\":\"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\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"}},\"requestID\":\"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\"eventID\":\"1917948f-3042-46ec-98e2-62865EXAMPLE\",\"resources\":[{\"ARN\":\"arn:aws:iam::111122223333:role/JohnRole2\",\"accountId\":\"111111111111\",\"type\":\"AWS::IAM::Role\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"111111111111\"}",
+ "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE:JohnRole1\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/JohnDoe/JohnRole1\",\"accountId\":\"111111111111\",\"accessKeyId\":\"AKIAI44QH8DHBEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-10-02T21:50:54Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIN5ATK5U7KEXAMPLE\",\"arn\":\"arn:aws:iam::111111111111:role/JohnRole1\",\"accountId\":\"111111111111\",\"userName\":\"JohnDoe\"}}},\"eventTime\":\"2019-10-02T22:12:29Z\",\"eventSource\":\"sts.amazonaws.com\",\"eventName\":\"AssumeRole\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"81.2.69.144\",\"userAgent\":\"aws-cli/1.16.248 Python/3.4.7 Linux/4.9.184-0.1.ac.235.83.329.metal1.x86_64 botocore/1.12.239\",\"requestParameters\":{\"incomingTransitiveTags\":{\"Department\":\"Engineering\"},\"tags\":[{\"value\":\"johndoe@example.com\",\"key\":\"Email\"},{\"value\":\"12345\",\"key\":\"CostCenter\"}],\"roleArn\":\"arn:aws:iam::111111111111:role/JohnRole2\",\"roleSessionName\":\"Role2WithTags\",\"transitiveTagKeys\":[\"Email\",\"CostCenter\"],\"durationSeconds\":3600},\"responseElements\":{\"credentials\":{\"accessKeyId\":\"ASIAWHOJDLGPOEXAMPLE\",\"expiration\":\"Oct 2, 2019 11:12:29 PM\",\"sessionToken\":\"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\"},\"assumedRoleUser\":{\"assumedRoleId\":\"AROAIFR7WHDTSOYQYHFUE:Role2WithTags\",\"arn\":\"arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags\"}},\"requestID\":\"b96b0e4e-e561-11e9-8b3f-7b396EXAMPLE\",\"eventID\":\"1917948f-3042-46ec-98e2-62865EXAMPLE\",\"resources\":[{\"ARN\":\"arn:aws:iam::111122223333:role/JohnRole2\",\"accountId\":\"111111111111\",\"type\":\"AWS::IAM::Role\"}],\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"111111111111\"}",
"provider": "sts.amazonaws.com",
- "created": "2019-10-02T22:12:29.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "AssumeRole",
"id": "1917948f-3042-46ec-98e2-62865EXAMPLE",
@@ -120,7 +123,10 @@
"name": "Spider"
},
"version": "1.16.248"
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json
index 69673ce6bb..9dcab5261a 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-change-password-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-09T00:09:33.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.376665102Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T00:09:33Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"ChangePassword\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"AccessDeniedException\",\"errorMessage\":\"An unknown error occurred\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"EXAMPLE-5204-4fed-9c60-9c6EXAMPLE\",\"eventID\":\"EXAMPLE-b92f-48bb-8c4c-efeEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T00:09:33.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "ChangePassword",
"id": "EXAMPLE-b92f-48bb-8c4c-efeEXAMPLE",
@@ -63,6 +68,13 @@
}
},
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -70,20 +82,18 @@
}
},
"@timestamp": "2020-01-09T00:03:36.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.376673279Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T00:03:36Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"ChangePassword\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":null,\"responseElements\":null,\"requestID\":\"EXAMPLE-5c16-4eda-9724-EXAMPLE\",\"eventID\":\"EXAMPLE-35a7-4c25-9fc7-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T00:03:36.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "ChangePassword",
"id": "EXAMPLE-35a7-4c25-9fc7-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json
index 00bd8dda0e..0c1cc9a2c9 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-cloudtrail-digest-json.log-expected.json
@@ -6,23 +6,27 @@
"id": "123456789123"
}
},
+ "@timestamp": "2020-09-11T19:36:49.000Z",
"file": {
"path": "AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T183649Z.json.gz",
"hash": {
"sha256": "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"
}
},
- "@timestamp": "2020-09-11T19:36:49.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"hash": [
"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"
]
},
"event": {
- "ingested": "2021-04-23T12:15:54.447816418Z",
"original": "{\"awsAccountId\":\"123456789123\",\"digestStartTime\":\"2020-09-11T18:36:49Z\",\"digestEndTime\":\"2020-09-11T19:36:49Z\",\"digestS3Bucket\":\"alice-bucket\",\"digestS3Object\":\"AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T193649Z.json.gz\",\"digestPublicKeyFingerprint\":\"47aaa19f7eec22e9bd0b5e58cfade8cb\",\"digestSignatureAlgorithm\":\"SHA256withRSA\",\"newestEventTime\":\"2020-09-11T19:26:24Z\",\"oldestEventTime\":\"2020-09-11T18:32:04Z\",\"previousDigestS3Bucket\":\"alice-bucket\",\"previousDigestS3Object\":\"AWSLogs/123456789123/CloudTrail-Digest/us-west-2/2020/09/11/123456789123_CloudTrail-Digest_us-west-2_leh-ct-test_us-west-2_20200911T183649Z.json.gz\",\"previousDigestHashValue\":\"531914fcfa0dbacf0c9dd1475a1fdcb5dea6e85921409f3c3ec0ba39063c860\",\"previousDigestHashAlgorithm\":\"SHA-256\",\"previousDigestSignature\":\"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\",\"logFiles\":[{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1930Z_l2pGqVS53QcGdAkp.json.gz\",\"hashValue\":\"420784a5bbc12e9ac442451e8ec1356744fdeabf4fee0d2222508db6d448139c\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:26:24Z\",\"oldestEventTime\":\"2020-09-11T19:26:24Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1915Z_TIKlbLnJ6IwUxqxw.json.gz\",\"hashValue\":\"4e1eb2a8b41d032cbb16e5449fc8f3eac304e7d43017a391b37c788c77336196\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:11:18Z\",\"oldestEventTime\":\"2020-09-11T19:11:18Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1835Z_OPJhVNodH1gY760s.json.gz\",\"hashValue\":\"2695aeb3b4c1f021fe76e0b36f5ac15e557c41c5
8af6eef282d77ef056210d70\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:32:04Z\",\"oldestEventTime\":\"2020-09-11T18:32:04Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1925Z_zJNGzQovyNAImZV9.json.gz\",\"hashValue\":\"45a2906f55cbfc912584e9425f8d3d8d6fabf571a45a5ecd7d2a0f4132b81689\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:21:28Z\",\"oldestEventTime\":\"2020-09-11T19:21:28Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1855Z_RqN9YzoKAJCKbejj.json.gz\",\"hashValue\":\"515cc8be750d815266b4fc799c7600765f22502d29f5bb9d5c8969ffc5ab7097\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:51:21Z\",\"oldestEventTime\":\"2020-09-11T18:51:21Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1850Z_jLldN7U8XrspES8p.json.gz\",\"hashValue\":\"18650414e79e084dff02da66253f071347f7bb5c4863279bafe7762a980f7c0b\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:46:45Z\",\"oldestEventTime\":\"2020-09-11T18:46:45Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1905Z_jBNdmg4bSGxZ3wC8.json.gz\",\"hashValue\":\"54050ec665636f1985f5b51ae43c74a58282cb2e500492a45f20a4dc1bf8a6d5\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:01:06Z\",\"oldestEventTime\":\"2020-09-11T19:01:06Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1920Z_bj5DRrmILF6jK23a.json.gz\",\"hashValue\":\"6e0d8fcbd712d3f6d1caf4a872681f4290b05ed8a8f1c9450a0a6db92ccab4d7\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:16:12Z\",\"o
ldestEventTime\":\"2020-09-11T19:16:12Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1900Z_6LjrkrhsLQMzCiSN.json.gz\",\"hashValue\":\"b2b0e2804d1c6b92d76eee203d7eba32d3d003e6967f175723a83ecc2d7ad4ba\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:56:05Z\",\"oldestEventTime\":\"2020-09-11T18:56:05Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1910Z_DLyqye8LaeoD204N.json.gz\",\"hashValue\":\"4397a13565a67d9ed6e57737b98eb7e61ca52bb191c9b5da0423136dfc5581c7\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T19:06:31Z\",\"oldestEventTime\":\"2020-09-11T19:06:31Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1845Z_TSDKyASOn2ejOq5n.json.gz\",\"hashValue\":\"94f09d2398632c7b0c0066ed5d56768632dd2e06ed9c80af9d0c2c5f59bd60b6\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:41:58Z\",\"oldestEventTime\":\"2020-09-11T18:41:58Z\"},{\"s3Bucket\":\"alice-bucket\",\"s3Object\":\"AWSLogs/123456789123/CloudTrail/us-west-2/2020/09/11/123456789123_CloudTrail_us-west-2_20200911T1840Z_btJydJ2t7hCRnjsN.json.gz\",\"hashValue\":\"9044f9a05d70688bc6f6048d5f8d00764ab65e132b8ffefb193b22ca4394d771\",\"hashAlgorithm\":\"SHA-256\",\"newestEventTime\":\"2020-09-11T18:37:10Z\",\"oldestEventTime\":\"2020-09-11T18:37:10Z\"}]}",
"type": "info",
- "kind": "event"
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
+ "outcome": "success"
},
"aws": {
"cloudtrail": {
@@ -137,7 +141,10 @@
}
}
}
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-common-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..e8c22fb0e2
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,7 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ # Simulate @timestamp value from Filebeat.
+ '@timestamp': '2021-11-11T01:02:03.123456789Z'
+ tags:
+ - preserve_original_event
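Review bot: `event.ingested: ".*"` on the second line accepts any value, including an empty string, so a regression that dropped or mangled the ingest timestamp would still pass every pipeline test that shares this config. A pattern that pins the expected shape, e.g. `event.ingested: '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$'`, keeps the value dynamic while still asserting it is a UTC RFC 3339 timestamp. The fixed `'@timestamp'` is described only as simulating Filebeat, but the regenerated expected files in this commit show the same value landing in `event.created`, which the comment should say so nobody later "fixes" the fixtures to use the event's own time, e.g. `# Simulate the @timestamp set by Filebeat; the pipeline copies it into event.created.`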
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log
index 14fb436a93..315e72e609 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log
@@ -1,3 +1,3 @@
-{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JohnDoe","accountId":"111122223333","userName":"JohnDoe"},"eventTime":"2014-07-16T15:49:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.110","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"},"eventID":"3fcfb182-98f8-4744-bd45-10aEXAMPLE"}
-{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JaneDoe","accountId":"111122223333","userName":"JaneDoe"},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
-{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName","arn":"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName","accountId":"123456789012","accessKeyId":"AKIAIOSFODNN7EXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"20131102T010628Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIDPPEZS35WEXAMPLE","arn":"arn:aws:iam::123456789012:role/RoleToBeAssumed","accountId":"123456789012","userName":"RoleToBeAssumed"}}},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JohnDoe","accountId":"111122223333","userName":"JohnDoe"},"eventTime":"2014-07-16T15:49:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"},"eventID":"3fcfb182-98f8-4744-bd45-10aEXAMPLE"}
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JaneDoe","accountId":"111122223333","userName":"JaneDoe"},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
+{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName","arn":"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName","accountId":"123456789012","accessKeyId":"AKIAIOSFODNN7EXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"20131102T010628Z"},"sessionIssuer":{"type":"Role","principalId":"AROAIDPPEZS35WEXAMPLE","arn":"arn:aws:iam::123456789012:role/RoleToBeAssumed","accountId":"123456789012","userName":"RoleToBeAssumed"}}},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
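Review bot: All three `sourceIPAddress` values are replaced by the single address 89.160.20.156, so the fixture no longer distinguishes the successful JohnDoe login from the two failed ones by source, and it is a publicly routable address rather than one from the RFC 5737 documentation range the file used before. The matching expected file attributes it to Bredband2 AB in Sweden, so it is presumably one of the addresses present in the GeoIP test database bundled with Elasticsearch, but that rationale is recorded nowhere in the fixtures. Since a JSON log line cannot carry a comment, a one-line note in the shared test config would do, e.g. `# Fixture source IPs (81.2.69.144, 89.160.20.156) resolve in the bundled GeoIP test database so geo/as enrichment can be asserted.`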
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
index 0d16e8864f..69fec10edc 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-console-login-json.log-expected.json
@@ -1,6 +1,31 @@
{
"expected": [
{
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-2",
"account": {
@@ -8,20 +33,18 @@
}
},
"@timestamp": "2014-07-16T15:49:27.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"JohnDoe"
]
},
- "source": {
- "address": "192.0.2.110",
- "ip": "192.0.2.110"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.469997177Z",
- "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JohnDoe\",\"accountId\":\"111122223333\",\"userName\":\"JohnDoe\"},\"eventTime\":\"2014-07-16T15:49:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.110\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/s3/\",\"MFAUsed\":\"No\"},\"eventID\":\"3fcfb182-98f8-4744-bd45-10aEXAMPLE\"}",
+ "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JohnDoe\",\"accountId\":\"111122223333\",\"userName\":\"JohnDoe\"},\"eventTime\":\"2014-07-16T15:49:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Success\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/s3/\",\"MFAUsed\":\"No\"},\"eventID\":\"3fcfb182-98f8-4744-bd45-10aEXAMPLE\"}",
"provider": "signin.amazonaws.com",
- "created": "2014-07-16T15:49:27.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "ConsoleLogin",
"id": "3fcfb182-98f8-4744-bd45-10aEXAMPLE",
@@ -80,6 +103,31 @@
}
},
{
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-2",
"account": {
@@ -87,20 +135,18 @@
}
},
"@timestamp": "2014-07-08T17:35:27.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"JaneDoe"
]
},
- "source": {
- "address": "192.0.2.100",
- "ip": "192.0.2.100"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.470006220Z",
- "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JaneDoe\",\"accountId\":\"111122223333\",\"userName\":\"JaneDoe\"},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.100\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}",
+ "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"AIDACKCEVSQ6C2EXAMPLE\",\"arn\":\"arn:aws:iam::111122223333:user/JaneDoe\",\"accountId\":\"111122223333\",\"userName\":\"JaneDoe\"},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}",
"provider": "signin.amazonaws.com",
- "created": "2014-07-08T17:35:27.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "ConsoleLogin",
"id": "11ea990b-4678-4bcd-8fbe-625EXAMPLE",
@@ -167,15 +213,35 @@
}
},
"@timestamp": "2014-07-08T17:35:27.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"source": {
- "address": "192.0.2.100",
- "ip": "192.0.2.100"
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"event": {
- "ingested": "2021-04-23T12:15:54.470010588Z",
- "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"20131102T010628Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:role/RoleToBeAssumed\",\"accountId\":\"123456789012\",\"userName\":\"RoleToBeAssumed\"}}},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.100\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}",
+ "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"20131102T010628Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:role/RoleToBeAssumed\",\"accountId\":\"123456789012\",\"userName\":\"RoleToBeAssumed\"}}},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}",
"provider": "signin.amazonaws.com",
- "created": "2014-07-08T17:35:27.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "ConsoleLogin",
"id": "11ea990b-4678-4bcd-8fbe-625EXAMPLE",
@@ -242,7 +308,10 @@
"name": "Other"
},
"version": "24.0."
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json
index 4b5721cf4c..fe958a8e1b 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-access-key-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-08T20:43:06.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.575565508Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T20:43:06Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":{\"accessKey\":{\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"status\":\"Active\",\"userName\":\"Bob\",\"createDate\":\"Jan 8, 2020 8:43:06 PM\"}},\"requestID\":\"EXAMPLE-823a-48dc-8fa9-EXAMPLE\",\"eventID\":\"EXAMPLE-3cab-40f8-938b-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-08T20:43:06.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "CreateAccessKey",
"id": "EXAMPLE-3cab-40f8-938b-EXAMPLE",
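Review bot: In the new expected output `event.created` is a fixed `2021-11-11T01:02:03.123456789Z` instead of the CloudTrail `eventTime` (`2020-01-08T20:43:06Z`, which `@timestamp` still carries), which looks like the test harness's pinned ingest timestamp rather than anything from the event. If the pipeline now derives `event.created` from `_ingest.timestamp`, that fits ECS's definition of the field (when the event was first read by the pipeline), but it also means any detection rule or dashboard that treated `event.created` as the occurrence time must use `@timestamp` instead, and that behavioural change deserves a line in the changelog rather than living only in regenerated fixtures. The same substitution appears in every other `*-expected.json` hunk in this diff, and the deleted `*-config.yml` files dropping the `event.ingested` dynamic field suggest the harness now fixes that timestamp itself — worth confirming both fields come from the same pinned source. This hunk ends inside the `event` object; the rest of that mapping is outside it.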
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json
index a7d9d907fb..e8a8378aac 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-group-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-09T01:48:44.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.610901167Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-09T01:48:44Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":{\"group\":{\"createDate\":\"Jan 9, 2020 1:48:44 AM\",\"path\":\"/\",\"arn\":\"arn:aws:iam::0123456789012:group/TEST-GROUP\",\"groupName\":\"TEST-GROUP\",\"groupId\":\"EXAMPLE_ID\"}},\"requestID\":\"EXAMPLE-769d-4a61-b731-EXAMPLE\",\"eventID\":\"EXAMPLE-37ec-425a-a7ef-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T01:48:44.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "CreateGroup",
"id": "EXAMPLE-37ec-425a-a7ef-EXAMPLE",
@@ -84,6 +89,13 @@
}
},
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -91,20 +103,18 @@
}
},
"@timestamp": "2020-01-09T02:22:03.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.610909336Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:22:03Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"EntityAlreadyExistsException\",\"errorMessage\":\"Group with name TEST-GROUP already exists.\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-c8ae-44dc-8114-EXAMPLE\",\"eventID\":\"EXAMPLE-09c6-4745-af70-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T02:22:03.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "CreateGroup",
"id": "EXAMPLE-09c6-4745-af70-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log
index 5b9c40ad40..81f2d01071 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log
@@ -1 +1 @@
-{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-06T15:15:06Z"}}},"eventTime":"2014-03-06T17:10:34Z","eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair","awsRegion":"us-east-2","sourceIPAddress":"72.21.198.64","userAgent":"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx","requestParameters":{"keyName":"mykeypair"},"responseElements":{"keyName":"mykeypair","keyFingerprint":"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21","keyMaterial":""}}
+{"eventVersion":"1.0","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2014-03-06T15:15:06Z"}}},"eventTime":"2014-03-06T17:10:34Z","eventSource":"ec2.amazonaws.com","eventName":"CreateKeyPair","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx","requestParameters":{"keyName":"mykeypair"},"responseElements":{"keyName":"mykeypair","keyFingerprint":"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21","keyMaterial":""}}
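Review bot: The fixture's `sourceIPAddress` moves from `72.21.198.64` to `89.160.20.156`, a publicly routable address; the companion `test-create-key-pair-json.log-expected.json` hunk below shows the pipeline now resolves it to `source.geo` (Tumba, Sweden) and `source.as` (AS29518), so the value is presumably chosen because the GeoIP database in the test stack has an entry for it. That rationale is not recorded anywhere in the diff and a `.log` fixture cannot carry a comment, so a sentence in the data stream's test documentation or the commit message would stop a later contributor from "correcting" it back to an RFC 5737 documentation range and silently breaking the geo assertions. The `test-delete-bucket-json.log` hunk makes the same substitution, replacing the documentation address `192.0.2.1`.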
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json
index a983c0786d..00bd7e5645 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-key-pair-json.log-expected.json
@@ -1,6 +1,31 @@
{
"expected": [
{
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-2",
"account": {
@@ -8,38 +33,18 @@
}
},
"@timestamp": "2014-03-06T17:10:34.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
- "location": {
- "lon": -77.4728,
- "lat": 39.0481
- }
- },
- "as": {
- "number": 16509,
- "organization": {
- "name": "Amazon.com, Inc."
- }
- },
- "address": "72.21.198.64",
- "ip": "72.21.198.64"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.676175189Z",
- "original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"72.21.198.64\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\u003csensitiveDataRemoved\u003e\"}}",
+ "original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2014-03-06T15:15:06Z\"}}},\"eventTime\":\"2014-03-06T17:10:34Z\",\"eventSource\":\"ec2.amazonaws.com\",\"eventName\":\"CreateKeyPair\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"EC2ConsoleBackend, aws-sdk-java/Linux/x.xx.fleetxen Java_HotSpot(TM)_64-Bit_Server_VM/xx\",\"requestParameters\":{\"keyName\":\"mykeypair\"},\"responseElements\":{\"keyName\":\"mykeypair\",\"keyFingerprint\":\"30:1d:46:d0:5b:ad:7e:1b:b6:70:62:8b:ff:38:b5:e9:ab:5d:b8:21\",\"keyMaterial\":\"\u003csensitiveDataRemoved\u003e\"}}",
"provider": "ec2.amazonaws.com",
- "created": "2014-03-06T17:10:34.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "CreateKeyPair",
"type": [
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json
index d1a2edbbfa..1839c2927b 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-trail-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-west-2",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-08T15:30:25.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.718155521Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T15:30:25Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"CreateTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"TEST-cloudtrail-bucket\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"enableLogFileValidation\":true,\"kmsKeyId\":\"\",\"isOrganizationTrail\":false},\"responseElements\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"TEST-cloudtrail-bucket\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"trailARN\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"logFileValidationEnabled\":true,\"isOrganizationTrail\":false},\"requestID\":\"EXAMPLE-5149-4cf2-be99-EXAMPLE\",\"eventID\":\"EXAMPLE-d04b-4eff-833a-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "cloudtrail.amazonaws.com",
- "created": "2020-01-08T15:30:25.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "CreateTrail",
"id": "EXAMPLE-d04b-4eff-833a-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json
index 9faea88ba2..5fc1e895b7 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-user-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-2",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2014-03-24T21:11:59.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.752417207Z",
"original": "{\"eventVersion\":\"1.0\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2014-03-24T21:11:59Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateUser\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.3.2 Python/2.7.5 Windows/7\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":{\"user\":{\"createDate\":\"Mar 24, 2014 9:11:59 PM\",\"userName\":\"Bob\",\"arn\":\"arn:aws:iam::123456789012:user/Bob\",\"path\":\"/\",\"userId\":\"EXAMPLEUSERID\"}}}",
"provider": "iam.amazonaws.com",
- "created": "2014-03-24T21:11:59.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "CreateUser",
"type": [
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json
index e01fbdd67b..4a9c4f4240 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-create-virtual-mfa-device-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2019-11-27T15:10:15.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.784993236Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-11-27T15:07:22Z\"}}},\"eventTime\":\"2019-11-27T15:10:15Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"CreateVirtualMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"console.amazonaws.com\",\"requestParameters\":{\"virtualMFADeviceName\":\"Alice\",\"path\":\"/\"},\"responseElements\":{\"virtualMFADevice\":{\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"}},\"requestID\":\"EXAMPLE-303b-4b0e-a8c7-EXAMPLE\",\"eventID\":\"EXAMPLE-351c-472a-b089-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2019-11-27T15:10:15.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "CreateVirtualMFADevice",
"id": "EXAMPLE-351c-472a-b089-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json
index c9f1ee9e85..764cc3d905 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-deactivate-mfa-device-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-10T00:34:02.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.818318682Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T00:34:02Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeactivateMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Alice\",\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-801a-4624-8fa0-EXAMPLE\",\"eventID\":\"EXAMPLE-1889-416b-ace9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T00:34:02.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeactivateMFADevice",
"id": "EXAMPLE-1889-416b-ace9-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json
index 55f9599c3b..885f9b97c9 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-access-key-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-08T19:09:36.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.852318084Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T19:09:36Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\",\"accessKeyId\":\"EXAMPLE_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-3bea-41fa-a0b4-EXAMPLE\",\"eventID\":\"EXAMPLE-0698-46bd-998d-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-08T19:09:36.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteAccessKey",
"id": "EXAMPLE-0698-46bd-998d-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log
index 913b109d7c..ab5c34153a 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log
@@ -1 +1 @@
-{"eventVersion":"1.04","userIdentity":{"type":"AssumedRole","principalId":"AIDAQRSTUVWXYZEXAMPLE:devdsk","arn":"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk","accountId":"777788889999","accessKeyId":"AKIAQRSTUVWXYZEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2016-11-14T17:25:26Z"},"sessionIssuer":{"type":"Role","principalId":"AIDAQRSTUVWXYZEXAMPLE","arn":"arn:aws:iam::777788889999:role/AssumeNothing","accountId":"777788889999","userName":"AssumeNothing"}}},"eventTime":"2016-11-14T17:25:45Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.1","userAgent":"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]","requestParameters":{"bucketName":"my-test-bucket-cross-account"},"responseElements":null,"requestID":"EXAMPLE463D56D4C","eventID":"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE","eventType":"AwsApiCall","recipientAccountId":"777788889999"}
+{"eventVersion":"1.04","userIdentity":{"type":"AssumedRole","principalId":"AIDAQRSTUVWXYZEXAMPLE:devdsk","arn":"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk","accountId":"777788889999","accessKeyId":"AKIAQRSTUVWXYZEXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"2016-11-14T17:25:26Z"},"sessionIssuer":{"type":"Role","principalId":"AIDAQRSTUVWXYZEXAMPLE","arn":"arn:aws:iam::777788889999:role/AssumeNothing","accountId":"777788889999","userName":"AssumeNothing"}}},"eventTime":"2016-11-14T17:25:45Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucket","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]","requestParameters":{"bucketName":"my-test-bucket-cross-account"},"responseElements":null,"requestID":"EXAMPLE463D56D4C","eventID":"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE","eventType":"AwsApiCall","recipientAccountId":"777788889999"}
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json
index e5328c7f5d..4ed161acea 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-bucket-json.log-expected.json
@@ -8,15 +8,35 @@
}
},
"@timestamp": "2016-11-14T17:25:45.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"source": {
- "address": "192.0.2.1",
- "ip": "192.0.2.1"
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"event": {
- "ingested": "2021-04-23T12:15:54.886661019Z",
- "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE:devdsk\",\"arn\":\"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk\",\"accountId\":\"777788889999\",\"accessKeyId\":\"AKIAQRSTUVWXYZEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2016-11-14T17:25:26Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE\",\"arn\":\"arn:aws:iam::777788889999:role/AssumeNothing\",\"accountId\":\"777788889999\",\"userName\":\"AssumeNothing\"}}},\"eventTime\":\"2016-11-14T17:25:45Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"DeleteBucket\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.1\",\"userAgent\":\"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]\",\"requestParameters\":{\"bucketName\":\"my-test-bucket-cross-account\"},\"responseElements\":null,\"requestID\":\"EXAMPLE463D56D4C\",\"eventID\":\"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"777788889999\"}",
+ "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE:devdsk\",\"arn\":\"arn:aws:sts::777788889999:assumed-role/AssumeNothing/devdsk\",\"accountId\":\"777788889999\",\"accessKeyId\":\"AKIAQRSTUVWXYZEXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2016-11-14T17:25:26Z\"},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AIDAQRSTUVWXYZEXAMPLE\",\"arn\":\"arn:aws:iam::777788889999:role/AssumeNothing\",\"accountId\":\"777788889999\",\"userName\":\"AssumeNothing\"}}},\"eventTime\":\"2016-11-14T17:25:45Z\",\"eventSource\":\"s3.amazonaws.com\",\"eventName\":\"DeleteBucket\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"[aws-cli/1.11.10 Python/2.7.8 Linux/3.2.45-0.6.wd.865.49.315.metal1.x86_64 botocore/1.4.67]\",\"requestParameters\":{\"bucketName\":\"my-test-bucket-cross-account\"},\"responseElements\":null,\"requestID\":\"EXAMPLE463D56D4C\",\"eventID\":\"dEXAMPLE-265a-41e0-9352-4401bEXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"777788889999\"}",
"provider": "s3.amazonaws.com",
- "created": "2016-11-14T17:25:45.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteBucket",
"id": "dEXAMPLE-265a-41e0-9352-4401bEXAMPLE",
@@ -72,7 +92,10 @@
"name": "Spider"
},
"version": "1.11.10"
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json
index 3b62aa1a31..4495b77d45 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-group-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-09T02:25:44.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.924240276Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-09T02:25:44Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-66cb-4775-a203-EXAMPLE\",\"eventID\":\"EXAMPLE-cbc2-4cc3-8bbc-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T02:25:44.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteGroup",
"id": "EXAMPLE-cbc2-4cc3-8bbc-EXAMPLE",
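Review bot: `event.ingested` is no longer asserted anywhere for this data stream — the field is dropped from the expected object here and the `-config.yml` that matched it with `dynamic_fields: event.ingested: ".*"` is deleted a few hunks above — so a regression in which the pipeline stops emitting `event.ingested` would pass the test unnoticed. Presumably the test runner now strips or pins that field itself; that is worth confirming in the PR description, since `event.ingested` is what ingest-time lookback in detection rules typically keys on, and a silently missing field there degrades alerting rather than failing loudly. The pinned `event.created` value next to it, with `@timestamp` still carrying the CloudTrail `eventTime`, reads as consistent with the ECS definition of `event.created` (first seen by the pipeline) and needs no change. The same pattern repeats in every other `*-expected.json` section below (delete-ssh-public-key through update-group), so one answer covers them all.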
@@ -73,6 +78,13 @@
}
},
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -80,20 +92,18 @@
}
},
"@timestamp": "2020-01-09T02:25:11.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.924251898Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_PRINCIPLE\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:25:11Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"DeleteConflictException\",\"errorMessage\":\"Cannot delete entity, must detach all policies first.\",\"requestParameters\":{\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-2a3c-4a94-b24f-EXAMPLE\",\"eventID\":\"EXAMPLE-5aa2-4b5f-a52a-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T02:25:11.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteGroup",
"id": "EXAMPLE-5aa2-4b5f-a52a-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json
index e775452704..6ffa98520d 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-ssh-public-key-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-10T16:07:08.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:54.987346466Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:07:08Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-7b34-44ae-a22f-EXAMPLE\",\"eventID\":\"EXAMPLE-72ff-4d4f-9a8d-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T16:07:08.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteSSHPublicKey",
"id": "EXAMPLE-72ff-4d4f-9a8d-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json
index e42dafd2d6..2dd33e9881 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-trail-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-west-2",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-09T20:09:51.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.024826729Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T20:09:51Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"DeleteTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/test-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-d44f-4a2a-966f-EXAMPLE\",\"eventID\":\"EXAMPLE-3f9d-4634-8ff1-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "cloudtrail.amazonaws.com",
- "created": "2020-01-09T20:09:51.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteTrail",
"id": "EXAMPLE-3f9d-4634-8ff1-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json
index 52bafe68e4..6bb1d94f1e 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-user-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-03T15:50:52.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.057325041Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-03T15:26:38Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-03T15:50:52Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"0e794d53-cdb5-4f7d-b7db-5EXAMPLE\",\"eventID\":\"b89eb34b-8fcb-4cba-8439-d4EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-03T15:50:52.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteUser",
"id": "b89eb34b-8fcb-4cba-8439-d4EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json
index c8cb6d6742..a482b81222 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-delete-virtual-mfa-device-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-10T00:34:02.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.091526013Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T00:34:02Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"DeleteVirtualMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Alice\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-af91-4d1a-aaf2-EXAMPLE\",\"eventID\":\"EXAMPLE-f8e6-4d5f-8525-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T00:34:02.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "DeleteVirtualMFADevice",
"id": "EXAMPLE-f8e6-4d5f-8525-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json
index bff8fbb12b..5a66ad5660 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-enable-mfa-device-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2019-11-27T15:11:09.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.125391948Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"2019-11-27T15:07:22Z\"}}},\"eventTime\":\"2019-11-27T15:11:09Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"EnableMFADevice\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"console.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\",\"serialNumber\":\"arn:aws:iam::0123456789012:mfa/Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-adea-490a-a806-EXAMPLE\",\"eventID\":\"EXAMPLE-3fdc-4b2a-9885-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2019-11-27T15:11:09.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "EnableMFADevice",
"id": "EXAMPLE-3fdc-4b2a-9885-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json
index 5c973ebbb8..f8a1c9b1f2 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-insight-json.log-expected.json
@@ -5,13 +5,15 @@
"region": "us-east-1"
},
"@timestamp": "2020-09-09T23:00:00.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"event": {
- "ingested": "2021-04-23T12:15:55.161878656Z",
"original": "{\"eventVersion\":\"1.07\",\"eventTime\":\"2020-09-09T23:00:00Z\",\"awsRegion\":\"us-east-1\",\"eventID\":\"41ed77ca-d659-b45a-8e9a-74e504300007\",\"eventType\":\"AwsCloudTrailInsight\",\"recipientAccountId\":\"123456789012\",\"sharedEventID\":\"e672c2b1-e71a-4779-f96c-02da7bb30d2e\",\"insightDetails\":{\"state\":\"End\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"AttachUserPolicy\",\"insightType\":\"ApiCallRateInsight\",\"insffightContext\":{\"statistics\":{\"baseline\":{\"average\":0.0},\"insight\":{\"average\":2.0},\"insightDuration\":1,\"baselineDuration\":11459},\"attributions\":[{\"attribute\":\"userIdentityArn\",\"insight\":[{\"value\":\"arn:aws:iam::123456789012:user/Alice\",\"average\":2.0}],\"baseline\":[]},{\"attribute\":\"userAgent\",\"insight\":[{\"value\":\"console.amazonaws.com\",\"average\":2.0}],\"baseline\":[]},{\"attribute\":\"errorCode\",\"insight\":[{\"value\":\"null\",\"average\":2.0}],\"baseline\":[]}]}},\"eventCategory\":\"Insight\"}",
- "created": "2020-09-09T23:00:00.000Z",
- "kind": "event",
"id": "41ed77ca-d659-b45a-8e9a-74e504300007",
"type": "info",
+ "created": "2021-11-11T01:02:03.123456789Z",
+ "kind": "event",
"outcome": "success"
},
"aws": {
@@ -70,7 +72,10 @@
"recipient_account_id": "123456789012",
"event_category": "Insight"
}
- }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json
index fe39acb048..f3ade51a53 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-remove-user-from-group-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-06T15:19:50.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.180758340Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-06T14:36:28Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-06T15:19:50Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"RemoveUserFromGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"groupName\":\"Admin\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-0bf0-47be-bc80-EXAMPLE\",\"eventID\":\"EXAMPLE-6e8b-431a-94f4-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-06T15:19:50.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "RemoveUserFromGroup",
"id": "EXAMPLE-6e8b-431a-94f4-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json
index fa90a4ca53..3101de44c8 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-start-logging-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-west-2",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-08T15:30:25.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.217310455Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T15:30:25Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"StartLogging\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"TEST-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-1c30-4f43-9763-EXAMPLE\",\"eventID\":\"EXAMPLE-aa78-4a84-a27f-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "cloudtrail.amazonaws.com",
- "created": "2020-01-08T15:30:25.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "StartLogging",
"id": "EXAMPLE-aa78-4a84-a27f-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json
index ccbbcdd9f3..79d7439e30 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-stop-logging-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-west-2",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-09T16:46:16.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.250611410Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-09T16:36:17Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-09T16:46:16Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"StopLogging\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-869f-4fec-86f9-EXAMPLE\",\"eventID\":\"EXAMPLE-8cc3-42db-9a0d-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "cloudtrail.amazonaws.com",
- "created": "2020-01-09T16:46:16.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "StopLogging",
"id": "EXAMPLE-8cc3-42db-9a0d-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
index efb8442615..0d57cca9cf 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-access-key-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-10T15:01:23.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.283645028Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T15:01:23Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateAccessKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-7d0c-45f4-b25b-EXAMPLE\",\"eventID\":\"EXAMPLE-0ef0-42cd-8551-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T15:01:23.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateAccessKey",
"id": "EXAMPLE-0ef0-42cd-8551-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
index 22c064cf00..cdc24c9d2f 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-accout-password-policy-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-10T18:05:33.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.317715645Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T18:05:33Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateAccountPasswordPolicy\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"requireLowercaseCharacters\":true,\"requireSymbols\":true,\"requireNumbers\":true,\"minimumPasswordLength\":12,\"requireUppercaseCharacters\":true,\"allowUsersToChangePassword\":true},\"responseElements\":null,\"requestID\":\"EXAMPLE-5ebf-4bc3-a349-EXAMPLE\",\"eventID\":\"EXAMPLE-91f9-49f3-948c-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T18:05:33.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateAccountPasswordPolicy",
"id": "EXAMPLE-91f9-49f3-948c-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json
index 297780c6a2..7b75f3b3ec 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-group-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-09T02:23:11.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.350927729Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:23:11Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"newGroupName\":\"TEST-GROUP2\",\"groupName\":\"TEST-GROUP\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-c22d-4fca-b40a-EXAMPLE\",\"eventID\":\"EXAMPLE-c3aa-487b-b05e-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T02:23:11.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateGroup",
"id": "EXAMPLE-c3aa-487b-b05e-EXAMPLE",
@@ -70,6 +75,13 @@
}
},
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -77,20 +89,18 @@
}
},
"@timestamp": "2020-01-09T02:24:35.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.350935229Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"0123456789012\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-09T02:24:35Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateGroup\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"errorCode\":\"EntityAlreadyExistsException\",\"errorMessage\":\"Group with name TEST-GROUP already exists.\",\"requestParameters\":{\"newGroupName\":\"TEST-GROUP\",\"groupName\":\"TEST-GROUP2\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-f673-4ce7-8529-EXAMPLE\",\"eventID\":\"EXAMPLE-6a0b-475c-b5db-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-09T02:24:35.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateGroup",
"id": "EXAMPLE-6a0b-475c-b5db-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json
index 395dd48f5e..54e213526e 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-login-profile-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-10T18:25:42.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.413508601Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T18:25:42Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateLoginProfile\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"userName\":\"Bob\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-0dc6-447a-8859-EXAMPLE\",\"eventID\":\"EXAMPLE-c3b6-4498-b818-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T18:25:42.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateLoginProfile",
"id": "EXAMPLE-c3b6-4498-b818-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json
index e8e85e3169..c6ee9087cd 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-ssh-public-key-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,21 +15,19 @@
}
},
"@timestamp": "2020-01-10T16:06:54.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.459387853Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:54Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"userName\":\"Bob\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-32f3-4a92-82e1-EXAMPLE\",\"eventID\":\"EXAMPLE-5c88-4652-9ee9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T16:06:54.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateSSHPublicKey",
"id": "EXAMPLE-5c88-4652-9ee9-EXAMPLE",
@@ -76,6 +81,13 @@
}
},
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -83,21 +95,19 @@
}
},
"@timestamp": "2020-01-10T16:06:54.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
"Bob"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.459396392Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:54Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"status\":\"Inactive\",\"userName\":\"Bob\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\"},\"responseElements\":null,\"requestID\":\"EXAMPLE-32f3-4a92-82e1-EXAMPLE\",\"eventID\":\"EXAMPLE-5c88-4652-9ee9-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T16:06:54.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateSSHPublicKey",
"id": "EXAMPLE-5c88-4652-9ee9-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log
index f8a9bc9e2a..9b440298c6 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log
@@ -1,2 +1,2 @@
-{"eventVersion":"1.04","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2016-07-14T19:15:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-2","sourceIPAddress":"205.251.233.182","userAgent":"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22","errorCode":"TrailNotFoundException","errorMessage":"Unknown trail: myTrail2 for the user: 123456789012","requestParameters":{"name":"myTrail2"},"responseElements":null,"requestID":"5d40662a-49f7-11e6-97e4-dEXAMPLE","eventID":"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"}
+{"eventVersion":"1.04","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2016-07-14T19:15:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-east-2","sourceIPAddress":"89.160.20.156","userAgent":"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22","errorCode":"TrailNotFoundException","errorMessage":"Unknown trail: myTrail2 for the user: 123456789012","requestParameters":{"name":"myTrail2"},"responseElements":null,"requestID":"5d40662a-49f7-11e6-97e4-dEXAMPLE","eventID":"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"}
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"sessionIssuer":{},"webIdFederationData":{},"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-08T15:12:16Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-08T20:58:45Z","eventSource":"cloudtrail.amazonaws.com","eventName":"UpdateTrail","awsRegion":"us-west-2","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"name":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","isMultiRegionTrail":true,"enableLogFileValidation":false,"kmsKeyId":""},"responseElements":{"name":"TEST-trail","s3BucketName":"test-cloudtrail-bucket","snsTopicName":"","snsTopicARN":"","includeGlobalServiceEvents":true,"isMultiRegionTrail":true,"trailARN":"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail","logFileValidationEnabled":false,"isOrganizationTrail":false},"requestID":"EXAMPLE-f3da-42d1-84f5-EXAMPLE","eventID":"EXAMPLE-b5e9-4846-8407-EXAMPLE","readOnly":false,"eventType":"AwsApiCall","recipientAccountId":"0123456789012"}
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json
index b9133a03e6..754605022e 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-trail-json.log-expected.json
@@ -1,6 +1,31 @@
{
"expected": [
{
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-2",
"account": {
@@ -8,38 +33,18 @@
}
},
"@timestamp": "2016-07-14T19:15:45.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "geo": {
- "continent_name": "North America",
- "region_iso_code": "US-OR",
- "city_name": "Boardman",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Oregon",
- "location": {
- "lon": -119.7143,
- "lat": 45.8491
- }
- },
- "as": {
- "number": 16509,
- "organization": {
- "name": "Amazon.com, Inc."
- }
- },
- "address": "205.251.233.182",
- "ip": "205.251.233.182"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.523468018Z",
- "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"205.251.233.182\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}",
+ "original": "{\"eventVersion\":\"1.04\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2016-07-14T19:15:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"89.160.20.156\",\"userAgent\":\"aws-cli/1.10.32 Python/2.7.9 Windows/7 botocore/1.4.22\",\"errorCode\":\"TrailNotFoundException\",\"errorMessage\":\"Unknown trail: myTrail2 for the user: 123456789012\",\"requestParameters\":{\"name\":\"myTrail2\"},\"responseElements\":null,\"requestID\":\"5d40662a-49f7-11e6-97e4-dEXAMPLE\",\"eventID\":\"b7d4398e-b2f0-4faa-9c76-e2EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}",
"provider": "cloudtrail.amazonaws.com",
- "created": "2016-07-14T19:15:45.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateTrail",
"id": "b7d4398e-b2f0-4faa-9c76-e2EXAMPLE",
@@ -83,6 +88,13 @@
}
},
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-west-2",
"account": {
@@ -90,20 +102,18 @@
}
},
"@timestamp": "2020-01-08T20:58:45.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.523477094Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"sessionIssuer\":{},\"webIdFederationData\":{},\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-08T15:12:16Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-08T20:58:45Z\",\"eventSource\":\"cloudtrail.amazonaws.com\",\"eventName\":\"UpdateTrail\",\"awsRegion\":\"us-west-2\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"name\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"s3BucketName\":\"test-cloudtrail-bucket\",\"snsTopicName\":\"\",\"isMultiRegionTrail\":true,\"enableLogFileValidation\":false,\"kmsKeyId\":\"\"},\"responseElements\":{\"name\":\"TEST-trail\",\"s3BucketName\":\"test-cloudtrail-bucket\",\"snsTopicName\":\"\",\"snsTopicARN\":\"\",\"includeGlobalServiceEvents\":true,\"isMultiRegionTrail\":true,\"trailARN\":\"arn:aws:cloudtrail:us-west-2:0123456789012:trail/TEST-trail\",\"logFileValidationEnabled\":false,\"isOrganizationTrail\":false},\"requestID\":\"EXAMPLE-f3da-42d1-84f5-EXAMPLE\",\"eventID\":\"EXAMPLE-b5e9-4846-8407-EXAMPLE\",\"readOnly\":false,\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "cloudtrail.amazonaws.com",
- "created": "2020-01-08T20:58:45.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateTrail",
"id": "EXAMPLE-b5e9-4846-8407-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log
index 62721399a4..f4ec7b890a 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log
@@ -1,2 +1 @@
-{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2020-01-08T20:53:12Z","eventSource":"iam.amazonaws.com","eventName":"UpdateUser","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":{"userName":"Bob","newUserName":"Robert"},"responseElements":null,"requestID":"3a6b3260-739d-465e-9406-bcEXAMPLE","eventID":"9150d546-3564-4262-8e62-110EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"}
-
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EX_PRINCIPAL_ID","arn":"arn:aws:iam::123456789012:user/Alice","accountId":"123456789012","accessKeyId":"EXAMPLE_KEY_ID","userName":"Alice"},"eventTime":"2020-01-08T20:53:12Z","eventSource":"iam.amazonaws.com","eventName":"UpdateUser","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46","requestParameters":{"userName":"Bob","newUserName":"Robert"},"responseElements":null,"requestID":"3a6b3260-739d-465e-9406-bcEXAMPLE","eventID":"9150d546-3564-4262-8e62-110EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"123456789012"}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json
index 7f1b90e98e..e324600a27 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-update-user-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,6 +15,9 @@
}
},
"@timestamp": "2020-01-08T20:53:12.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice",
@@ -15,15 +25,10 @@
"Robert"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.609811323Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-08T20:53:12Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"userName\":\"Bob\",\"newUserName\":\"Robert\"},\"responseElements\":null,\"requestID\":\"3a6b3260-739d-465e-9406-bcEXAMPLE\",\"eventID\":\"9150d546-3564-4262-8e62-110EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-08T20:53:12.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UpdateUser",
"id": "9150d546-3564-4262-8e62-110EXAMPLE",
@@ -73,13 +78,6 @@
},
"version": "1.16.310"
}
- },
- {
- "event": {
- "type": "info",
- "ingested": "2021-04-23T12:15:55.609819468Z",
- "kind": "event"
- }
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-config.yml b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json
index 399c7f10b3..63e08a3cb3 100644
--- a/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json
+++ b/test/packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-upload-ssh-public-key-json.log-expected.json
@@ -1,6 +1,13 @@
{
"expected": [
{
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
"cloud": {
"region": "us-east-1",
"account": {
@@ -8,20 +15,18 @@
}
},
"@timestamp": "2020-01-10T16:06:40.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"Alice"
]
},
- "source": {
- "address": "127.0.0.1",
- "ip": "127.0.0.1"
- },
"event": {
- "ingested": "2021-04-23T12:15:55.649407821Z",
"original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:40Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UploadSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\",\"userName\":\"Alice\"},\"responseElements\":{\"sSHPublicKey\":{\"fingerprint\":\"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de\",\"status\":\"Active\",\"uploadDate\":\"Jan 10, 2020 4:06:40 PM\",\"userName\":\"Alice\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\",\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\"}},\"requestID\":\"EXAMPLE-44b9-41cd-90f2-EXAMPLE\",\"eventID\":\"EXAMPLE-9a9d-4da4-9998-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\"}",
"provider": "iam.amazonaws.com",
- "created": "2020-01-10T16:06:40.000Z",
+ "created": "2021-11-11T01:02:03.123456789Z",
"kind": "event",
"action": "UploadSSHPublicKey",
"id": "EXAMPLE-9a9d-4da4-9998-EXAMPLE",
diff --git a/test/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs b/test/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs
new file mode 100644
index 0000000000..50ef9090b8
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudtrail/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,64 @@
+queue_url: {{queue_url}}
+file_selectors:
+{{#if cloudtrail_regex}}
+ - regex: {{cloudtrail_regex}}
+ expand_event_list_from_field: 'Records'
+{{/if}}
+{{#if cloudtrail_digest_regex}}
+ - regex: {{cloudtrail_digest_regex}}
+{{/if}}
+{{#if cloudtrail_insight_regex}}
+ - regex: {{cloudtrail_insight_regex}}
+ expand_event_list_from_field: 'Records'
+{{/if}}
+expand_event_list_from_field: Records
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
+{{#if endpoint}}
+endpoint: {{endpoint}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
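Review bot: The credential substitutions for `access_key_id`, `secret_access_key` and `session_token` are emitted as plain unquoted scalars, so whether the rendered YAML is valid depends on the characters in the secret: a value containing ` #` or `: `, or beginning with an indicator such as `*`, `&` or `[`, is silently truncated or mis-parsed instead of being rejected. Quoting each templated leaf, e.g. `secret_access_key: '{{secret_access_key}}'`, makes the rendering independent of the value; the same applies to `queue_url`, `endpoint` and `proxy_url`, which are URLs that may legitimately contain `#` fragments or `?`/`&` query characters. If the package toolchain offers an escaping helper for string inputs, it is preferable to bare quotes, since a `'` inside the value would still break the single-quoted form. The file-level `expand_event_list_from_field: Records` sits alongside per-selector copies of the same key while the digest selector deliberately omits it; a one-line comment stating which setting applies to objects that match no selector would make that intent checkable.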
diff --git a/test/packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs b/test/packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs
new file mode 100644
index 0000000000..27d1775b51
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudtrail/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,63 @@
+config_version: 2
+interval: {{interval}}
+{{#unless token}}
+{{#if username}}
+{{#if password}}
+auth.basic.user: {{username}}
+auth.basic.password: {{password}}
+{{/if}}
+{{/if}}
+{{/unless}}
+cursor:
+ index_earliest:
+ value: '[[.last_event.result.max_indextime]]'
+request.url: {{url}}/services/search/jobs/export
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.method: POST
+request.transforms:
+ - set:
+ target: url.params.search
+ value: {{search}} | streamstats max(_indextime) AS max_indextime
+ - set:
+ target: url.params.output_mode
+ value: "json"
+ - set:
+ target: url.params.index_earliest
+ value: '[[ .cursor.index_earliest ]]'
+ default: '[[(now (parseDuration "-{{interval}}")).Unix]]'
+ - set:
+ target: url.params.index_latest
+ value: '[[(now).Unix]]'
+ - set:
+ target: header.Content-Type
+ value: application/x-www-form-urlencoded
+{{#unless username}}
+{{#unless password}}
+{{#if token}}
+ - set:
+ target: header.Authorization
+ value: {{token}}
+{{/if}}
+{{/unless}}
+{{/unless}}
+response.decode_as: application/x-ndjson
+response.split:
+ target: body.result._raw
+ type: string
+ delimiter: "\n"
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
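Review bot: The two authentication guards cancel each other out when more than one credential is configured: the basic-auth block is wrapped in `{{#unless token}}` and the token block in `{{#unless username}}{{#unless password}}`, so a policy that sets `token` together with `username`/`password` renders neither `auth.basic.*` nor the `Authorization` header and the input polls the endpoint unauthenticated. Giving one method precedence fixes it — drop the two `{{#unless}}` wrappers around the token block so `token` always wins, or keep them and remove `{{#unless token}}` so basic auth wins — and the chosen rule belongs in a comment at the top of the template. The `Authorization` value is inserted verbatim, so the variable must already carry its scheme prefix; a comment such as `# token must include the HTTP auth scheme (e.g. "Bearer <value>")` would prevent a silent 401. As in the aws-s3 template, `{{password}}`, `{{token}}` and `{{url}}` are unquoted plain scalars and should be quoted so the rendered YAML does not depend on the secret's characters. The template also appears to target a Splunk export endpoint (`/services/search/jobs/export`) although it lives under the cloudtrail data stream — presumably intentional for this test package, but worth confirming.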
diff --git a/test/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/test/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
index 3e0000d26f..bbc66f7fa8 100644
--- a/test/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
@@ -1,24 +1,28 @@
---
description: Pipeline for AWS CloudTrail Logs
processors:
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- rename:
- field: "message"
- target_field: "event.original"
+ field: message
+ target_field: event.original
+ - set:
+ if: ctx['@timestamp'] != null
+ field: event.created
+ copy_from: '@timestamp'
- json:
- field: "event.original"
- target_field: "json"
+ field: event.original
+ target_field: json
+ - pipeline:
+ if: ctx?.json?.preview != null
+ name: '{{ IngestPipeline "third-party" }}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
- date:
- field: "json.eventTime"
+ field: json.eventTime
target_field: "@timestamp"
ignore_failure: true
formats:
- ISO8601
- - set:
- field: event.created
- value: '{{@timestamp}}'
- script:
description: Drops null/empty values recursively
lang: painless
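Review bot: The reordered `set event.created` / `date` pair leaves a timestamp failure invisible: `event.created` is copied from the ingest-time `@timestamp`, and the `date` processor on `json.eventTime` that follows carries `ignore_failure: true`, so a document whose `eventTime` is missing or malformed keeps the ingest time as `@timestamp` with nothing recording that the source time was lost. Replacing `ignore_failure: true` on that processor with `on_failure: [{ append: { field: error.message, value: '{{{ _ingest.on_failure_message }}}' } }]` keeps the document while marking the discrepancy, which matters for an audit source where event ordering is the evidence. The `pipeline` processor's guard `ctx?.json?.preview != null` delegates to `third-party`, which is outside this diff; if that pipeline sets `ecs.version` itself, the unconditional `set ecs.version` that follows overwrites it, so a short comment on why the version is set after the delegation would help the next reader.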
@@ -37,93 +41,93 @@ processors:
}
drop(ctx);
- rename:
- field: "json.eventVersion"
- target_field: "aws.cloudtrail.event_version"
+ field: json.eventVersion
+ target_field: aws.cloudtrail.event_version
ignore_failure: true
- rename:
- field: "json.userIdentity.type"
- target_field: "aws.cloudtrail.user_identity.type"
+ field: json.userIdentity.type
+ target_field: aws.cloudtrail.user_identity.type
ignore_failure: true
- append:
field: related.user
value: '{{json.userIdentity.userName}}'
allow_duplicates: false
- if: 'ctx.json?.userIdentity?.userName != null'
+ if: ctx.json?.userIdentity?.userName != null
- rename:
- field: "json.userIdentity.userName"
- target_field: "user.name"
+ field: json.userIdentity.userName
+ target_field: user.name
ignore_failure: true
- rename:
- field: "json.userIdentity.principalId"
- target_field: "user.id"
+ field: json.userIdentity.principalId
+ target_field: user.id
ignore_failure: true
- rename:
- field: "json.userIdentity.arn"
- target_field: "aws.cloudtrail.user_identity.arn"
+ field: json.userIdentity.arn
+ target_field: aws.cloudtrail.user_identity.arn
ignore_failure: true
- rename:
- field: "json.userIdentity.accountId"
- target_field: "cloud.account.id"
+ field: json.userIdentity.accountId
+ target_field: cloud.account.id
ignore_failure: true
- rename:
- field: "json.userIdentity.accessKeyId"
- target_field: "aws.cloudtrail.user_identity.access_key_id"
+ field: json.userIdentity.accessKeyId
+ target_field: aws.cloudtrail.user_identity.access_key_id
ignore_failure: true
- rename:
- field: "json.userIdentity.sessionContext.attributes.mfaAuthenticated"
- target_field: "aws.cloudtrail.user_identity.session_context.mfa_authenticated"
+ field: json.userIdentity.sessionContext.attributes.mfaAuthenticated
+ target_field: aws.cloudtrail.user_identity.session_context.mfa_authenticated
ignore_failure: true
- date:
- field: "json.userIdentity.sessionContext.attributes.creationDate"
- target_field: "aws.cloudtrail.user_identity.session_context.creation_date"
+ field: json.userIdentity.sessionContext.attributes.creationDate
+ target_field: aws.cloudtrail.user_identity.session_context.creation_date
ignore_failure: true
formats:
- ISO8601
- rename:
- field: "json.userIdentity.sessionContext.sessionIssuer.type"
- target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.type"
+ field: json.userIdentity.sessionContext.sessionIssuer.type
+ target_field: aws.cloudtrail.user_identity.session_context.session_issuer.type
ignore_failure: true
# userIdentity.sessionIssuer.userName is only set with assumed roles.
- rename:
- field: "json.userIdentity.sessionContext.sessionIssuer.userName"
- target_field: "user.name"
+ field: json.userIdentity.sessionContext.sessionIssuer.userName
+ target_field: user.name
ignore_failure: true
- rename:
- field: "json.userIdentity.sessionContext.sessionIssuer.principalId"
- target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.principal_id"
+ field: json.userIdentity.sessionContext.sessionIssuer.principalId
+ target_field: aws.cloudtrail.user_identity.session_context.session_issuer.principal_id
ignore_failure: true
- rename:
- field: "json.userIdentity.sessionContext.sessionIssuer.arn"
- target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.arn"
+ field: json.userIdentity.sessionContext.sessionIssuer.arn
+ target_field: aws.cloudtrail.user_identity.session_context.session_issuer.arn
ignore_failure: true
- rename:
- field: "json.userIdentity.sessionContext.sessionIssuer.accountId"
- target_field: "aws.cloudtrail.user_identity.session_context.session_issuer.account_id"
+ field: json.userIdentity.sessionContext.sessionIssuer.accountId
+ target_field: aws.cloudtrail.user_identity.session_context.session_issuer.account_id
ignore_failure: true
- rename:
- field: "json.userIdentity.invokedBy"
- target_field: "aws.cloudtrail.user_identity.invoked_by"
+ field: json.userIdentity.invokedBy
+ target_field: aws.cloudtrail.user_identity.invoked_by
ignore_failure: true
- rename:
- field: "json.eventSource"
- target_field: "event.provider"
+ field: json.eventSource
+ target_field: event.provider
ignore_failure: true
- set:
- field: "event.action"
- value: "{{json.eventName}}"
+ field: event.action
+ value: '{{json.eventName}}'
ignore_failure: true
ignore_empty_value: true
- rename:
- field: "json.eventCategory"
- target_field: "aws.cloudtrail.event_category"
+ field: json.eventCategory
+ target_field: aws.cloudtrail.event_category
ignore_failure: true
- rename:
- field: "json.awsRegion"
- target_field: "cloud.region"
+ field: json.awsRegion
+ target_field: cloud.region
ignore_failure: true
- rename:
- field: "json.sourceIPAddress"
- target_field: "source.address"
+ field: json.sourceIPAddress
+ target_field: source.address
ignore_failure: true
- grok:
field: source.address
@@ -131,8 +135,8 @@ processors:
patterns:
- ^%{IP:source.ip}$
- geoip:
- field: "source.ip"
- target_field: "source.geo"
+ field: source.ip
+ target_field: source.geo
ignore_failure: true
ignore_missing: true
- geoip:
@@ -152,20 +156,20 @@ processors:
target_field: source.as.organization.name
ignore_missing: true
- user_agent:
- field: "json.userAgent"
- target_field: "user_agent"
+ field: json.userAgent
+ target_field: user_agent
on_failure:
- rename:
- field: "json.userAgent"
- target_field: "user_agent.original"
+ field: json.userAgent
+ target_field: user_agent.original
ignore_failure: true
- rename:
- field: "json.errorCode"
- target_field: "aws.cloudtrail.error_code"
+ field: json.errorCode
+ target_field: aws.cloudtrail.error_code
ignore_failure: true
- rename:
- field: "json.errorMessage"
- target_field: "aws.cloudtrail.error_message"
+ field: json.errorMessage
+ target_field: aws.cloudtrail.error_message
ignore_failure: true
- script:
lang: painless
@@ -200,63 +204,63 @@ processors:
}
ignore_failure: true
- rename:
- field: "json.requestId"
- target_field: "aws.cloudtrail.request_id"
+ field: json.requestId
+ target_field: aws.cloudtrail.request_id
ignore_failure: true
- rename:
- field: "json.eventID"
+ field: json.eventID
target_field: event.id
ignore_failure: true
- rename:
- field: "json.eventType"
- target_field: "aws.cloudtrail.event_type"
+ field: json.eventType
+ target_field: aws.cloudtrail.event_type
ignore_failure: true
- rename:
- field: "json.apiVersion"
- target_field: "aws.cloudtrail.api_version"
+ field: json.apiVersion
+ target_field: aws.cloudtrail.api_version
ignore_failure: true
- rename:
- field: "json.managementEvent"
- target_field: "aws.cloudtrail.management_event"
+ field: json.managementEvent
+ target_field: aws.cloudtrail.management_event
ignore_failure: true
- rename:
- field: "json.readOnly"
- target_field: "aws.cloudtrail.read_only"
+ field: json.readOnly
+ target_field: aws.cloudtrail.read_only
ignore_failure: true
- rename:
- field: "json.resources.ARN"
- target_field: "aws.cloudtrail.resources.arn"
+ field: json.resources.ARN
+ target_field: aws.cloudtrail.resources.arn
ignore_failure: true
- rename:
- field: "json.resources.accountId"
- target_field: "aws.cloudtrail.resources.account_id"
+ field: json.resources.accountId
+ target_field: aws.cloudtrail.resources.account_id
ignore_failure: true
- rename:
- field: "json.resources.type"
- target_field: "aws.cloudtrail.resources.type"
+ field: json.resources.type
+ target_field: aws.cloudtrail.resources.type
ignore_failure: true
- rename:
- field: "json.recipientAccountId"
- target_field: "aws.cloudtrail.recipient_account_id"
+ field: json.recipientAccountId
+ target_field: aws.cloudtrail.recipient_account_id
ignore_failure: true
- rename:
- field: "json.sharedEventId"
- target_field: "aws.cloudtrail.shared_event_id"
+ field: json.sharedEventId
+ target_field: aws.cloudtrail.shared_event_id
ignore_failure: true
- rename:
- field: "json.vpcEndpointId"
- target_field: "aws.cloudtrail.vpc_endpoint_id"
+ field: json.vpcEndpointId
+ target_field: aws.cloudtrail.vpc_endpoint_id
ignore_failure: true
- append:
field: related.user
value: '{{aws.cloudtrail.flattened.request_parameters.userName}}'
allow_duplicates: false
- if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.userName != null'
+ if: ctx.aws?.cloudtrail?.flattened?.request_parameters?.userName != null
- append:
field: related.user
value: '{{aws.cloudtrail.flattened.request_parameters.newUserName}}'
allow_duplicates: false
- if: 'ctx.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null'
+ if: ctx.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null
- script:
lang: painless
ignore_failure: true
@@ -289,7 +293,7 @@ processors:
}
- script:
lang: painless
- ignore_failure: true
+ tag: Add ECS categorization
params:
AddUserToGroup:
category:
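Review bot: Dropping `ignore_failure` on this categorization script is a behavior change that the hunk does not record: a Painless exception here now fails the document into the pipeline's `on_failure` handler instead of being swallowed, and the new `tag` is what makes that failure attributable in the error message. That reads as intentional, but nothing on the processor says so; a `description: Sets event.category/type from params; failures are reported via on_failure rather than ignored` line next to the tag would document it. The script body continues outside this hunk, so whether every field access it makes is null-safe cannot be checked from here.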
@@ -603,7 +607,7 @@ processors:
ctx.event.kind = 'event';
ctx.event.type = 'info';
- if (ctx.aws.cloudtrail.error_code != null || ctx.aws.cloudtrail.error_message != null) {
+ if (ctx?.aws?.cloudtrail?.error_code != null || ctx?.aws?.cloudtrail?.error_message != null) {
ctx.event.outcome = 'failure'
} else {
ctx.event.outcome = 'success'
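Review bot: The `ctx?.` null-safe access on the new condition is redundant and inconsistent with the two assignments just above it, which dereference `ctx.event` directly; `ctx` is never null in an ingest script. `if (ctx.aws?.cloudtrail?.error_code != null || ctx.aws?.cloudtrail?.error_message != null) {` keeps the useful null-safety on the nested path and matches the `ctx.aws?.…` form used in the `if:` conditions elsewhere in this commit. The enclosing script starts and ends outside this hunk.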
@@ -617,83 +621,87 @@ processors:
ctx.event.outcome = Processors.lowercase(ctx.aws.cloudtrail.flattened.response_elements.ConsoleLogin);
}
+ if (params.get(ctx.event.action) == null) {
+ return;
+ }
+
def hm = new HashMap(params.get(ctx.event.action));
hm.forEach((k, v) -> ctx.event[k] = v);
- rename:
- field: "json.awsAccountId"
- target_field: "cloud.account.id"
+ field: json.awsAccountId
+ target_field: cloud.account.id
ignore_failure: true
- rename:
- field: "json.previousDigestS3Object"
- target_field: "file.path"
+ field: json.previousDigestS3Object
+ target_field: file.path
ignore_failure: true
- rename:
- field: "json.previousDigestSignature"
- target_field: "file.hash.sha256"
+ field: json.previousDigestSignature
+ target_field: file.hash.sha256
if: >-
- ctx?.json?.previousDigestHashAlgorithm != null && ctx.json.previousDigestHashAlgorithm == 'SHA-256'
+ ctx.json?.previousDigestHashAlgorithm != null && ctx.json?.previousDigestHashAlgorithm == 'SHA-256'
- append:
- field: "related.hash"
- value: "{{file.hash.sha256}}"
- if: "ctx?.file?.hash?.sha256 != null"
+ field: related.hash
+ value: '{{file.hash.sha256}}'
+ if: ctx.file?.hash?.sha256 != null
- rename:
- field: "json.logFiles"
- target_field: "aws.cloudtrail.digest.log_files"
+ field: json.logFiles
+ target_field: aws.cloudtrail.digest.log_files
ignore_failure: true
- date:
- field: "json.digestStartTime"
- target_field: "aws.cloudtrail.digest.start_time"
+ field: json.digestStartTime
+ target_field: aws.cloudtrail.digest.start_time
ignore_failure: true
formats:
- ISO8601
- date:
- field: "json.digestEndTime"
+ field: json.digestEndTime
target_field: "@timestamp"
ignore_failure: true
formats:
- ISO8601
- date:
- field: "json.digestEndTime"
- target_field: "aws.cloudtrail.digest.end_time"
+ field: json.digestEndTime
+ target_field: aws.cloudtrail.digest.end_time
ignore_failure: true
formats:
- ISO8601
- rename:
- field: "json.digestS3Bucket"
- target_field: "aws.cloudtrail.digest.s3_bucket"
+ field: json.digestS3Bucket
+ target_field: aws.cloudtrail.digest.s3_bucket
ignore_failure: true
- date:
- field: "json.newestEventTime"
- target_field: "aws.cloudtrail.digest.newest_event_time"
+ field: json.newestEventTime
+ target_field: aws.cloudtrail.digest.newest_event_time
ignore_failure: true
formats:
- ISO8601
- date:
- field: "json.oldestEventTime"
- target_field: "aws.cloudtrail.digest.oldest_event_time"
+ field: json.oldestEventTime
+ target_field: aws.cloudtrail.digest.oldest_event_time
ignore_failure: true
formats:
- ISO8601
- rename:
- field: "json.previousDigestS3Bucket"
- target_field: "aws.cloudtrail.digest.previous_s3_bucket"
+ field: json.previousDigestS3Bucket
+ target_field: aws.cloudtrail.digest.previous_s3_bucket
ignore_failure: true
- rename:
- field: "json.previousDigestHashAlgorithm"
- target_field: "aws.cloudtrail.digest.previous_hash_algorithm"
+ field: json.previousDigestHashAlgorithm
+ target_field: aws.cloudtrail.digest.previous_hash_algorithm
ignore_failure: true
- rename:
- field: "json.publicKeyFingerprint"
- target_field: "aws.cloudtrail.digest.public_key_fingerprint"
+ field: json.publicKeyFingerprint
+ target_field: aws.cloudtrail.digest.public_key_fingerprint
ignore_failure: true
- rename:
- field: "json.digestSignatureAlgorithm"
- target_field: "aws.cloudtrail.digest.signature_algorithm"
+ field: json.digestSignatureAlgorithm
+ target_field: aws.cloudtrail.digest.signature_algorithm
ignore_failure: true
- rename:
- field: "json.insightDetails"
- target_field: "aws.cloudtrail.insight_details"
+ field: json.insightDetails
+ target_field: aws.cloudtrail.insight_details
ignore_failure: true
- set:
field: group.id
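Review bot: The rewritten `if:` on the `json.previousDigestSignature` rename keeps a redundant test: in Painless `null == 'SHA-256'` is simply false, so `ctx.json?.previousDigestHashAlgorithm == 'SHA-256'` alone is equivalent to the two-clause form. More importantly, that value is then exposed as `file.hash.sha256` and appended to `related.hash`; as far as I recall, in CloudTrail digest files `previousDigestSignature` is the signature over the previous digest, while the hash itself is carried in a separate `previousDigestHashValue` field, and if that is the case here analysts pivoting on `related.hash` would be matching a signature rather than a hash. Worth confirming against a digest sample before this mapping is kept, and the early return added at the top of this hunk also means documents whose action is not in `params` get no `event.category`, which may be intended. The script at the start of the hunk begins outside it.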
@@ -731,7 +739,13 @@ processors:
- remove:
field: json
ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
- set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
+ field: error.message
+ value: |-
+ Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}"
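Review bot: `ignore_failure: true` on the new `remove` of `event.original` hides any unexpected error and leaves the raw event in the indexed document when the user has not opted in through the `preserve_original_event` tag; `ignore_missing: true` already covers the absent-field case, so the extra flag only masks errors in the condition itself. Dropping it, or keeping it with a `description:` explaining why best-effort removal is acceptable, would make the data-minimisation intent explicit; the same pattern is added to the cloudwatch_logs default pipeline later in this commit. Separately, this handler replaces `error.message` with `set` whereas the new `third-party.yml` uses `append`, so if the two pipelines ever chain on one document the earlier error is overwritten — presumably acceptable, but worth a comment.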
diff --git a/test/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/third-party.yml b/test/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/third-party.yml
new file mode 100644
index 0000000000..4fc9012b3a
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/third-party.yml
@@ -0,0 +1,32 @@
+---
+description: Pipeline for parsing CloudTrail logs from third party api
+processors:
+ - drop:
+ if: ctx?.json?._raw == null
+ description: JSON doesn't have CloudTrail data
+ - fingerprint:
+ fields:
+ - _temp_.result._cd
+ - _temp_.result._indextime
+ - _temp_.result._raw
+ - _temp_.result._time
+ target_field: '_id'
+ ignore_missing: true
+ - set:
+ field: event.original
+ copy_from: json.result._raw
+ ignore_empty_value: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - json:
+ field: event.original
+ target_field: json
+on_failure:
+ - append:
+ field: error.message
+ value: >-
+ error in third party api pipeline:
+ error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
+ with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
+ {{ _ingest.on_failure_message }}
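Review bot: Three different paths are used for what looks like the same Splunk result object: the `drop` condition tests `ctx?.json?._raw`, `copy_from` reads `json.result._raw`, and the `fingerprint` fields read `_temp_.result.*`. If incoming documents carry `json.result._raw`, the drop fires before anything is copied; if `_temp_` is never populated, the fingerprint silently exits under `ignore_missing: true` and no `_id` is set, so deduplication is lost without any error. Which shape is right cannot be determined from this file, but the three prefixes cannot all be correct; aligning them and adding a pipeline test with a real Splunk result would pin it down. The `json` processor at the end relies solely on the pipeline-level `on_failure`, so a malformed `_raw` yields an indexed document with an error message and no parsed fields, which is fine if intended.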
diff --git a/test/packages/aws/data_stream/cloudtrail/fields/base-fields.yml b/test/packages/aws/data_stream/cloudtrail/fields/base-fields.yml
index 7c798f4534..436bcaec7b 100644
--- a/test/packages/aws/data_stream/cloudtrail/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/cloudtrail/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.cloudtrail
diff --git a/test/packages/aws/data_stream/cloudtrail/fields/ecs.yml b/test/packages/aws/data_stream/cloudtrail/fields/ecs.yml
index 81ba6c50b9..f420f22b6b 100644
--- a/test/packages/aws/data_stream/cloudtrail/fields/ecs.yml
+++ b/test/packages/aws/data_stream/cloudtrail/fields/ecs.yml
@@ -1,150 +1,90 @@
-- name: error.message
- type: text
- description: Error message.
-- name: event.action
- type: keyword
- description: The action captured by the event.
-- name: event.ingested
- type: date
- description: Timestamp when an event arrived in the central data store.
-- name: event.original
- type: keyword
- description: Raw text message of entire event. Used to demonstrate log integrity.
-- name: user.name
- type: keyword
- description: Short name or login of the user.
-- name: user.id
- type: keyword
- description: Unique identifier of the user.
-- name: user.target.name
- type: keyword
- description: Short name or login of the user.
-- name: user.target.id
- type: keyword
- description: Unique identifier of the user.
-- name: user.changes.name
- type: keyword
- description: Short name or login of the user.
-- name: group.id
- type: keyword
- description: Unique identifier for the group on the system/platform.
-- name: group.name
- type: keyword
- description: Name of the group.
-- name: file
- title: File
- type: group
- fields:
- - name: path
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Full path to the file, including the file name. It should include the drive letter, when appropriate.
- - name: hash.md5
- type: keyword
- ignore_above: 1024
- description: MD5 hash.
- - name: hash.sha1
- type: keyword
- ignore_above: 1024
- description: SHA1 hash.
- - name: hash.sha256
- type: keyword
- ignore_above: 1024
- description: SHA256 hash.
- - name: hash.sha512
- type: keyword
- ignore_above: 1024
- description: SHA512 hash.
-- name: cloud.account.id
- type: keyword
- description: The cloud account or organization id used to identify different entities in a multi-tenant environment.
-- name: event.provider
- type: keyword
- description: Source of the event.
-- name: cloud.region
- type: keyword
- description: Region in which this host is running.
-- name: source.address
- type: keyword
- description: Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.
-- name: source.ip
- type: ip
- description: IP address of the source (IPv4 or IPv6).
-- name: user_agent.device.name
- type: keyword
- description: Name of the device.
-- name: user_agent.name
- type: keyword
- description: Name of the user agent.
-- name: user_agent.original
- type: keyword
- description: Unparsed user_agent string.
-- name: user_agent.os.full
- type: keyword
- description: Operating system name, including the version or code name.
-- name: user_agent.os.name
- type: keyword
- description: Operating system name, without the version.
-- name: user_agent.os.version
- type: keyword
- description: Operating system version as a raw string.
-- name: user_agent.version
- type: keyword
- description: Version of the user agent.
-- name: related.user
- type: keyword
- description: All the user names seen on your event.
-- name: related.hash
- type: keyword
- description: All the hashes seen on your event.
-- name: event.kind
- type: keyword
- description: Event kind (e.g. event, alert, metric, state, pipeline_error, signal)
-- name: event.type
- type: keyword
- description: Event severity (e.g. info, error)
-- name: source.as.number
- type: long
- description: >-
- Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-- name: source.as.organization.name
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Organization name.
-- name: source.geo.city_name
- type: keyword
- ignore_above: 1024
- description: City name.
-- name: source.geo.continent_name
- type: keyword
- ignore_above: 1024
- description: Name of the continent.
-- name: source.geo.country_iso_code
- type: keyword
- ignore_above: 1024
- description: Country ISO code.
-- name: source.geo.country_name
- type: keyword
- ignore_above: 1024
- description: Country name.
-- name: source.geo.location
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.ingested
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.provider
+- external: ecs
+ name: event.type
+- external: ecs
+ name: file.hash.md5
+- external: ecs
+ name: file.hash.sha1
+- external: ecs
+ name: file.hash.sha256
+- external: ecs
+ name: file.hash.sha512
+- external: ecs
+ name: file.path
+- external: ecs
+ name: group.id
+- external: ecs
+ name: group.name
+- external: ecs
+ name: related.hash
+- external: ecs
+ name: related.user
+- external: ecs
+ name: source.address
+- external: ecs
+ name: source.as.number
+- external: ecs
+ name: source.as.organization.name
+- external: ecs
+ name: source.geo.city_name
+- external: ecs
+ name: source.geo.continent_name
+- external: ecs
+ name: source.geo.country_iso_code
+- external: ecs
+ name: source.geo.country_name
+- description: Longitude and latitude.
+ level: core
+ name: source.geo.location
type: geo_point
- description: Longitude and latitude.
-- name: source.geo.region_iso_code
- type: keyword
- ignore_above: 1024
- description: Region ISO code.
-- name: source.geo.region_name
- type: keyword
- ignore_above: 1024
- description: Region name.
+- external: ecs
+ name: source.geo.region_iso_code
+- external: ecs
+ name: source.geo.region_name
+- external: ecs
+ name: source.ip
+- external: ecs
+ name: tags
+- external: ecs
+ name: user.changes.name
+- external: ecs
+ name: user.id
+- external: ecs
+ name: user.name
+- external: ecs
+ name: user.target.id
+- external: ecs
+ name: user.target.name
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
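Review bot: `source.geo.location` is the only entry left declared inline (description, level, name, type) after every other field was switched to `external: ecs`; unless there is a tooling reason the geo_point cannot be resolved from the ECS reference, `- external: ecs` followed by `name: source.geo.location` would keep the file uniform, and if there is such a reason a comment above the entry should say so. Also, the sample event added later in this commit populates `event.id`, `event.category` and `event.outcome`, none of which appear in this list; if they are not declared in another fields file for this data stream they will be mapped dynamically rather than per their ECS definitions.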
diff --git a/test/packages/aws/data_stream/cloudtrail/manifest.yml b/test/packages/aws/data_stream/cloudtrail/manifest.yml
index 94b8c1d0e3..5db302b0f8 100644
--- a/test/packages/aws/data_stream/cloudtrail/manifest.yml
+++ b/test/packages/aws/data_stream/cloudtrail/manifest.yml
@@ -1,12 +1,25 @@
-title: AWS CloudTrail logs
-release: beta
+title: AWS CloudTrail Logs
type: logs
streams:
- - input: s3
- template_path: s3.yml.hbs
- title: AWS CloudTrail logs
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
+ title: AWS CloudTrail Logs
description: Collect AWS CloudTrail logs using s3 input
vars:
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- name: queue_url
type: text
title: Queue URL
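Review bot: The new `visibility_timeout` and `api_timeout` vars are free-text fields whose descriptions state a maximum but not the expected syntax, so a user has no hint whether to enter `300`, `300s` or `5m`. The `interval` var added later in this file spells out "Go Duration syntax (eg. 10s)"; the same phrase here, e.g. `description: The duration that the received messages are hidden ... The maximum is 12 hours. Go Duration syntax (e.g. 300s).`, would keep the three consistent. Neither var has a `default:`, so the template presumably omits them when blank — worth confirming that an empty string is not passed through.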
@@ -22,3 +35,161 @@ streams:
required: false
show_user: false
description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-cloudtrail
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: cloudtrail_regex
+ type: text
+ title: CloudTrail Logs regex
+ default: '/CloudTrail/'
+ required: false
+ show_user: false
+ description: |
+ Regex to match path of CloudTrail S3 Objects. If blank
+ CloudTrail logs will be skipped.
+ - name: cloudtrail_digest_regex
+ type: text
+ title: CloudTrail Digest Logs regex
+ default: '/CloudTrail-Digest/'
+ required: false
+ show_user: false
+ description: |
+ Regex to match path of CloudTrail Digest S3 Objects. If
+ blank CloudTrail Digest logs will be skipped.
+ - name: cloudtrail_insight_regex
+ type: text
+ title: CloudTrail Insight Logs regex
+ default: '/CloudTrail-Insight/'
+ required: false
+ show_user: false
+ description: |
+ Regex to match path of CloudTrail Insight S3 Objects. If
+ blank CloudTrail Insight logs will be skipped.
+ - name: max_number_of_messages
+ type: integer
+ title: Maximum Concurrent SQS Messages
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
+ - input: httpjson
+ title: AWS CloudTrail Logs via Splunk Enterprise REST API
+ description: Collect AWS CloudTrail logs via Splunk Enterprise REST API
+ enabled: false
+ template_path: httpjson.yml.hbs
+ vars:
+ - name: url
+ type: text
+ title: URL of Splunk Enterprise Server
+ description: i.e. scheme://host:port, path is automatic
+ show_user: true
+ required: true
+ default: https://server.example.com:8089
+ - name: username
+ type: text
+ title: Splunk REST API Username
+ show_user: true
+ required: false
+ - name: password
+ type: password
+ title: Splunk REST API Password
+ required: false
+ show_user: true
+ - name: token
+ type: password
+ title: Splunk Authorization Token
+ description: |
+ Bearer Token or Session Key, e.g. "Bearer eyJFd3e46..."
+ or "Splunk 192fd3e...". Cannot be used with username
+ and password.
+ show_user: true
+ required: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ multi: false
+ required: false
+ show_user: false
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - name: interval
+ type: text
+ title: Interval to query Splunk Enterprise REST API
+ description: Go Duration syntax (eg. 10s)
+ show_user: true
+ required: true
+ default: 10s
+ - name: search
+ type: text
+ title: Splunk search string
+ show_user: true
+ required: true
+ default: "search sourcetype=aws:cloudtrail"
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-cloudtrail
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
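Review bot: `username`, `password` and `token` are all `required: false` and the manifest cannot express the documented "cannot be used with username and password" rule, so a configuration with no credentials, or with both a token and a password, is accepted at this layer. Unless `httpjson.yml.hbs` (not in this diff) rejects those combinations, the input would issue unauthenticated or conflicting requests and the user would only learn of it from HTTP errors; a sentence in the `username` description stating that either a token or username/password is required would at least make the expectation visible. Wording: the `url` and `ssl` descriptions use "i.e." where they give examples, so `description: e.g. scheme://host:port, path is automatic` and `description: e.g. certificate_authorities, supported_protocols, verification_mode etc.` read correctly.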
diff --git a/test/packages/aws/data_stream/cloudtrail/sample_event.json b/test/packages/aws/data_stream/cloudtrail/sample_event.json
new file mode 100644
index 0000000000..0c8df40b3d
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudtrail/sample_event.json
@@ -0,0 +1,85 @@
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.cloudtrail"
+ },
+ "source": {
+ "address": "127.0.0.1",
+ "ip": "127.0.0.1"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "cloud": {
+ "region": "us-east-1",
+ "account": {
+ "id": "123456789012"
+ }
+ },
+ "@timestamp": "2020-01-08T20:53:12.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "user": [
+ "Alice",
+ "Bob",
+ "Robert"
+ ]
+ },
+ "event": {
+ "ingested": "2021-10-05T23:06:12.229540200Z",
+ "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EX_PRINCIPAL_ID\",\"arn\":\"arn:aws:iam::123456789012:user/Alice\",\"accountId\":\"123456789012\",\"accessKeyId\":\"EXAMPLE_KEY_ID\",\"userName\":\"Alice\"},\"eventTime\":\"2020-01-08T20:53:12Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UpdateUser\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46\",\"requestParameters\":{\"userName\":\"Bob\",\"newUserName\":\"Robert\"},\"responseElements\":null,\"requestID\":\"3a6b3260-739d-465e-9406-bcEXAMPLE\",\"eventID\":\"9150d546-3564-4262-8e62-110EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"123456789012\"}",
+ "provider": "iam.amazonaws.com",
+ "created": "2020-01-08T20:53:12.000Z",
+ "kind": "event",
+ "action": "UpdateUser",
+ "id": "9150d546-3564-4262-8e62-110EXAMPLE",
+ "type": [
+ "user",
+ "change"
+ ],
+ "category": [
+ "iam"
+ ],
+ "outcome": "success"
+ },
+ "aws": {
+ "cloudtrail": {
+ "event_version": "1.05",
+ "flattened": {
+ "request_parameters": {
+ "userName": "Bob",
+ "newUserName": "Robert"
+ }
+ },
+ "user_identity": {
+ "access_key_id": "EXAMPLE_KEY_ID",
+ "type": "IAMUser",
+ "arn": "arn:aws:iam::123456789012:user/Alice"
+ },
+ "event_type": "AwsApiCall",
+ "recipient_account_id": "123456789012",
+ "request_parameters": "{newUserName=Robert, userName=Bob}"
+ }
+ },
+ "user": {
+ "name": "Alice",
+ "changes": {
+ "name": "Robert"
+ },
+ "id": "EX_PRINCIPAL_ID",
+ "target": {
+ "name": "Bob"
+ }
+ },
+ "user_agent": {
+ "name": "aws-cli",
+ "original": "aws-cli/1.16.310 Python/3.8.1 Darwin/18.7.0 botocore/1.13.46",
+ "device": {
+ "name": "Spider"
+ },
+ "version": "1.16.310"
+ }
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log b/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log
new file mode 100644
index 0000000000..4487fdf08d
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log
@@ -0,0 +1,6 @@
+2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root.
+2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json b/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json
new file mode 100644
index 0000000000..8e4cce3a5f
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-cloudwatch-ec2.log-expected.json
@@ -0,0 +1,112 @@
+{
+ "expected": [
+ {
+ "@timestamp": "2020-02-20T07:01:01.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.525004600Z",
+ "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root."
+ },
+ "aws": {
+ "cloudwatch": {
+ "message": "ip-172-31-81-156 systemd: Stopping User Slice of root."
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2020-02-20T07:02:18.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.525012700Z",
+ "original": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms."
+ },
+ "aws": {
+ "cloudwatch": {
+ "message": "ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms."
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.525017900Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)"
+ },
+ "aws": {
+ "cloudwatch": {
+ "message": "ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.525022500Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)"
+ },
+ "aws": {
+ "cloudwatch": {
+ "message": "ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.525027400Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds."
+ },
+ "aws": {
+ "cloudwatch": {
+ "message": "ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds."
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.525032300Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s"
+ },
+ "aws": {
+ "cloudwatch": {
+ "message": "ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-common-config.yml b/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..5622947e4b
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudwatch_logs/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/aws/data_stream/cloudtrail/agent/stream/s3.yml.hbs b/test/packages/aws/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs
similarity index 64%
rename from test/packages/aws/data_stream/cloudtrail/agent/stream/s3.yml.hbs
rename to test/packages/aws/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs
index 309c650769..ccf43bcddc 100644
--- a/test/packages/aws/data_stream/cloudtrail/agent/stream/s3.yml.hbs
+++ b/test/packages/aws/data_stream/cloudwatch_logs/agent/stream/aws-s3.yml.hbs
@@ -1,5 +1,4 @@
queue_url: {{queue_url}}
-expand_event_list_from_field: Records
{{#if credential_profile_name}}
credential_profile_name: {{credential_profile_name}}
{{/if}}
@@ -12,6 +11,9 @@ visibility_timeout: {{visibility_timeout}}
{{#if api_timeout}}
api_timeout: {{api_timeout}}
{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
{{#if endpoint}}
endpoint: {{endpoint}}
{{/if}}
@@ -30,8 +32,20 @@ role_arn: {{role_arn}}
{{#if fips_enabled}}
fips_enabled: {{fips_enabled}}
{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.8.0
\ No newline at end of file
+{{processors}}
+{{/if}}
\ No newline at end of file
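Review bot: `proxy_url: {{proxy_url}}` is rendered as a plain scalar, and the variable feeding it is not declared in this data stream's manifest, so it presumably comes from the package level (not in this diff); a proxy URL can carry basic-auth credentials (`http://user:pass@host:3128`), and if that variable is a plain `text` input rather than one handled as a secret, those credentials are stored and displayed in clear in the agent policy — worth confirming before this ships. Quoting the templated value, `proxy_url: "{{proxy_url}}"`, also keeps a value containing `: ` or ` #` from breaking the rendered YAML. The same applies to the identical `proxy_url` stanza in the ec2_logs template introduced by this commit.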
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/elasticsearch/ingest_pipeline/default.yml b/test/packages/aws/data_stream/cloudwatch_logs/elasticsearch/ingest_pipeline/default.yml
index 1f7317d6dc..af65d9c1a6 100644
--- a/test/packages/aws/data_stream/cloudwatch_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/aws/data_stream/cloudwatch_logs/elasticsearch/ingest_pipeline/default.yml
@@ -2,25 +2,37 @@
description: "Pipeline for CloudWatch logs"
processors:
- - grok:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
+ - rename:
field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
patterns:
- - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{GREEDYDATA:aws.cloudwatch.message}"
- - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{GREEDYDATA:aws.cloudwatch.message}"
-
+ - '%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{GREEDYDATA:aws.cloudwatch.message}'
+ - '%{TIMESTAMP_ISO8601:_tmp.timestamp} %{GREEDYDATA:aws.cloudwatch.message}'
- date:
- field: '_tmp.timestamp'
+ field: _tmp.timestamp
target_field: "@timestamp"
ignore_failure: true
formats:
- - 'ISO8601'
-
+ - ISO8601
- remove:
field:
- _tmp
ignore_missing: true
-
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
- set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
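Review bot: The first grok pattern captures the syslog timestamp into `_tmp.syslog_timestamp`, but nothing reads it before `_tmp` is removed; an unnamed `%{SYSLOGTIMESTAMP}` there states the intent and avoids creating a field only to delete it. The `date` processor's `ignore_failure: true` also means a timestamp that grok matched but `ISO8601` cannot parse is dropped silently and the event keeps whatever `@timestamp` the agent assigned, shifting the event in time with no trace in `error.message`; replacing `ignore_failure` with an `on_failure` handler that appends `{{ _ingest.on_failure_message }}` to `error.message` keeps the failure visible to whoever investigates the data later. Both are small changes and the rest of the pipeline is consistent with the ec2_logs one in this commit.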
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/fields/base-fields.yml b/test/packages/aws/data_stream/cloudwatch_logs/fields/base-fields.yml
index 7c798f4534..4fbeaa06a9 100644
--- a/test/packages/aws/data_stream/cloudwatch_logs/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/cloudwatch_logs/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.cloudwatch_logs
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/fields/ecs.yml b/test/packages/aws/data_stream/cloudwatch_logs/fields/ecs.yml
new file mode 100644
index 0000000000..def0bf767f
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudwatch_logs/fields/ecs.yml
@@ -0,0 +1,6 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: tags
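Review bot: The data stream's pipeline writes `event.ingested` and `event.original` (the `set` and `rename` processors in `default.yml`), but this new ECS field list declares only `ecs.version`, `error.message` and `tags`. Unless another fields file in the data stream (not in this diff) declares them, those two fields fall back to dynamic mapping, which is the wrong default for `event.original` in particular — ECS defines it as a keyword that is not meant to be indexed, and a raw copy of every log line is the largest field in the document. Adding `- external: ecs` entries for `event.ingested` and `event.original` here pins the intended mapping; the same check applies to `aws.cloudwatch.message`, which presumably lives in `fields.yml`.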
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/manifest.yml b/test/packages/aws/data_stream/cloudwatch_logs/manifest.yml
index 6fc61a757b..7608cf4037 100644
--- a/test/packages/aws/data_stream/cloudwatch_logs/manifest.yml
+++ b/test/packages/aws/data_stream/cloudwatch_logs/manifest.yml
@@ -1,12 +1,25 @@
title: AWS CloudWatch logs
-release: beta
type: logs
streams:
- - input: s3
- template_path: s3.yml.hbs
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
title: AWS CloudWatch logs
description: Collect AWS CloudWatch logs using s3 input
vars:
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- name: queue_url
type: text
title: Queue URL
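Review bot: The `api_timeout` description reads "The maximum duration of AWS API can take", which is ungrammatical in the UI; suggest `description: The maximum duration an AWS API call can take. The maximum is half of the visibility timeout value.` The same text is added to the ec2_logs manifest in this commit and should be fixed there too.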
@@ -22,3 +35,36 @@ streams:
required: false
show_user: false
description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-cloudwatch-logs
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: max_number_of_messages
+ type: integer
+ title: Maximum Concurrent SQS Messages
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/sample_event.json b/test/packages/aws/data_stream/cloudwatch_logs/sample_event.json
new file mode 100644
index 0000000000..b41878aaf2
--- /dev/null
+++ b/test/packages/aws/data_stream/cloudwatch_logs/sample_event.json
@@ -0,0 +1,23 @@
+{
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.cloudwatch_logs"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-07-19T21:47:04.696803300Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s"
+ },
+ "aws": {
+ "cloudwatch": {
+ "message": "ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudwatch_metrics/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/cloudwatch_metrics/agent/stream/stream.yml.hbs
index 40e4c2530b..71d53c29ac 100644
--- a/test/packages/aws/data_stream/cloudwatch_metrics/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/cloudwatch_metrics/agent/stream/stream.yml.hbs
@@ -30,3 +30,6 @@ latency: {{latency}}
{{#if metrics}}
metrics: {{metrics}}
{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
diff --git a/test/packages/aws/data_stream/cloudwatch_metrics/fields/base-fields.yml b/test/packages/aws/data_stream/cloudwatch_metrics/fields/base-fields.yml
index 7c798f4534..901d85d431 100644
--- a/test/packages/aws/data_stream/cloudwatch_metrics/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/cloudwatch_metrics/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.cloudwatch_metrics
diff --git a/test/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml b/test/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
+++ b/test/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/cloudwatch_metrics/manifest.yml b/test/packages/aws/data_stream/cloudwatch_metrics/manifest.yml
index dae477ae67..543c24a8c5 100644
--- a/test/packages/aws/data_stream/cloudwatch_metrics/manifest.yml
+++ b/test/packages/aws/data_stream/cloudwatch_metrics/manifest.yml
@@ -1,5 +1,4 @@
title: AWS CloudWatch metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/cloudwatch_metrics/sample_event.json b/test/packages/aws/data_stream/cloudwatch_metrics/sample_event.json
index 431705cacd..bf25e887b5 100644
--- a/test/packages/aws/data_stream/cloudwatch_metrics/sample_event.json
+++ b/test/packages/aws/data_stream/cloudwatch_metrics/sample_event.json
@@ -2,7 +2,7 @@
"@timestamp": "2020-05-28T17:17:02.812Z",
"event": {
"duration": 14119105951,
- "dataset": "aws.cloudwatch",
+ "dataset": "aws.cloudwatch_metrics",
"module": "aws"
},
"ecs": {
diff --git a/test/packages/aws/data_stream/dynamodb/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/dynamodb/agent/stream/stream.yml.hbs
index 07e4a166ac..f6662fd6ce 100644
--- a/test/packages/aws/data_stream/dynamodb/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/dynamodb/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/dynamodb/fields/base-fields.yml b/test/packages/aws/data_stream/dynamodb/fields/base-fields.yml
index 7c798f4534..f4dcea38bf 100644
--- a/test/packages/aws/data_stream/dynamodb/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/dynamodb/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.dynamodb
diff --git a/test/packages/aws/data_stream/dynamodb/fields/ecs.yml b/test/packages/aws/data_stream/dynamodb/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/dynamodb/fields/ecs.yml
+++ b/test/packages/aws/data_stream/dynamodb/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/dynamodb/manifest.yml b/test/packages/aws/data_stream/dynamodb/manifest.yml
index 12bec6c6e8..437195faec 100644
--- a/test/packages/aws/data_stream/dynamodb/manifest.yml
+++ b/test/packages/aws/data_stream/dynamodb/manifest.yml
@@ -1,5 +1,4 @@
title: AWS DynamoDB metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/ebs/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/ebs/agent/stream/stream.yml.hbs
index b0d8e145fa..df4b1aaf07 100644
--- a/test/packages/aws/data_stream/ebs/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/ebs/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/ebs/fields/base-fields.yml b/test/packages/aws/data_stream/ebs/fields/base-fields.yml
index 7c798f4534..85dfe5c907 100644
--- a/test/packages/aws/data_stream/ebs/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/ebs/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.ebs
diff --git a/test/packages/aws/data_stream/ebs/fields/ecs.yml b/test/packages/aws/data_stream/ebs/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/ebs/fields/ecs.yml
+++ b/test/packages/aws/data_stream/ebs/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/ebs/manifest.yml b/test/packages/aws/data_stream/ebs/manifest.yml
index 5d0cce0e85..483fb237a5 100644
--- a/test/packages/aws/data_stream/ebs/manifest.yml
+++ b/test/packages/aws/data_stream/ebs/manifest.yml
@@ -1,5 +1,4 @@
title: AWS EBS metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-common-config.yml b/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..5622947e4b
--- /dev/null
+++ b/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log b/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log
new file mode 100644
index 0000000000..4487fdf08d
--- /dev/null
+++ b/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log
@@ -0,0 +1,6 @@
+2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root.
+2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.
+2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s
diff --git a/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json b/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json
new file mode 100644
index 0000000000..4298569cb3
--- /dev/null
+++ b/test/packages/aws/data_stream/ec2_logs/_dev/test/pipeline/test-ec2.log-expected.json
@@ -0,0 +1,136 @@
+{
+ "expected": [
+ {
+ "process": {
+ "name": "systemd"
+ },
+ "@timestamp": "2020-02-20T07:01:01.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.684169900Z",
+ "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root."
+ },
+ "aws": {
+ "ec2": {
+ "ip_address": "ip-172-31-81-156"
+ }
+ },
+ "message": "Stopping User Slice of root.",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "name": "dhclient[3000]"
+ },
+ "@timestamp": "2020-02-20T07:02:18.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.684178100Z",
+ "original": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms."
+ },
+ "aws": {
+ "ec2": {
+ "ip_address": "ip-172-31-81-156"
+ }
+ },
+ "message": "XMT: Solicit on eth0, interval 125240ms.",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "name": "dhclient[2898]"
+ },
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.684183300Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)"
+ },
+ "aws": {
+ "ec2": {
+ "ip_address": "ip-172-31-81-156"
+ }
+ },
+ "message": "DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "name": "dhclient[2898]"
+ },
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.684188400Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)"
+ },
+ "aws": {
+ "ec2": {
+ "ip_address": "ip-172-31-81-156"
+ }
+ },
+ "message": "DHCPACK from 172.31.80.1 (xid=0x4575af22)",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "name": "dhclient[2898]"
+ },
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.684193500Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds."
+ },
+ "aws": {
+ "ec2": {
+ "ip_address": "ip-172-31-81-156"
+ }
+ },
+ "message": "bound to 172.31.81.156 -- renewal in 1599 seconds.",
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "process": {
+ "name": "ec2net"
+ },
+ "@timestamp": "2020-02-20T07:02:37.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:11:58.684198500Z",
+ "original": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s"
+ },
+ "aws": {
+ "ec2": {
+ "ip_address": "ip-172-31-81-156"
+ }
+ },
+ "message": "[get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s",
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/cloudwatch_logs/agent/stream/s3.yml.hbs b/test/packages/aws/data_stream/ec2_logs/agent/stream/aws-s3.yml.hbs
similarity index 64%
rename from test/packages/aws/data_stream/cloudwatch_logs/agent/stream/s3.yml.hbs
rename to test/packages/aws/data_stream/ec2_logs/agent/stream/aws-s3.yml.hbs
index 6a00835778..ccf43bcddc 100644
--- a/test/packages/aws/data_stream/cloudwatch_logs/agent/stream/s3.yml.hbs
+++ b/test/packages/aws/data_stream/ec2_logs/agent/stream/aws-s3.yml.hbs
@@ -11,6 +11,9 @@ visibility_timeout: {{visibility_timeout}}
{{#if api_timeout}}
api_timeout: {{api_timeout}}
{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
{{#if endpoint}}
endpoint: {{endpoint}}
{{/if}}
@@ -29,8 +32,20 @@ role_arn: {{role_arn}}
{{#if fips_enabled}}
fips_enabled: {{fips_enabled}}
{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
+{{processors}}
+{{/if}}
\ No newline at end of file
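Review bot: The `- {{tag}}` entries under `tags:` are emitted as plain YAML scalars, so a user-supplied tag is re-typed by the YAML parser: `no`, `on`, `off` or `2021-12-09` become a boolean or a date instead of a string, and a tag containing `: ` or ` #` breaks the rendered config. Quoting the templated value, `- "{{tag}}"`, keeps every tag a string; the `proxy_url` line has the same exposure. This template is a verbatim copy of the cloudwatch_logs one introduced by the same commit, so whichever fix is chosen should be applied to both.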
diff --git a/test/packages/aws/data_stream/ec2_logs/elasticsearch/ingest_pipeline/default.yml b/test/packages/aws/data_stream/ec2_logs/elasticsearch/ingest_pipeline/default.yml
index 002e3d24df..db6732f5e0 100644
--- a/test/packages/aws/data_stream/ec2_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/aws/data_stream/ec2_logs/elasticsearch/ingest_pipeline/default.yml
@@ -2,24 +2,36 @@
description: "Pipeline for EC2 logs in CloudWatch"
processors:
- - grok:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
+ - rename:
field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
patterns:
- - "%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{IPORHOST:aws.ec2.ip_address} %{DATA:process.name}(?:\\[%{POSINT:process.pid}\\])?: %{GREEDYDATA:message}"
-
+ - '%{TIMESTAMP_ISO8601:_tmp.timestamp} %{SYSLOGTIMESTAMP:_tmp.syslog_timestamp} %{IPORHOST:aws.ec2.ip_address} %{DATA:process.name}(?:\\[%{POSINT:process.pid}\\])?: %{GREEDYDATA:message}'
- date:
- field: '_tmp.timestamp'
- target_field: "@timestamp"
+ field: _tmp.timestamp
+ target_field: '@timestamp'
ignore_failure: true
formats:
- - 'ISO8601'
-
+ - ISO8601
- remove:
field:
- _tmp
ignore_missing: true
-
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
- set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
+ field: 'error.message'
+ value: '{{ _ingest.on_failure_message }}'
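Review bot: Switching the grok pattern from double to single quotes while keeping `\\[` and `\\]` changes the regex: in a single-quoted YAML scalar `\\` is two literal backslashes, so the pattern now contains an escaped backslash followed by the start of a character class rather than the escaped bracket the double-quoted original produced, and the optional pid group can never match a real log line. The new expected output confirms the regression — `process.name` comes through as `dhclient[3000]` and no `process.pid` is produced for any of the dhclient lines. Use single backslashes in the single-quoted form, `(?:\[%{POSINT:process.pid}\])?: %{GREEDYDATA:message}`, and regenerate `test-ec2.log-expected.json` so it shows `process.name: dhclient` with `process.pid` populated; if `process.pid` is mapped as `long`, a `convert` processor (type `long`, `ignore_missing: true`) should follow the grok, since grok captures it as a string.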
diff --git a/test/packages/aws/data_stream/ec2_logs/fields/base-fields.yml b/test/packages/aws/data_stream/ec2_logs/fields/base-fields.yml
index 7c798f4534..1cb7e48820 100644
--- a/test/packages/aws/data_stream/ec2_logs/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/ec2_logs/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.ec2_logs
diff --git a/test/packages/aws/data_stream/ec2_logs/fields/ecs.yml b/test/packages/aws/data_stream/ec2_logs/fields/ecs.yml
new file mode 100644
index 0000000000..b190938377
--- /dev/null
+++ b/test/packages/aws/data_stream/ec2_logs/fields/ecs.yml
@@ -0,0 +1,8 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: message
+- external: ecs
+ name: tags
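Review bot: This ECS field list omits `process.name` and `process.pid`, which the grok pattern in this data stream's pipeline writes, as well as `event.ingested` and `event.original`, which its `set` and `rename` processors write. Unless another fields file in the data stream (not in this diff) declares them, those fields are left to dynamic mapping, and `process.pid` in particular would be mapped from the string grok produces rather than as the `long` ECS defines. Adding `- external: ecs` entries for `process.name`, `process.pid`, `event.ingested` and `event.original` here keeps the mapping explicit and in step with the pipeline.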
diff --git a/test/packages/aws/data_stream/ec2_logs/manifest.yml b/test/packages/aws/data_stream/ec2_logs/manifest.yml
index aca6fb44b4..3c7e8961cd 100644
--- a/test/packages/aws/data_stream/ec2_logs/manifest.yml
+++ b/test/packages/aws/data_stream/ec2_logs/manifest.yml
@@ -1,12 +1,25 @@
title: AWS EC2 logs
-release: beta
type: logs
streams:
- - input: s3
- template_path: s3.yml.hbs
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
title: AWS EC2 logs
description: Collect AWS EC2 logs using s3 input
vars:
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- name: queue_url
type: text
title: Queue URL
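Review bot: The `api_timeout` description reads "The maximum duration of AWS API can take", which is ungrammatical in the UI; suggest `description: The maximum duration an AWS API call can take. The maximum is half of the visibility timeout value.` The cloudwatch_logs manifest in this commit carries the same sentence.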
@@ -22,3 +35,36 @@ streams:
required: false
show_user: false
description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-ec2-logs
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: max_number_of_messages
+ type: integer
+ title: Maximum Concurrent SQS Messages
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
diff --git a/test/packages/aws/data_stream/ec2_logs/sample_event.json b/test/packages/aws/data_stream/ec2_logs/sample_event.json
new file mode 100644
index 0000000000..a121694710
--- /dev/null
+++ b/test/packages/aws/data_stream/ec2_logs/sample_event.json
@@ -0,0 +1,27 @@
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.ec2_logs"
+ },
+ "process": {
+ "name": "systemd"
+ },
+ "@timestamp": "2020-02-20T07:01:01.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-07-19T21:47:04.871450600Z",
+ "original": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root."
+ },
+ "aws": {
+ "ec2": {
+ "ip_address": "ip-172-31-81-156"
+ }
+ },
+ "message": "Stopping User Slice of root.",
+ "tags": [
+ "preserve_original_event"
+ ]
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/ec2_metrics/_dev/test/system/test-default-config.yml b/test/packages/aws/data_stream/ec2_metrics/_dev/test/system/test-default-config.yml
index 0f384a1fe5..15d7d57b30 100644
--- a/test/packages/aws/data_stream/ec2_metrics/_dev/test/system/test-default-config.yml
+++ b/test/packages/aws/data_stream/ec2_metrics/_dev/test/system/test-default-config.yml
@@ -1,4 +1,4 @@
-wait_for_data_timeout: 20m # AWS CloudWatch may delay metrics delivery for more that 10 minutes.
+wait_for_data_timeout: 20m # AWS CloudWatch may delay metrics delivery for more than 10 minutes.
vars:
access_key_id: '{{AWS_ACCESS_KEY_ID}}'
secret_access_key: '{{AWS_SECRET_ACCESS_KEY}}'
diff --git a/test/packages/aws/data_stream/ec2_metrics/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/ec2_metrics/agent/stream/stream.yml.hbs
index 5eb40ca78b..d1c7ff7dd4 100644
--- a/test/packages/aws/data_stream/ec2_metrics/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/ec2_metrics/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/ec2_metrics/fields/base-fields.yml b/test/packages/aws/data_stream/ec2_metrics/fields/base-fields.yml
index 7c798f4534..9e545fc4a7 100644
--- a/test/packages/aws/data_stream/ec2_metrics/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/ec2_metrics/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.ec2_metrics
diff --git a/test/packages/aws/data_stream/ec2_metrics/fields/ecs.yml b/test/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
+++ b/test/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/ec2_metrics/manifest.yml b/test/packages/aws/data_stream/ec2_metrics/manifest.yml
index 8a3d5fb87f..1a78ff9099 100644
--- a/test/packages/aws/data_stream/ec2_metrics/manifest.yml
+++ b/test/packages/aws/data_stream/ec2_metrics/manifest.yml
@@ -1,5 +1,4 @@
title: AWS EC2 metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/ec2_metrics/sample_event.json b/test/packages/aws/data_stream/ec2_metrics/sample_event.json
index ffdd822660..6969b62dbc 100644
--- a/test/packages/aws/data_stream/ec2_metrics/sample_event.json
+++ b/test/packages/aws/data_stream/ec2_metrics/sample_event.json
@@ -83,7 +83,7 @@
"event": {
"module": "aws",
"duration": 23217499283,
- "dataset": "aws.ec2"
+ "dataset": "aws.ec2_metrics"
},
"metricset": {
"period": 300000,
diff --git a/test/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json b/test/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
index 69935eea78..baf96cc0f7 100644
--- a/test/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
+++ b/test/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-alb.log-expected.json
@@ -1,22 +1,38 @@
{
"expected": [
{
- "cloud": {
- "provider": "aws"
- },
"tracing": {
"trace": {
"id": "Root=1-58337262-36d228ad5d99923122bbe354"
}
},
+ "source": {
+ "port": "2817",
+ "ip": "192.168.131.39"
+ },
+ "url": {
+ "path": "/",
+ "original": "http://www.example.com:80/",
+ "scheme": "http",
+ "port": 80,
+ "domain": "www.example.com"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "cloud": {
+ "provider": "aws"
+ },
"@timestamp": "2018-07-02T22:23:00.186Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"http": {
"request": {
"method": "get",
"body": {
"bytes": 34
- },
- "referrer": "http://www.example.com:80/"
+ }
},
"version": "1.1",
"response": {
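Review bot: `source.port` is recorded as the string `"2817"` while `url.port` in the same expected event is the number `80`; ECS declares `source.port` as `long`, so the value is only numeric if the index mapping happens to coerce it, and a dynamically mapped string port breaks range queries and numeric comparisons in detection rules. The grok capture for the client port is outside this hunk (presumably in the `ELBCOMMON` pattern), but it should convert on capture, e.g. `%{POSINT:source.port:int}`, after which this fixture should be regenerated with `"port": 2817`. The same string value appears in the new `sample_event.json` for this data stream.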
@@ -26,9 +42,14 @@
"status_code": 200
}
},
- "source": {
- "port": "2817",
- "ip": "192.168.131.39"
+ "event": {
+ "ingested": "2021-12-09T16:11:58.868846100Z",
+ "original": "http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 \"GET http://www.example.com:80/ HTTP/1.1\" \"curl/7.46.0\" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \"Root=1-58337262-36d228ad5d99923122bbe354\" \"-\" \"-\" 0 2018-07-02T22:22:48.364000Z \"forward,redirect\" \"-\" \"-\" \"10.0.0.1:80\" \"200\" \"-\" \"-\"",
+ "kind": "event",
+ "start": "2018-07-02T22:22:48.364000Z",
+ "end": "2018-07-02T22:23:00.186Z",
+ "category": "web",
+ "outcome": "success"
},
"aws": {
"elb": {
@@ -70,15 +91,13 @@
]
}
},
- "event": {
- "start": "2018-07-02T22:22:48.364000Z",
- "end": "2018-07-02T22:23:00.186Z",
- "category": "web",
- "kind": "event",
- "outcome": "success"
- },
"user_agent": {
- "original": "curl/7.46.0"
+ "name": "curl",
+ "original": "curl/7.46.0",
+ "device": {
+ "name": "Other"
+ },
+ "version": "7.46.0"
}
}
]
diff --git a/test/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-common-config.yml b/test/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..5622947e4b
--- /dev/null
+++ b/test/packages/aws/data_stream/elb_logs/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/aws/data_stream/ec2_logs/agent/stream/s3.yml.hbs b/test/packages/aws/data_stream/elb_logs/agent/stream/aws-s3.yml.hbs
similarity index 64%
rename from test/packages/aws/data_stream/ec2_logs/agent/stream/s3.yml.hbs
rename to test/packages/aws/data_stream/elb_logs/agent/stream/aws-s3.yml.hbs
index 6a00835778..ccf43bcddc 100644
--- a/test/packages/aws/data_stream/ec2_logs/agent/stream/s3.yml.hbs
+++ b/test/packages/aws/data_stream/elb_logs/agent/stream/aws-s3.yml.hbs
@@ -11,6 +11,9 @@ visibility_timeout: {{visibility_timeout}}
{{#if api_timeout}}
api_timeout: {{api_timeout}}
{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
{{#if endpoint}}
endpoint: {{endpoint}}
{{/if}}
@@ -29,8 +32,20 @@ role_arn: {{role_arn}}
{{#if fips_enabled}}
fips_enabled: {{fips_enabled}}
{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
+{{processors}}
+{{/if}}
\ No newline at end of file
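Review bot: The new `{{#if proxy_url }}` guard carries a stray space before the closing braces that the sibling guards (`{{#if max_number_of_messages}}`, `{{#if fips_enabled}}`) do not; it should read `{{#if proxy_url}}` for consistency. A proxy URL is also a common carrier of basic-auth credentials, and this template writes it into the rendered agent policy verbatim; if the `proxy_url` variable (declared outside this hunk) is a plain text var, its description should tell operators that any embedded credentials end up in clear text in the policy, or recommend an unauthenticated proxy. The `tags:` key is emitted unconditionally, so if a user clears the Tags list while leaving Preserve original event off, the policy contains a bare `tags:` (YAML null) rather than an empty list; guarding the key, or documenting that the list must stay non-empty, avoids depending on how the input treats null there.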
diff --git a/test/packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml b/test/packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml
index b7edf61ada..10dbec91e2 100644
--- a/test/packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/aws/data_stream/elb_logs/elasticsearch/ingest_pipeline/default.yml
@@ -2,8 +2,18 @@
description: "Pipeline for ELB logs"
processors:
- - grok:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
+ - rename:
field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
# Classic ELB patterns documented in https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html
# ELB v2 Application load balancers https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html
# ELB v2 Netwwork load balancers https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
@@ -75,8 +85,8 @@ processors:
(?:-|%{NUMBER:aws.elb.backend.http.response.status_code:long})
%{NUMBER:http.request.body.bytes:long}
%{NUMBER:http.response.body.bytes:long}
- \"(?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:http.request.referrer}) (?:-|HTTP/%{NOTSPACE:http.version})\"
- \"%{DATA:user_agent.original}\"
+ \"(?:-|%{WORD:http.request.method}) (?:-|%{NOTSPACE:_tmp.uri_orig}) (?:-|HTTP/%{NOTSPACE:http.version})\"
+ \"%{DATA:_tmp.user_agent}\"
%{ELBSSL}
ELBTCPLOG: >-
%{ELBCOMMON}
@@ -89,110 +99,100 @@ processors:
%{ELBSSL}
ELBV2TYPE: '%{WORD:aws.elb.type}'
ELBV2LOGVERSION: '%{NOTSPACE}' # Could be used to support different log versions, only 1.0 exists now
-
- set:
field: event.kind
value: event
-
- set:
field: cloud.provider
value: aws
-
- set:
- if: 'ctx.http != null'
- field: 'aws.elb.protocol'
- value: 'http'
+ if: ctx.http != null
+ field: aws.elb.protocol
+ value: http
+
+ - uri_parts:
+ if: 'ctx?._tmp?.uri_orig != null'
+ field: _tmp.uri_orig
+ ignore_failure: true
+
+ - user_agent:
+ if: 'ctx?._tmp?.user_agent != null'
+ field: _tmp.user_agent
+ ignore_missing: true
- set:
- if: 'ctx.http != null'
+ if: ctx.http != null
field: event.category
value: web
-
- set:
- if: 'ctx.http == null'
- field: 'aws.elb.protocol'
- value: 'tcp'
-
+ field: aws.elb.protocol
+ value: tcp
+ if: ctx.http == null
- set:
- if: 'ctx.http == null'
field: event.category
value: network
-
+ if: ctx.http == null
- set:
- if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400'
field: event.outcome
value: success
-
+ if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code < 400'
- set:
- if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400'
field: event.outcome
value: failure
-
+ if: 'ctx?.http?.response?.status_code != null && ctx.http.response.status_code >= 400'
- lowercase:
field: http.request.method
ignore_missing: true
-
- set:
- if: "ctx?.aws?.elb?.trace_id != null"
field: tracing.trace.id
- value: "{{aws.elb.trace_id}}"
-
+ value: '{{aws.elb.trace_id}}'
+ if: ctx?.aws?.elb?.trace_id != null
- split:
- field: '_tmp.actions_executed'
- target_field: 'aws.elb.action_executed'
+ field: _tmp.actions_executed
+ target_field: aws.elb.action_executed
separator: ','
ignore_missing: true
-
- split:
- field: '_tmp.target_port'
- target_field: 'aws.elb.target_port'
+ field: _tmp.target_port
+ target_field: aws.elb.target_port
separator: ' '
ignore_missing: true
-
- split:
- field: '_tmp.target_status_code'
- target_field: 'aws.elb.target_status_code'
+ field: _tmp.target_status_code
+ target_field: aws.elb.target_status_code
separator: ' '
ignore_missing: true
-
- date:
- field: '_tmp.timestamp'
+ field: _tmp.timestamp
formats:
- - 'ISO8601'
-
+ - ISO8601
- set:
- field: 'event.end'
+ field: event.end
value: '{{ @timestamp }}'
-
- geoip:
- field: 'source.ip'
- target_field: 'source.geo'
+ field: source.ip
+ target_field: source.geo
ignore_missing: true
-
- geoip:
- database_file: 'GeoLite2-ASN.mmdb'
- field: 'source.ip'
- target_field: 'source.as'
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
properties:
- - 'asn'
- - 'organization_name'
+ - asn
+ - organization_name
ignore_missing: true
-
- rename:
field: source.as.asn
target_field: source.as.number
ignore_missing: true
-
- rename:
field: source.as.organization_name
target_field: source.as.organization.name
ignore_missing: true
-
- set:
field: tls.cipher
value: '{{aws.elb.ssl_cipher}}'
if: ctx.aws?.elb?.ssl_cipher != null
-
- script:
lang: painless
if: ctx.aws?.elb?.ssl_protocol != null
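Review bot: The new `uri_parts` processor sets `ignore_failure: true`, and `_tmp.uri_orig` is removed at the end of the pipeline, so a request URI that `uri_parts` cannot parse is silently dropped from the event: no `url.*` field, no `url.original`, and no `error.message`. For a web access log that is the worst field to lose, because a request line that fails URI parsing (a malformed escape sequence, odd characters) is plausibly exactly the request an analyst wants to inspect, and the only trace left is `event.original` when the user opted in to preserving it. Replace `ignore_failure` with a processor-level `on_failure` that copies the raw value into `url.original`, matching the `'{{aws.elb.trace_id}}'` style already used in this file; the pipeline then continues and the later `_tmp` removal still runs.

```yaml
  - uri_parts:
      if: 'ctx?._tmp?.uri_orig != null'
      field: _tmp.uri_orig
      on_failure:
        # Keep the raw request URI when it cannot be parsed; _tmp is removed later.
        - set:
            field: url.original
            value: '{{_tmp.uri_orig}}'
# … unchanged: user_agent, event.category, event.outcome, geoip processors …
```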
@@ -207,14 +207,16 @@ processors:
ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1);
}
ctx.tls.version_protocol = parts[0].toLowerCase();
-
- remove:
field:
- - message
- _tmp
ignore_missing: true
-
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
- set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
+ field: 'error.message'
+ value: '{{ _ingest.on_failure_message }}'
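Review bot: The pipeline-level `on_failure` only sets `error.message`, so when any processor fails the trailing `remove` of `_tmp` never runs and the failed document is indexed with `_tmp.uri_orig`, `_tmp.user_agent`, `_tmp.timestamp` and the other scratch fields, which are not declared and will be dynamically mapped. Add the cleanup to the handler as well: `- remove:` / `    field: _tmp` / `    ignore_missing: true` after the existing `set`. Leaving `event.original` in place on failure is fine (it is the only copy of the raw line at that point), but it is worth a one-line comment saying so, since the preceding `remove` looks like it should always strip it unless the tag is present.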
diff --git a/test/packages/aws/data_stream/elb_logs/fields/base-fields.yml b/test/packages/aws/data_stream/elb_logs/fields/base-fields.yml
index 7c798f4534..fedbf54e90 100644
--- a/test/packages/aws/data_stream/elb_logs/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/elb_logs/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.elb_logs
diff --git a/test/packages/aws/data_stream/elb_logs/fields/ecs.yml b/test/packages/aws/data_stream/elb_logs/fields/ecs.yml
new file mode 100644
index 0000000000..00a5436510
--- /dev/null
+++ b/test/packages/aws/data_stream/elb_logs/fields/ecs.yml
@@ -0,0 +1,22 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: tags
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.port
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.version
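Review bot: This new ECS field list does not include `event.original` or `event.ingested`, both of which the updated pipeline now writes (`rename message -> event.original`, `set event.ingested`); unless they are declared in another fields file outside this diff, they will be dynamically mapped, and for `event.original` that means an indexed `text` plus `keyword` copy of the full raw log line rather than the ECS-recommended non-indexed mapping. Add `- external: ecs` / `  name: event.original` and the same for `event.ingested`, and confirm `source.port` (emitted by the pipeline) is declared with its ECS `long` type somewhere in this data stream.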
diff --git a/test/packages/aws/data_stream/elb_logs/manifest.yml b/test/packages/aws/data_stream/elb_logs/manifest.yml
index 4fcba786fc..fdd4f2549e 100644
--- a/test/packages/aws/data_stream/elb_logs/manifest.yml
+++ b/test/packages/aws/data_stream/elb_logs/manifest.yml
@@ -1,12 +1,25 @@
title: AWS ELB logs
-release: beta
type: logs
streams:
- - input: s3
- template_path: s3.yml.hbs
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
title: AWS ELB logs
description: Collect AWS ELB logs using s3 input
vars:
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- name: queue_url
type: text
title: Queue URL
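Review bot: The `api_timeout` description is ungrammatical and the two new timeout variables give the user no hint about the accepted format; suggest `description: The maximum duration an AWS API call can take. The maximum is half of the visibility timeout value.` and, if these accept Go-style durations such as `300s` (not verifiable from this diff), an example in each description. The stream description on the unchanged line below still says `Collect AWS ELB logs using s3 input` although the commit renames the input to `aws-s3`; update it to `Collect AWS ELB logs using the aws-s3 input`. Declaring both timeouts as `type: text` means Fleet performs no validation, so a typo is only caught when the agent fails to start the input; a short note on the expected format mitigates that.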
@@ -22,3 +35,36 @@ streams:
required: false
show_user: false
description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-elb-logs
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: max_number_of_messages
+ type: integer
+ title: Maximum Concurrent SQS Messages
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
diff --git a/test/packages/aws/data_stream/elb_logs/sample_event.json b/test/packages/aws/data_stream/elb_logs/sample_event.json
new file mode 100644
index 0000000000..d0d9729d89
--- /dev/null
+++ b/test/packages/aws/data_stream/elb_logs/sample_event.json
@@ -0,0 +1,105 @@
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.elb_logs"
+ },
+ "tracing": {
+ "trace": {
+ "id": "Root=1-58337262-36d228ad5d99923122bbe354"
+ }
+ },
+ "source": {
+ "port": "2817",
+ "ip": "192.168.131.39"
+ },
+ "url": {
+ "path": "/",
+ "original": "http://www.example.com:80/",
+ "scheme": "http",
+ "port": 80,
+ "domain": "www.example.com"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "cloud": {
+ "provider": "aws"
+ },
+ "@timestamp": "2018-07-02T22:23:00.186Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "http": {
+ "request": {
+ "method": "get",
+ "body": {
+ "bytes": 34
+ }
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 366
+ },
+ "status_code": 200
+ }
+ },
+ "event": {
+ "ingested": "2021-07-19T21:47:05.084930900Z",
+ "original": "http 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.000 0.001 0.000 200 200 34 366 \"GET http://www.example.com:80/ HTTP/1.1\" \"curl/7.46.0\" - - arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 \"Root=1-58337262-36d228ad5d99923122bbe354\" \"-\" \"-\" 0 2018-07-02T22:22:48.364000Z \"forward,redirect\" \"-\" \"-\" \"10.0.0.1:80\" \"200\" \"-\" \"-\"",
+ "kind": "event",
+ "start": "2018-07-02T22:22:48.364000Z",
+ "end": "2018-07-02T22:23:00.186Z",
+ "category": "web",
+ "outcome": "success"
+ },
+ "aws": {
+ "elb": {
+ "trace_id": "Root=1-58337262-36d228ad5d99923122bbe354",
+ "matched_rule_priority": "0",
+ "type": "http",
+ "request_processing_time": {
+ "sec": 0.0
+ },
+ "response_processing_time": {
+ "sec": 0.0
+ },
+ "target_port": [
+ "10.0.0.1:80"
+ ],
+ "protocol": "http",
+ "target_status_code": [
+ "200"
+ ],
+ "name": "app/my-loadbalancer/50dc6c495c0c9188",
+ "backend": {
+ "port": "80",
+ "http": {
+ "response": {
+ "status_code": 200
+ }
+ },
+ "ip": "10.0.0.1"
+ },
+ "target_group": {
+ "arn": "arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067"
+ },
+ "backend_processing_time": {
+ "sec": 0.001
+ },
+ "action_executed": [
+ "forward",
+ "redirect"
+ ]
+ }
+ },
+ "user_agent": {
+ "name": "curl",
+ "original": "curl/7.46.0",
+ "device": {
+ "name": "Other"
+ },
+ "version": "7.46.0"
+ }
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/elb_metrics/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/elb_metrics/agent/stream/stream.yml.hbs
index 57c5acdd4c..1fbf0974f1 100644
--- a/test/packages/aws/data_stream/elb_metrics/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/elb_metrics/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/elb_metrics/fields/base-fields.yml b/test/packages/aws/data_stream/elb_metrics/fields/base-fields.yml
index 7c798f4534..63e855deea 100644
--- a/test/packages/aws/data_stream/elb_metrics/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/elb_metrics/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.elb_metrics
diff --git a/test/packages/aws/data_stream/elb_metrics/fields/ecs.yml b/test/packages/aws/data_stream/elb_metrics/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/elb_metrics/fields/ecs.yml
+++ b/test/packages/aws/data_stream/elb_metrics/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/elb_metrics/manifest.yml b/test/packages/aws/data_stream/elb_metrics/manifest.yml
index 1e6ed4e207..91ea317594 100644
--- a/test/packages/aws/data_stream/elb_metrics/manifest.yml
+++ b/test/packages/aws/data_stream/elb_metrics/manifest.yml
@@ -1,5 +1,4 @@
title: AWS ELB metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/elb_metrics/sample_event.json b/test/packages/aws/data_stream/elb_metrics/sample_event.json
index d187909719..a2def82582 100644
--- a/test/packages/aws/data_stream/elb_metrics/sample_event.json
+++ b/test/packages/aws/data_stream/elb_metrics/sample_event.json
@@ -53,7 +53,7 @@
"period": 60000
},
"event": {
- "dataset": "aws.elb",
+ "dataset": "aws.elb_metrics",
"module": "aws",
"duration": 15044430616
},
diff --git a/test/packages/aws/data_stream/lambda/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/lambda/agent/stream/stream.yml.hbs
index cf17d23388..0819b829a7 100644
--- a/test/packages/aws/data_stream/lambda/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/lambda/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/lambda/fields/base-fields.yml b/test/packages/aws/data_stream/lambda/fields/base-fields.yml
index 7c798f4534..07320d3db7 100644
--- a/test/packages/aws/data_stream/lambda/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/lambda/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.lambda
diff --git a/test/packages/aws/data_stream/lambda/fields/ecs.yml b/test/packages/aws/data_stream/lambda/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/lambda/fields/ecs.yml
+++ b/test/packages/aws/data_stream/lambda/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/lambda/manifest.yml b/test/packages/aws/data_stream/lambda/manifest.yml
index 5e0684218b..61505e42ed 100644
--- a/test/packages/aws/data_stream/lambda/manifest.yml
+++ b/test/packages/aws/data_stream/lambda/manifest.yml
@@ -1,5 +1,4 @@
title: AWS Lambda metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/lambda/sample_event.json b/test/packages/aws/data_stream/lambda/sample_event.json
index b1542233bd..11d616213b 100644
--- a/test/packages/aws/data_stream/lambda/sample_event.json
+++ b/test/packages/aws/data_stream/lambda/sample_event.json
@@ -8,7 +8,7 @@
"version": "8.0.0"
},
"event": {
- "dataset": "aws.dynamodb",
+ "dataset": "aws.lambda",
"module": "aws",
"duration": 10266182336
},
diff --git a/test/packages/aws/data_stream/natgateway/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/natgateway/agent/stream/stream.yml.hbs
index 94bed66ae8..23a1ed0cab 100644
--- a/test/packages/aws/data_stream/natgateway/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/natgateway/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/natgateway/fields/base-fields.yml b/test/packages/aws/data_stream/natgateway/fields/base-fields.yml
index 7c798f4534..436e8fb587 100644
--- a/test/packages/aws/data_stream/natgateway/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/natgateway/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.natgateway
diff --git a/test/packages/aws/data_stream/natgateway/fields/ecs.yml b/test/packages/aws/data_stream/natgateway/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/natgateway/fields/ecs.yml
+++ b/test/packages/aws/data_stream/natgateway/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
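Review bot: The replacement list references `error` and `error.message`, which the removed inline definitions never declared, so this data stream's ECS surface grows in a change presented as a switch to external references; confirm that is intended and, if so, say so in the commit description. `external: ecs` entries are resolved against an ECS reference pinned in the package's build configuration, which is outside this hunk — presumably the aws package declares one; verify, otherwise the build cannot expand these names. The rds, s3_daily_storage and s3_request ecs.yml hunks make the identical change, and the new s3_storage_lens ecs.yml carries the same list.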
diff --git a/test/packages/aws/data_stream/natgateway/manifest.yml b/test/packages/aws/data_stream/natgateway/manifest.yml
index fc6cf801c3..53dbac0141 100644
--- a/test/packages/aws/data_stream/natgateway/manifest.yml
+++ b/test/packages/aws/data_stream/natgateway/manifest.yml
@@ -1,5 +1,4 @@
title: AWS NAT gateway metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/rds/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/rds/agent/stream/stream.yml.hbs
index bf6deefcf8..0bafbe98c0 100644
--- a/test/packages/aws/data_stream/rds/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/rds/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/rds/fields/base-fields.yml b/test/packages/aws/data_stream/rds/fields/base-fields.yml
index 7c798f4534..8166b56ec2 100644
--- a/test/packages/aws/data_stream/rds/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/rds/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.rds
diff --git a/test/packages/aws/data_stream/rds/fields/ecs.yml b/test/packages/aws/data_stream/rds/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/rds/fields/ecs.yml
+++ b/test/packages/aws/data_stream/rds/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/rds/fields/fields.yml b/test/packages/aws/data_stream/rds/fields/fields.yml
index 5f0deb4866..ba79cf1083 100644
--- a/test/packages/aws/data_stream/rds/fields/fields.yml
+++ b/test/packages/aws/data_stream/rds/fields/fields.yml
@@ -343,3 +343,9 @@
type: long
description: |
The remaining available space for the cluster volume, measured in bytes.
+ - name: cloudwatch
+ type: group
+ fields:
+ - name: namespace
+ type: keyword
+ description: The namespace specified when query cloudwatch api.
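Review bot: The new description `The namespace specified when query cloudwatch api.` reads awkwardly; `description: The namespace specified when querying the CloudWatch API.` says the same thing. The identical sentence is used for `aws.cloudwatch.namespace` in the new s3_storage_lens fields.yml. The enclosing group starts outside the hunk, so where this `cloudwatch` group sits relative to the other rds groups cannot be confirmed from here.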
diff --git a/test/packages/aws/data_stream/rds/manifest.yml b/test/packages/aws/data_stream/rds/manifest.yml
index c920727e99..5632176c1c 100644
--- a/test/packages/aws/data_stream/rds/manifest.yml
+++ b/test/packages/aws/data_stream/rds/manifest.yml
@@ -1,5 +1,4 @@
title: AWS RDS metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/s3_daily_storage/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/s3_daily_storage/agent/stream/stream.yml.hbs
index cac1cae04a..eaee06ea7a 100644
--- a/test/packages/aws/data_stream/s3_daily_storage/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/s3_daily_storage/agent/stream/stream.yml.hbs
@@ -26,4 +26,7 @@ regions:
{{/if}}
{{#if latency}}
latency: {{latency}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/s3_daily_storage/fields/base-fields.yml b/test/packages/aws/data_stream/s3_daily_storage/fields/base-fields.yml
index 7c798f4534..57ae310ca3 100644
--- a/test/packages/aws/data_stream/s3_daily_storage/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/s3_daily_storage/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.s3_daily_storage
diff --git a/test/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml b/test/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
+++ b/test/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/s3_daily_storage/manifest.yml b/test/packages/aws/data_stream/s3_daily_storage/manifest.yml
index 89473f0ebb..f69e1889da 100644
--- a/test/packages/aws/data_stream/s3_daily_storage/manifest.yml
+++ b/test/packages/aws/data_stream/s3_daily_storage/manifest.yml
@@ -1,5 +1,4 @@
title: AWS S3 daily storage metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/s3_request/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/s3_request/agent/stream/stream.yml.hbs
index 6f53aab34d..80739aebc5 100644
--- a/test/packages/aws/data_stream/s3_request/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/s3_request/agent/stream/stream.yml.hbs
@@ -26,4 +26,7 @@ regions:
{{/if}}
{{#if latency}}
latency: {{latency}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/s3_request/fields/base-fields.yml b/test/packages/aws/data_stream/s3_request/fields/base-fields.yml
index 7c798f4534..e0956c2aab 100644
--- a/test/packages/aws/data_stream/s3_request/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/s3_request/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.s3_request
diff --git a/test/packages/aws/data_stream/s3_request/fields/ecs.yml b/test/packages/aws/data_stream/s3_request/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/s3_request/fields/ecs.yml
+++ b/test/packages/aws/data_stream/s3_request/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/s3_request/manifest.yml b/test/packages/aws/data_stream/s3_request/manifest.yml
index 472461c764..d02b858648 100644
--- a/test/packages/aws/data_stream/s3_request/manifest.yml
+++ b/test/packages/aws/data_stream/s3_request/manifest.yml
@@ -1,5 +1,4 @@
title: AWS S3 request metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/s3_storage_lens/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/s3_storage_lens/agent/stream/stream.yml.hbs
new file mode 100644
index 0000000000..87fbbb280f
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/agent/stream/stream.yml.hbs
@@ -0,0 +1,101 @@
+metricsets: ["cloudwatch"]
+period: {{period}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if regions}}
+regions:
+{{#each regions as |region i|}}
+- {{region}}
+{{/each}}
+{{/if}}
+{{#if latency}}
+latency: {{latency}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+metrics:
+- namespace: "AWS/S3/Storage-Lens"
+ statistic: ["Average"]
+processors:
+ - rename:
+ ignore_missing: true
+ fields:
+ - from: "aws.storage-lens.metrics.4xxErrors.avg"
+ to: "aws.s3_storage_lens.metrics.4xxErrors.avg"
+ - from: "aws.storage-lens.metrics.5xxErrors.avg"
+ to: "aws.s3_storage_lens.metrics.5xxErrors.avg"
+ - from: "aws.storage-lens.metrics.AllRequests.avg"
+ to: "aws.s3_storage_lens.metrics.AllRequests.avg"
+ - from: "aws.storage-lens.metrics.BytesDownloaded.avg"
+ to: "aws.s3_storage_lens.metrics.BytesDownloaded.avg"
+ - from: "aws.storage-lens.metrics.BytesUploaded.avg"
+ to: "aws.s3_storage_lens.metrics.BytesUploaded.avg"
+ - from: "aws.storage-lens.metrics.CurrentVersionObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.CurrentVersionObjectCount.avg"
+ - from: "aws.storage-lens.metrics.CurrentVersionStorageBytes.avg"
+ to: "aws.s3_storage_lens.metrics.CurrentVersionStorageBytes.avg"
+ - from: "aws.storage-lens.metrics.DeleteMarkerObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.DeleteMarkerObjectCount.avg"
+ - from: "aws.storage-lens.metrics.DeleteRequests.avg"
+ to: "aws.s3_storage_lens.metrics.DeleteRequests.avg"
+ - from: "aws.storage-lens.metrics.EncryptedObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.EncryptedObjectCount.avg"
+ - from: "aws.storage-lens.metrics.EncryptedStorageBytes.avg"
+ to: "aws.s3_storage_lens.metrics.EncryptedStorageBytes.avg"
+ - from: "aws.storage-lens.metrics.GetRequests.avg"
+ to: "aws.s3_storage_lens.metrics.GetRequests.avg"
+ - from: "aws.storage-lens.metrics.HeadRequests.avg"
+ to: "aws.s3_storage_lens.metrics.HeadRequests.avg"
+ - from: "aws.storage-lens.metrics.IncompleteMultipartUploadObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.IncompleteMultipartUploadObjectCount.avg"
+ - from: "aws.storage-lens.metrics.IncompleteMultipartUploadStorageBytes.avg"
+ to: "aws.s3_storage_lens.metrics.IncompleteMultipartUploadStorageBytes.avg"
+ - from: "aws.storage-lens.metrics.ListRequests.avg"
+ to: "aws.s3_storage_lens.metrics.ListRequests.avg"
+ - from: "aws.storage-lens.metrics.NonCurrentVersionObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.NonCurrentVersionObjectCount.avg"
+ - from: "aws.storage-lens.metrics.NonCurrentVersionStorageBytes.avg"
+ to: "aws.s3_storage_lens.metrics.NonCurrentVersionStorageBytes.avg"
+ - from: "aws.storage-lens.metrics.ObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.ObjectCount.avg"
+ - from: "aws.storage-lens.metrics.ObjectLockEnabledObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.ObjectLockEnabledObjectCount.avg"
+ - from: "aws.storage-lens.metrics.ObjectLockEnabledStorageBytes.avg"
+ to: "aws.s3_storage_lens.metrics.ObjectLockEnabledStorageBytes.avg"
+ - from: "aws.storage-lens.metrics.PostRequests.avg"
+ to: "aws.s3_storage_lens.metrics.PostRequests.avg"
+ - from: "aws.storage-lens.metrics.PutRequests.avg"
+ to: "aws.s3_storage_lens.metrics.PutRequests.avg"
+ - from: "aws.storage-lens.metrics.ReplicatedObjectCount.avg"
+ to: "aws.s3_storage_lens.metrics.ReplicatedObjectCount.avg"
+ - from: "aws.storage-lens.metrics.ReplicatedStorageBytes.avg"
+ to: "aws.s3_storage_lens.metrics.ReplicatedStorageBytes.avg"
+ - from: "aws.storage-lens.metrics.SelectRequests.avg"
+ to: "aws.s3_storage_lens.metrics.SelectRequests.avg"
+ - from: "aws.storage-lens.metrics.SelectReturnedBytes.avg"
+ to: "aws.s3_storage_lens.metrics.SelectReturnedBytes.avg"
+ - from: "aws.storage-lens.metrics.SelectScannedBytes.avg"
+ to: "aws.s3_storage_lens.metrics.SelectScannedBytes.avg"
+ - from: "aws.storage-lens.metrics.StorageBytes.avg"
+ to: "aws.s3_storage_lens.metrics.StorageBytes.avg"
+ - drop_fields:
+ ignore_missing: true
+ fields:
+ - "aws.storage-lens"
\ No newline at end of file
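Review bot: `{{#each regions as |region i|}}` declares an index parameter `i` that the loop body never uses; `{{#each regions as |region|}}` is sufficient. The `rename` processor runs before `drop_fields`, so any `aws.storage-lens.*` metric that is not in the rename list is silently discarded — a comment above the `drop_fields` step such as `# metrics not renamed above are intentionally dropped` would help whoever adds the next metric. The file is created without a trailing newline, which will show up as noise in every later diff of it.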
diff --git a/test/packages/aws/data_stream/s3_storage_lens/fields/agent.yml b/test/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
new file mode 100644
index 0000000000..da4e652c53
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
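Review bot: `example: 666777888999` under `cloud.account.id` is an unquoted all-digit value, so a YAML parser reads it as an integer although the field is a `keyword`; `example: "666777888999"` keeps it a string, matching the quoted `example: "18D109"` further down. The `cloud` group and its `account.id`, `availability_zone`, `instance.id`, `machine.type`, `provider` and `region` fields are also referenced via `external: ecs` in this data stream's ecs.yml, so the same names are defined twice for one data stream — presumably the tooling tolerates that, but it is worth confirming which definition wins. `project.id` and `image.id` omit the `level` and `ignore_above` keys that every sibling carries.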
diff --git a/test/packages/aws/data_stream/s3_storage_lens/fields/base-fields.yml b/test/packages/aws/data_stream/s3_storage_lens/fields/base-fields.yml
new file mode 100644
index 0000000000..ed9d40b9d6
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.s3_storage_lens
diff --git a/test/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml b/test/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
new file mode 100644
index 0000000000..83e3f6f122
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
@@ -0,0 +1,24 @@
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/s3_storage_lens/fields/fields.yml b/test/packages/aws/data_stream/s3_storage_lens/fields/fields.yml
new file mode 100644
index 0000000000..d1230dcc54
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/fields/fields.yml
@@ -0,0 +1,100 @@
+- name: aws
+ type: group
+ release: experimental
+ fields:
+ - name: s3_storage_lens
+ type: group
+ fields:
+ - name: metrics
+ type: group
+ fields:
+ - name: 4xxErrors.avg
+ type: long
+ description: The total 4xx errors in scope.
+ - name: 5xxErrors.avg
+ type: long
+ description: The total 5xx errors in scope.
+ - name: AllRequests.avg
+ type: long
+ description: The total number of requests made.
+ - name: BytesDownloaded.avg
+ type: long
+ description: The number of bytes in scope that were downloaded.
+ - name: BytesUploaded.avg
+ type: long
+ description: The number of bytes uploaded.
+ - name: CurrentVersionObjectCount.avg
+ type: long
+ description: The number of objects that are a current version.
+ - name: CurrentVersionStorageBytes.avg
+ type: long
+ description: The number of bytes that are a current version.
+ - name: DeleteMarkerObjectCount.avg
+ type: long
+ description: The total number of objects with a delete marker.
+ - name: DeleteRequests.avg
+ type: long
+ description: The total number of delete requests made.
+ - name: EncryptedObjectCount.avg
+ type: long
+ description: The total object counts that are encrypted using Amazon S3 server-side encryption.
+ - name: EncryptedStorageBytes.avg
+ type: long
+ description: The total number of encrypted bytes using Amazon S3 server-side encryption.
+ - name: GetRequests.avg
+ type: long
+ description: The total number of GET requests made.
+ - name: HeadRequests.avg
+ type: long
+ description: The total number of head requests made.
+ - name: IncompleteMultipartUploadObjectCount.avg
+ type: long
+ description: The number of objects in scope that are incomplete multipart uploads.
+ - name: IncompleteMultipartUploadStorageBytes.avg
+ type: long
+ description: The total bytes in scope with incomplete multipart uploads.
+ - name: ListRequests.avg
+ type: long
+ description: The total number of list requests made.
+ - name: NonCurrentVersionObjectCount.avg
+ type: long
+ description: The count of the noncurrent version objects.
+ - name: NonCurrentVersionStorageBytes.avg
+ type: long
+ description: The number of noncurrent versioned bytes.
+ - name: ObjectCount.avg
+ type: long
+ description: The total object count.
+ - name: ObjectLockEnabledObjectCount.avg
+ type: long
+ description: The total number of objects in scope that have Object Lock enabled.
+ - name: ObjectLockEnabledStorageBytes.avg
+ type: long
+ description: The total number of bytes in scope that have Object Lock enabled.
+ - name: PostRequests.avg
+ type: long
+ description: The total number of post requests made.
+ - name: PutRequests.avg
+ type: long
+ description: The total number of PUT requests made.
+ - name: ReplicatedObjectCount.avg
+ type: long
+ description: The count of replicated objects.
+ - name: ReplicatedStorageBytes.avg
+ type: long
+ description: The total number of bytes in scope that are replicated.
+ - name: SelectRequests.avg
+ type: long
+ description: The total number of select requests.
+ - name: SelectReturnedBytes.avg
+ type: long
+ description: The number of select bytes returned.
+ - name: SelectScannedBytes.avg
+ type: long
+ description: The number of select bytes scanned.
+ - name: StorageBytes.avg
+ type: long
+ description: The total storage in bytes
+- name: aws.cloudwatch.namespace
+ type: keyword
+ description: The namespace specified when query cloudwatch api.
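Review bot: Every `*.avg` field is mapped as `type: long`, but the stream template requests `statistic: ["Average"]`, and a CloudWatch average is not guaranteed to be a whole number; with a `long` mapping any fractional part would be lost at index time. Unless these metrics are always single daily datapoints, `type: double` is the safer mapping — confirm against real data. `description: The total storage in bytes` also lacks the terminal period the other descriptions have.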
diff --git a/test/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml b/test/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml
new file mode 100644
index 0000000000..a8a7ee8dcc
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml
@@ -0,0 +1,19 @@
+- name: aws
+ type: group
+ fields:
+ - name: tags.*
+ type: object
+ description: |
+ Tag key value pairs from aws resources.
+ - name: s3.bucket.name
+ type: keyword
+ description: |
+ Name of a S3 bucket.
+ - name: dimensions.*
+ type: object
+ description: |
+ Metric dimensions.
+ - name: '*.metrics.*.*'
+ type: object
+ description: |
+ Metrics that returned from Cloudwatch API query.
diff --git a/test/packages/aws/data_stream/s3_storage_lens/manifest.yml b/test/packages/aws/data_stream/s3_storage_lens/manifest.yml
new file mode 100644
index 0000000000..b325ed0cb8
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/manifest.yml
@@ -0,0 +1,26 @@
+title: AWS S3 Storage Lens metrics
+type: metrics
+streams:
+ - input: aws/metrics
+ vars:
+ - name: period
+ type: text
+ title: Period
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: regions
+ type: text
+ title: Regions
+ multi: true
+ required: false
+ show_user: true
+ - name: latency
+ type: text
+ title: Latency
+ multi: false
+ required: false
+ show_user: false
+ title: AWS S3 Storage Lens metrics
+ description: Collect AWS S3 Storage Lens metrics
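Review bot: None of the three stream vars (`period`, `regions`, `latency`) carries a `description`, so the `24h` default and the hidden `latency` input (`show_user: false`) are unexplained to whoever edits the policy. A one-line `description:` under each `name:` would fix this; for `period` something like `description: Collection period for Storage Lens metrics; the 24h default matches the daily metric delivery seen in the sample event` — the "daily" part is inferred from the sample event's `period: 86400000` and should be confirmed against the AWS docs before wording it as fact. `latency` in particular deserves a sentence on what it offsets and why it is hidden by default.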
diff --git a/test/packages/aws/data_stream/s3_storage_lens/sample_event.json b/test/packages/aws/data_stream/s3_storage_lens/sample_event.json
new file mode 100644
index 0000000000..dbc4ccc9cf
--- /dev/null
+++ b/test/packages/aws/data_stream/s3_storage_lens/sample_event.json
@@ -0,0 +1,138 @@
+{
+ "@timestamp": "2021-11-07T20:38:00.000Z",
+ "ecs": {
+ "version": "1.11.0"
+ },
+ "data_stream": {
+ "namespace": "default",
+ "type": "metrics",
+ "dataset": "aws.s3_storage_lens"
+ },
+ "service": {
+ "type": "aws"
+ },
+ "cloud": {
+ "provider": "aws",
+ "region": "us-east-1",
+ "account": {
+ "name": "elastic-beats",
+ "id": "428152502467"
+ }
+ },
+ "metricset": {
+ "period": 86400000,
+ "name": "cloudwatch"
+ },
+ "event": {
+ "duration": 22973251900,
+ "agent_id_status": "verified",
+ "ingested": "2021-11-08T20:38:37Z",
+ "module": "aws",
+ "dataset": "aws.s3_storage_lens"
+ },
+ "aws": {
+ "s3_storage_lens": {
+ "metrics": {
+ "NonCurrentVersionStorageBytes": {
+ "avg": 0
+ },
+ "DeleteMarkerObjectCount": {
+ "avg": 0
+ },
+ "GetRequests": {
+ "avg": 0
+ },
+ "SelectReturnedBytes": {
+ "avg": 0
+ },
+ "ObjectCount": {
+ "avg": 164195
+ },
+ "HeadRequests": {
+ "avg": 0
+ },
+ "ListRequests": {
+ "avg": 0
+ },
+ "DeleteRequests": {
+ "avg": 0
+ },
+ "SelectRequests": {
+ "avg": 0
+ },
+ "5xxErrors": {
+ "avg": 0
+ },
+ "BytesDownloaded": {
+ "avg": 0
+ },
+ "BytesUploaded": {
+ "avg": 82537
+ },
+ "CurrentVersionStorageBytes": {
+ "avg": 154238334
+ },
+ "StorageBytes": {
+ "avg": 154238334
+ },
+ "ObjectLockEnabledStorageBytes": {
+ "avg": 0
+ },
+ "4xxErrors": {
+ "avg": 0
+ },
+ "PutRequests": {
+ "avg": 145
+ },
+ "ObjectLockEnabledObjectCount": {
+ "avg": 0
+ },
+ "EncryptedObjectCount": {
+ "avg": 164191
+ },
+ "CurrentVersionObjectCount": {
+ "avg": 164195
+ },
+ "IncompleteMultipartUploadObjectCount": {
+ "avg": 0
+ },
+ "ReplicatedObjectCount": {
+ "avg": 0
+ },
+ "AllRequests": {
+ "avg": 145
+ },
+ "PostRequests": {
+ "avg": 0
+ },
+ "IncompleteMultipartUploadStorageBytes": {
+ "avg": 0
+ },
+ "NonCurrentVersionObjectCount": {
+ "avg": 0
+ },
+ "ReplicatedStorageBytes": {
+ "avg": 0
+ },
+ "EncryptedStorageBytes": {
+ "avg": 154237917
+ },
+ "SelectScannedBytes": {
+ "avg": 0
+ }
+ }
+ },
+ "cloudwatch": {
+ "namespace": "AWS/S3/Storage-Lens"
+ },
+ "dimensions": {
+ "metrics_version": "1.0",
+ "storage_class": "STANDARD",
+ "aws_region": "eu-central-1",
+ "bucket_name": "filebeat-aws-elb-test",
+ "aws_account_number": "428152502467",
+ "configuration_id": "default-account-dashboard",
+ "record_type": "BUCKET"
+ }
+ }
+}
\ No newline at end of file
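Review bot: The sample event carries what looks like a real 12-digit account id in `cloud.account.id` and again in `dimensions.aws_account_number`, together with a real-looking account name and bucket name; sample events are rendered into package documentation, so they should use obviously synthetic values. The s3access fixture added in the same commit already uses `000000000000` for the account number, and the same placeholder could be used here for both occurrences, with the account name and bucket name replaced by neutral placeholders as well. The file also lacks a trailing newline, which the diff flags.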
diff --git a/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-common-config.yml b/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..5622947e4b
--- /dev/null
+++ b/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log b/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log
index f96091a767..bcc9f6af0d 100644
--- a/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log
+++ b/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log
@@ -1,6 +1,7 @@
-36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 17 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
-36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 3 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
-36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - "GET /test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251 HTTP/1.1" 200 - 265 - 2 1 "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
-36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 4 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
-36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2
-36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 174.29.206.152 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3-ap-southeast-1.amazonaws.com TLSv1.2
+36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 17 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
+36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 3 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
+36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - "GET /test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251 HTTP/1.1" 200 - 265 - 2 1 "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
+36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - "GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1" 200 - 142 - 4 - "-" "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
+36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2
+36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2
+67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz "PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1" 200 - - 773 103 13 "-" "-" - 02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 -
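Review bot: The last legacy-style line was normalised from `s3-ap-southeast-1.amazonaws.com` to `s3.ap-southeast-1.amazonaws.com`, so the fixture no longer contains a dash-form regional host header and the pipeline's handling of that form is untested after this change; keeping the original host header on that line (the IP swap alone) would preserve the coverage. The new `REST.PUT.OBJECT` line is also sanitised inconsistently: the key column reads `fl-_20210713T1855Z_f12aa632.log.gz` while the quoted request URI still carries `fl-0e7c13bf00cf15bfe`, so either both should keep the id or both should drop it, otherwise the `url.path` in the expected output will not match the `key` field and the scrubbing intent is unclear. The trailing `-` (access point ARN column) on the new line is good to have since it exercises the longer log format.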
diff --git a/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-config.yml b/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-config.yml
deleted file mode 100644
index c39dc38617..0000000000
--- a/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json b/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
index 214d8e0d35..abd3a9e475 100644
--- a/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
+++ b/test/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
@@ -6,28 +6,33 @@
"original": "/test-s3-ks/?location\u0026aws-account=627959692251",
"query": "location\u0026aws-account=627959692251"
},
+ "tags": [
+ "preserve_original_event"
+ ],
"geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
"location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 17.8167,
+ "lat": 59.2
}
},
"cloud": {
"provider": "aws"
},
- "@timestamp": "2019-08-01T00:24:41.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
],
"ip": [
- "72.21.217.31"
+ "89.160.20.156"
]
},
"http": {
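Review bot: `@timestamp` disappears from the expected document in this hunk (and in the parallel hunks for the other five events), replaced by the `ecs.version` block, so the expected output no longer pins the value parsed from the access log's `[01/Aug/2019:00:24:41 +0000]` field; unless `@timestamp` has moved to a part of the document outside these hunks, the date-parsing step of the pipeline is now unverified by this test. If the intent was to treat it as non-deterministic, the common config added in this commit could list it under `dynamic_fields` with a pattern instead of dropping it; otherwise the original `"@timestamp": "2019-08-01T00:24:41.000Z"` lines should be kept.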
@@ -46,8 +51,8 @@
"user": {
"id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9"
},
- "address": "72.21.217.31",
- "ip": "72.21.217.31"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"tls": {
"cipher": "ECDHE-RSA-AES128-SHA",
@@ -56,8 +61,8 @@
},
"event": {
"duration": 17000000,
- "ingested": "2021-04-23T12:15:55.855305051Z",
- "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
+ "ingested": "2021-12-09T16:11:59.134194800Z",
+ "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
"kind": "event",
"action": "REST.GET.LOCATION",
"id": "44EE8651683CB4DA",
@@ -78,7 +83,7 @@
"host_id": "BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI=",
"host_header": "s3.ap-southeast-1.amazonaws.com",
"bucket": "test-s3-ks",
- "remote_ip": "72.21.217.31",
+ "remote_ip": "89.160.20.156",
"cipher_suite": "ECDHE-RSA-AES128-SHA",
"http_status": 200,
"total_time": 17,
@@ -108,28 +113,33 @@
"original": "/test-s3-ks/?location\u0026aws-account=627959692251",
"query": "location\u0026aws-account=627959692251"
},
+ "tags": [
+ "preserve_original_event"
+ ],
"geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
"location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 17.8167,
+ "lat": 59.2
}
},
"cloud": {
"provider": "aws"
},
- "@timestamp": "2019-08-01T00:24:42.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
],
"ip": [
- "72.21.217.31"
+ "89.160.20.156"
]
},
"http": {
@@ -148,8 +158,8 @@
"user": {
"id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9"
},
- "address": "72.21.217.31",
- "ip": "72.21.217.31"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"tls": {
"cipher": "ECDHE-RSA-AES128-SHA",
@@ -158,8 +168,8 @@
},
"event": {
"duration": 3000000,
- "ingested": "2021-04-23T12:15:55.855312724Z",
- "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 3 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
+ "ingested": "2021-12-09T16:11:59.134198700Z",
+ "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 3 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
"kind": "event",
"action": "REST.GET.LOCATION",
"id": "E26222010BCC32B6",
@@ -180,7 +190,7 @@
"host_id": "gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE=",
"host_header": "s3.ap-southeast-1.amazonaws.com",
"bucket": "test-s3-ks",
- "remote_ip": "72.21.217.31",
+ "remote_ip": "89.160.20.156",
"cipher_suite": "ECDHE-RSA-AES128-SHA",
"http_status": 200,
"total_time": 3,
@@ -210,28 +220,33 @@
"original": "/test-s3-ks/?max-keys=0\u0026encoding-type=url\u0026aws-account=627959692251",
"query": "max-keys=0\u0026encoding-type=url\u0026aws-account=627959692251"
},
+ "tags": [
+ "preserve_original_event"
+ ],
"geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
"location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 17.8167,
+ "lat": 59.2
}
},
"cloud": {
"provider": "aws"
},
- "@timestamp": "2019-08-01T00:24:43.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
],
"ip": [
- "72.21.217.31"
+ "89.160.20.156"
]
},
"http": {
@@ -250,8 +265,8 @@
"user": {
"id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9"
},
- "address": "72.21.217.31",
- "ip": "72.21.217.31"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"tls": {
"cipher": "ECDHE-RSA-AES128-SHA",
@@ -260,8 +275,8 @@
},
"event": {
"duration": 2000000,
- "ingested": "2021-04-23T12:15:55.855315024Z",
- "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - \"GET /test-s3-ks/?max-keys=0\u0026encoding-type=url\u0026aws-account=627959692251 HTTP/1.1\" 200 - 265 - 2 1 \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
+ "ingested": "2021-12-09T16:11:59.134204100Z",
+ "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - \"GET /test-s3-ks/?max-keys=0\u0026encoding-type=url\u0026aws-account=627959692251 HTTP/1.1\" 200 - 265 - 2 1 \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
"kind": "event",
"action": "REST.GET.BUCKET",
"id": "4DD6D17D1C5C401C",
@@ -283,7 +298,7 @@
"host_id": "KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE=",
"host_header": "s3.ap-southeast-1.amazonaws.com",
"bucket": "test-s3-ks",
- "remote_ip": "72.21.217.31",
+ "remote_ip": "89.160.20.156",
"cipher_suite": "ECDHE-RSA-AES128-SHA",
"http_status": 200,
"total_time": 2,
@@ -313,28 +328,33 @@
"original": "/test-s3-ks/?location\u0026aws-account=627959692251",
"query": "location\u0026aws-account=627959692251"
},
+ "tags": [
+ "preserve_original_event"
+ ],
"geo": {
- "continent_name": "North America",
- "region_iso_code": "US-VA",
- "city_name": "Ashburn",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Virginia",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
"location": {
- "lon": -77.4728,
- "lat": 39.0481
+ "lon": 17.8167,
+ "lat": 59.2
}
},
"cloud": {
"provider": "aws"
},
- "@timestamp": "2019-08-01T00:24:43.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
],
"ip": [
- "72.21.217.31"
+ "89.160.20.156"
]
},
"http": {
@@ -353,8 +373,8 @@
"user": {
"id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9"
},
- "address": "72.21.217.31",
- "ip": "72.21.217.31"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"tls": {
"cipher": "ECDHE-RSA-AES128-SHA",
@@ -363,8 +383,8 @@
},
"event": {
"duration": 4000000,
- "ingested": "2021-04-23T12:15:55.855317083Z",
- "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 4 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
+ "ingested": "2021-12-09T16:11:59.134208400Z",
+ "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 89.160.20.156 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 4 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
"kind": "event",
"action": "REST.GET.LOCATION",
"id": "706992E2F3CC3C3D",
@@ -385,7 +405,7 @@
"host_id": "cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg=",
"host_header": "s3.ap-southeast-1.amazonaws.com",
"bucket": "test-s3-ks",
- "remote_ip": "72.21.217.31",
+ "remote_ip": "89.160.20.156",
"cipher_suite": "ECDHE-RSA-AES128-SHA",
"http_status": 200,
"total_time": 4,
@@ -410,36 +430,41 @@
}
},
{
+ "tags": [
+ "preserve_original_event"
+ ],
"geo": {
"continent_name": "Europe",
- "region_iso_code": "ES-TE",
- "city_name": "Teruel",
- "country_iso_code": "ES",
- "country_name": "Spain",
- "region_name": "Teruel",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
"location": {
- "lon": -1.1065,
- "lat": 40.3456
+ "lon": 17.8167,
+ "lat": 59.2
}
},
"cloud": {
"provider": "aws"
},
- "@timestamp": "2019-09-10T15:11:07.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
],
"ip": [
- "77.227.156.41"
+ "89.160.20.156"
]
},
"client": {
"user": {
"id": "arn:aws:iam::123456:user/test@elastic.co"
},
- "address": "77.227.156.41",
- "ip": "77.227.156.41"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"http": {
"response": {
@@ -452,8 +477,8 @@
"version_protocol": "tls"
},
"event": {
- "ingested": "2021-04-23T12:15:55.855319015Z",
- "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2",
+ "ingested": "2021-12-09T16:11:59.134212900Z",
+ "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2",
"kind": "event",
"action": "BATCH.DELETE.OBJECT",
"id": "8CD7A4A71E2E5C9E",
@@ -472,7 +497,7 @@
"host_id": "IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk=",
"host_header": "s3.eu-central-1.amazonaws.com",
"bucket": "jsoriano-s3-test",
- "remote_ip": "77.227.156.41",
+ "remote_ip": "89.160.20.156",
"cipher_suite": "ECDHE-RSA-AES128-SHA",
"http_status": 204,
"bucket_owner": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2",
@@ -484,36 +509,41 @@
}
},
{
+ "tags": [
+ "preserve_original_event"
+ ],
"geo": {
- "continent_name": "North America",
- "region_iso_code": "US-CO",
- "city_name": "Denver",
- "country_iso_code": "US",
- "country_name": "United States",
- "region_name": "Colorado",
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
"location": {
- "lon": -105.0023,
- "lat": 39.7044
+ "lon": 17.8167,
+ "lat": 59.2
}
},
"cloud": {
"provider": "aws"
},
- "@timestamp": "2019-09-19T17:06:39.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
"related": {
"user": [
"36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
],
"ip": [
- "174.29.206.152"
+ "89.160.20.156"
]
},
"client": {
"user": {
"id": "arn:aws:iam::123456:user/test@elastic.co"
},
- "address": "174.29.206.152",
- "ip": "174.29.206.152"
+ "address": "89.160.20.156",
+ "ip": "89.160.20.156"
},
"http": {
"response": {
@@ -526,8 +556,8 @@
"version_protocol": "tls"
},
"event": {
- "ingested": "2021-04-23T12:15:55.855320925Z",
- "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 174.29.206.152 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3-ap-southeast-1.amazonaws.com TLSv1.2",
+ "ingested": "2021-12-09T16:11:59.134217300Z",
+ "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 89.160.20.156 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
"kind": "event",
"action": "BATCH.DELETE.OBJECT",
"id": "6CE38F1312D32BDD",
@@ -544,9 +574,9 @@
"signature_version": "SigV4",
"authentication_type": "AuthHeader",
"host_id": "LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0=",
- "host_header": "s3-ap-southeast-1.amazonaws.com",
+ "host_header": "s3.ap-southeast-1.amazonaws.com",
"bucket": "test-s3-ks",
- "remote_ip": "174.29.206.152",
+ "remote_ip": "89.160.20.156",
"cipher_suite": "ECDHE-RSA-AES128-SHA",
"http_status": 204,
"bucket_owner": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2",
@@ -556,6 +586,80 @@
"object_size": 57138
}
}
+ },
+ {
+ "url": {
+ "path": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz",
+ "extension": "gz",
+ "original": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "cloud": {
+ "provider": "aws"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "user": [
+ "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b"
+ ]
+ },
+ "http": {
+ "request": {
+ "method": "PUT"
+ },
+ "version": "1.1",
+ "response": {
+ "status_code": 200
+ }
+ },
+ "client": {
+ "user": {
+ "id": "svc:delivery.logs.amazonaws.com"
+ }
+ },
+ "tls": {
+ "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+ "version": "1.2",
+ "version_protocol": "tls"
+ },
+ "event": {
+ "duration": 103000000,
+ "ingested": "2021-12-09T16:11:59.134221Z",
+ "original": "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz \"PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1\" 200 - - 773 103 13 \"-\" \"-\" - 02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 -",
+ "kind": "event",
+ "action": "REST.PUT.OBJECT",
+ "id": "MVGXZXEVN3IG9S24",
+ "category": "web",
+ "type": [
+ "access"
+ ],
+ "outcome": "success"
+ },
+ "aws": {
+ "s3access": {
+ "requester": "svc:delivery.logs.amazonaws.com",
+ "tls_version": "TLSv1.2",
+ "signature_version": "SigV4",
+ "turn_around_time": 13,
+ "authentication_type": "AuthHeader",
+ "request_uri": "PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1",
+ "host_id": "02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4=",
+ "host_header": "flow-log-test.s3.us-gov-west-1.amazonaws.com",
+ "bucket": "flow-log-test",
+ "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256",
+ "http_status": 200,
+ "total_time": 103,
+ "bucket_owner": "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b",
+ "operation": "REST.PUT.OBJECT",
+ "request_id": "MVGXZXEVN3IG9S24",
+ "key": "AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz",
+ "object_size": 773
+ }
+ }
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/elb_logs/agent/stream/s3.yml.hbs b/test/packages/aws/data_stream/s3access/agent/stream/aws-s3.yml.hbs
similarity index 64%
rename from test/packages/aws/data_stream/elb_logs/agent/stream/s3.yml.hbs
rename to test/packages/aws/data_stream/s3access/agent/stream/aws-s3.yml.hbs
index 6a00835778..ccf43bcddc 100644
--- a/test/packages/aws/data_stream/elb_logs/agent/stream/s3.yml.hbs
+++ b/test/packages/aws/data_stream/s3access/agent/stream/aws-s3.yml.hbs
@@ -11,6 +11,9 @@ visibility_timeout: {{visibility_timeout}}
{{#if api_timeout}}
api_timeout: {{api_timeout}}
{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
{{#if endpoint}}
endpoint: {{endpoint}}
{{/if}}
@@ -29,8 +32,20 @@ role_arn: {{role_arn}}
{{#if fips_enabled}}
fips_enabled: {{fips_enabled}}
{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
+{{processors}}
+{{/if}}
\ No newline at end of file
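Review bot: The user-supplied values at `- {{tag}}` and `proxy_url: {{proxy_url}}` are emitted as plain YAML scalars, so a tag such as `on`, `no` or `1.10` (or a proxy URL that happens to contain ` #`) is retyped or truncated by the agent's YAML parser instead of being kept as a string. Quoting the interpolations, `- "{{tag}}"` and `proxy_url: "{{proxy_url}}"`, keeps them strings, assuming the template engine's output escaping allows it; the literal `- preserve_original_event` entry is unaffected either way. Also, `{{#if proxy_url }}` has a stray space before `}}` that none of the other conditionals in this template have.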
diff --git a/test/packages/aws/data_stream/s3access/agent/stream/log.yml.hbs b/test/packages/aws/data_stream/s3access/agent/stream/log.yml.hbs
index 31a201bc45..de93a0f025 100644
--- a/test/packages/aws/data_stream/s3access/agent/stream/log.yml.hbs
+++ b/test/packages/aws/data_stream/s3access/agent/stream/log.yml.hbs
@@ -2,9 +2,18 @@ paths:
{{#each paths as |path i|}}
- {{path}}
{{/each}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
exclude_files: [".gz$"]
+{{#if processors}}
processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.8.0
\ No newline at end of file
+{{processors}}
+{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/s3access/agent/stream/s3.yml.hbs b/test/packages/aws/data_stream/s3access/agent/stream/s3.yml.hbs
deleted file mode 100644
index cea7960b97..0000000000
--- a/test/packages/aws/data_stream/s3access/agent/stream/s3.yml.hbs
+++ /dev/null
@@ -1,36 +0,0 @@
-queue_url: {{queue_url}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-processors:
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.8.0
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml b/test/packages/aws/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml
index 74a565e828..608a800390 100644
--- a/test/packages/aws/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/aws/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml
@@ -2,21 +2,28 @@
description: "Pipeline for s3 server access logs"
processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
- set:
field: event.category
value: web
- append:
field: event.type
value: access
- - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
- - grok:
+ - rename:
field: message
+ target_field: event.original
+ ignore_missing: true
+ - grok:
+ field: event.original
patterns:
- >-
%{BASE16NUM:aws.s3access.bucket_owner} %{HOSTNAME:aws.s3access.bucket} \[%{HTTPDATE:_temp_.s3access_time}\]
- %{IP:aws.s3access.remote_ip} (?:-|%{S3REQUESTER:aws.s3access.requester}) %{S3REQUESTID:aws.s3access.request_id}
+ (?:-|%{IP:aws.s3access.remote_ip}) (?:-|%{S3REQUESTER:aws.s3access.requester}) %{S3REQUESTID:aws.s3access.request_id}
%{S3OPERATION:aws.s3access.operation} (?:-|%{S3KEY:aws.s3access.key}) (?:-|\"%{DATA:aws.s3access.request_uri}\")
%{NUMBER:aws.s3access.http_status:long} (?:-|%{WORD:aws.s3access.error_code}) (?:-|%{NUMBER:aws.s3access.bytes_sent:long})
(?:-|%{NUMBER:aws.s3access.object_size:long}) (?:-|%{NUMBER:aws.s3access.total_time:long}) (?:-|%{NUMBER:aws.s3access.turn_around_time:long})
@@ -30,7 +37,6 @@ processors:
S3KEY: "[a-zA-Z0-9\\/_\\.\\-%+]+"
S3ID: "[a-zA-Z0-9\\/_\\.\\-%+=]+"
S3VERSION: "[a-zA-Z0-9.]+"
-
- script:
description: Drops null/empty values recursively
lang: painless
@@ -48,110 +54,89 @@ processors:
return false;
}
drop(ctx);
-
- grok:
field: aws.s3access.request_uri
ignore_failure: true
patterns:
- - '%{NOTSPACE:http.request.method} %{NOTSPACE:url.original} [hH][tT][tT][pP]/%{NOTSPACE:http.version}'
-
- #
- # Best-effort parse of url.original in the form /path?query"
- #
- - grok:
- field: url.original
- ignore_failure: true
- patterns:
- - '^%{ABS_PATH:url.path}(?:\?%{DATA:url.query})?$'
- pattern_definitions:
- ABS_PATH: '/[^?]*'
+ - '%{NOTSPACE:http.request.method} %{NOTSPACE:_temp_.url} [hH][tT][tT][pP]/%{NOTSPACE:http.version}'
+ - uri_parts:
+ field: _temp_.url
+ target_field: url
+ keep_original: true
+ if: ctx._temp_?.url != null
- append:
- if: "ctx?.aws?.s3access?.bucket_owner != null"
field: related.user
- value: "{{aws.s3access.bucket_owner}}"
-
+ value: '{{aws.s3access.bucket_owner}}'
+ allow_duplicates: false
+ if: ctx?.aws?.s3access?.bucket_owner != null
#
# Parse the date included in s3 access logs
#
- date:
- field: "_temp_.s3access_time"
- target_field: "@timestamp"
+ field: _temp_.s3access_time'
+ target_field: '@timestamp'
ignore_failure: true
formats:
- - "dd/MMM/yyyy:H:m:s Z"
-
+ - dd/MMM/yyyy:H:m:s Z
- set:
field: client.ip
- value: "{{aws.s3access.remote_ip}}"
+ value: '{{aws.s3access.remote_ip}}'
ignore_empty_value: true
-
- append:
- if: "ctx?.aws?.s3access?.remote_ip != null"
field: related.ip
- value: "{{aws.s3access.remote_ip}}"
-
+ value: '{{aws.s3access.remote_ip}}'
+ allow_duplicates: false
+ if: ctx?.aws?.s3access?.remote_ip != null
- set:
field: client.address
- value: "{{aws.s3access.remote_ip}}"
+ value: '{{aws.s3access.remote_ip}}'
ignore_empty_value: true
-
- geoip:
- if: "ctx?.aws?.s3access?.remote_ip != null"
field: aws.s3access.remote_ip
target_field: geo
-
+ if: ctx?.aws?.s3access?.remote_ip != null
- set:
field: client.user.id
- value: "{{aws.s3access.requester}}"
+ value: '{{aws.s3access.requester}}'
ignore_empty_value: true
-
- set:
field: event.id
- value: "{{aws.s3access.request_id}}"
+ value: '{{aws.s3access.request_id}}'
ignore_empty_value: true
-
- set:
field: event.action
- value: "{{aws.s3access.operation}}"
+ value: '{{aws.s3access.operation}}'
ignore_empty_value: true
-
- set:
field: http.response.status_code
- value: "{{aws.s3access.http_status}}"
+ value: '{{aws.s3access.http_status}}'
ignore_empty_value: true
-
- convert:
- if: "ctx?.http?.response?.status_code != null"
field: http.response.status_code
type: long
-
+ if: ctx?.http?.response?.status_code != null
- set:
- if: "ctx?.aws?.s3access?.error_code != null"
field: event.outcome
value: failure
-
+ if: ctx?.aws?.s3access?.error_code != null
- set:
field: event.code
- value: "{{aws.s3access.error_code}}"
+ value: '{{aws.s3access.error_code}}'
ignore_empty_value: true
-
- set:
- if: "ctx?.aws?.s3access?.error_code == null"
field: event.outcome
value: success
-
+ if: ctx?.aws?.s3access?.error_code == null
- convert:
field: aws.s3access.bytes_sent
target_field: http.response.body.bytes
type: long
ignore_failure: true
-
- convert:
field: aws.s3access.total_time
target_field: event.duration
type: long
ignore_failure: true
-
- script:
lang: painless
if: ctx.event?.duration != null
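Review bot: The date processor's field name at `field: _temp_.s3access_time'` carries a stray trailing single quote, so it references a field that never exists and, because the processor also has `ignore_failure: true`, it silently does nothing — `@timestamp` is not derived from the access-log date, which undermines any forensic timeline built from these events. The new sample_event.json in this change is consistent with that: its `@timestamp` is 2021-11-26 while the log line is dated 01/Aug/2019. The fix is `field: _temp_.s3access_time`, matching the grok capture `%{HTTPDATE:_temp_.s3access_time}` earlier in the pipeline, and I would drop `ignore_failure: true` there so a malformed date reaches `on_failure` instead of passing unnoticed.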
@@ -159,21 +144,17 @@ processors:
MS_TO_NS: 1000000
source: >-
ctx.event.duration *= params.MS_TO_NS;
-
- set:
field: http.request.referrer
- value: "{{aws.s3access.referrer}}"
+ value: '{{aws.s3access.referrer}}'
ignore_empty_value: true
-
- user_agent:
- if: "ctx?.aws?.s3access?.user_agent != null"
+ if: ctx?.aws?.s3access?.user_agent != null
field: aws.s3access.user_agent
-
- set:
field: tls.cipher
value: '{{aws.s3access.cipher_suite}}'
ignore_empty_value: true
-
- script:
lang: painless
if: ctx.aws?.s3access?.tls_version != null
@@ -184,30 +165,48 @@ processors:
}
ctx.tls.version = parts[1];
ctx.tls.version_protocol = parts[0]
-
- set:
field: cloud.provider
value: aws
-
- set:
field: event.kind
value: event
-
- #
- # Save original message into event.original
- #
- - rename:
- field: "message"
- target_field: "event.original"
-
#
# Remove temporary fields
#
- remove:
field: _temp_
ignore_missing: true
-
+ - script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null);
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ }
+ handleMap(ctx);
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
- set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
+ field: 'error.message'
+ value: '{{ _ingest.on_failure_message }}'
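Review bot: The added null-removal script largely repeats the earlier processor described as `Drops null/empty values recursively` that runs right after the grok, so the document is now walked twice for nearly the same purpose; if the second pass is intentionally placed at the end to catch nulls produced by later processors, say so in its `description`, otherwise one of the two should go. Separately, the `on_failure` handler records only `error.message`; adding `- set: {field: event.kind, value: pipeline_error}` next to it lets detections and dashboards exclude events whose parsing failed instead of treating them as well-formed access records.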
diff --git a/test/packages/aws/data_stream/s3access/fields/base-fields.yml b/test/packages/aws/data_stream/s3access/fields/base-fields.yml
index 7c798f4534..4d53b53c1c 100644
--- a/test/packages/aws/data_stream/s3access/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/s3access/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.s3access
diff --git a/test/packages/aws/data_stream/s3access/fields/ecs.yml b/test/packages/aws/data_stream/s3access/fields/ecs.yml
index 0d3655b8c1..ce6a6aac98 100644
--- a/test/packages/aws/data_stream/s3access/fields/ecs.yml
+++ b/test/packages/aws/data_stream/s3access/fields/ecs.yml
@@ -1,131 +1,88 @@
-- name: related.user
- type: keyword
- description: All the user names seen on your event.
-- name: related.ip
- type: ip
- description: All of the IPs seen on your event.
-- name: client.ip
- type: ip
- description: IP address of the client.
-- name: client.address
- type: keyword
- description: Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.
-- name: client.user.id
- type: keyword
- description: Unique identifiers of the user.
-- name: event.id
- type: keyword
- description: Unique ID to describe the event.
-- name: event.action
- type: keyword
- description: The action captured by the event.
-- name: event.outcome
- type: keyword
- description: This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
-- name: event.code
- type: keyword
- description: Identification code for this event, if one exists.
-- name: event.duration
- type: long
- description: Duration of the event in nanoseconds.
-- name: http
- title: HTTP
- type: group
- fields:
- - name: request.method
- type: keyword
- ignore_above: 1024
- description: 'HTTP request method.'
- - name: request.referrer
- type: keyword
- ignore_above: 1024
- description: Referrer for this HTTP request.
- - name: response.body.bytes
- type: long
- format: bytes
- description: Size in bytes of the response body.
- - name: response.status_code
- type: long
- description: HTTP response status code.
- - name: version
- type: keyword
- ignore_above: 1024
- description: HTTP version.
-- name: url
- title: URL
- type: group
- fields:
- - name: original
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: 'Unmodified original url as seen in the event source.'
- - name: path
- type: keyword
- ignore_above: 1024
- description: Path of the request, such as "/search".
- - name: query
- type: keyword
- ignore_above: 1024
- description: 'The query field describes the query string of the request, such as "q=elasticsearch".'
-- name: tls.cipher
- type: keyword
- description: String indicating the cipher used during the current connection.
-- name: tls.version
- type: keyword
- description: Numeric part of the version parsed from the original string.
-- name: tls.version_protocol
- type: keyword
- description: Normalized lowercase protocol name parsed from original string.
-- name: cloud.provider
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-- name: event.kind
- type: keyword
- description: Event kind (e.g. event, alert, metric, state, pipeline_error, signal)
-- name: geo.city_name
- type: keyword
- description: City name.
-- name: geo.country_name
- type: keyword
- description: Country name.
-- name: geo.continent_name
- type: keyword
- description: Name of the continent.
-- name: geo.country_iso_code
- type: keyword
- description: Country ISO code.
-- name: geo.location
+- external: ecs
+ name: client.address
+- external: ecs
+ name: client.ip
+- external: ecs
+ name: client.user.id
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error.message
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.code
+- external: ecs
+ name: event.duration
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.outcome
+- external: ecs
+ name: geo.city_name
+- external: ecs
+ name: geo.continent_name
+- external: ecs
+ name: geo.country_iso_code
+- external: ecs
+ name: geo.country_name
+- description: Longitude and latitude.
+ level: core
+ name: geo.location
type: geo_point
- description: Longitude and latitude.
-- name: geo.region_iso_code
- type: keyword
- description: Region ISO code.
-- name: geo.region_name
- type: keyword
- description: Region name.
-- name: user_agent.device.name
- type: keyword
- description: Name of the device.
-- name: user_agent.name
- type: keyword
- description: Name of the user agent.
-- name: user_agent.original
- type: keyword
- description: Unparsed user_agent string.
-- name: user_agent.os.full
- type: keyword
- description: Operating system name, including the version or code name.
-- name: user_agent.os.name
- type: keyword
- description: Operating system name, without the version.
-- name: user_agent.os.version
- type: keyword
- description: Operating system version as a raw string.
-- name: user_agent.version
- type: keyword
- description: Version of the user agent.
+- external: ecs
+ name: geo.region_iso_code
+- external: ecs
+ name: geo.region_name
+- external: ecs
+ name: http.request.method
+- external: ecs
+ name: http.request.referrer
+- external: ecs
+ name: http.response.body.bytes
+- external: ecs
+ name: http.response.status_code
+- external: ecs
+ name: http.version
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: tags
+- external: ecs
+ name: tls.cipher
+- external: ecs
+ name: tls.version
+- external: ecs
+ name: tls.version_protocol
+- external: ecs
+ name: url.domain
+- external: ecs
+ name: url.extension
+- external: ecs
+ name: url.original
+- external: ecs
+ name: url.path
+- external: ecs
+ name: url.query
+- external: ecs
+ name: url.scheme
+- external: ecs
+ name: user_agent.device.name
+- external: ecs
+ name: user_agent.name
+- external: ecs
+ name: user_agent.original
+- external: ecs
+ name: user_agent.os.full
+- external: ecs
+ name: user_agent.os.name
+- external: ecs
+ name: user_agent.os.version
+- external: ecs
+ name: user_agent.version
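Review bot: `geo.location` is the only `geo.*` entry kept inline (with `level: core` and a description) while every sibling is declared as `external: ecs`; if that is deliberate, for example because the external definition does not resolve for this field, a one-line comment above it (`# kept inline: external ecs resolution does not cover geo.location`) would stop the next person from "fixing" it. Note also that ECS nests geo under `client`/`source`/`destination`, so the top-level `geo.*` fields here are a package-specific layout — worth confirming that is intended.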
diff --git a/test/packages/aws/data_stream/s3access/manifest.yml b/test/packages/aws/data_stream/s3access/manifest.yml
index 648a1d7f6f..b88c6ba490 100644
--- a/test/packages/aws/data_stream/s3access/manifest.yml
+++ b/test/packages/aws/data_stream/s3access/manifest.yml
@@ -1,12 +1,25 @@
title: AWS s3access logs
-release: beta
type: logs
streams:
- - input: s3
- template_path: s3.yml.hbs
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
title: AWS s3access logs
description: Collect AWS s3access logs using s3 input
vars:
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- name: queue_url
type: text
title: Queue URL
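Review bot: The `api_timeout` description reads `The maximum duration of AWS API can take.`, which is ungrammatical; suggest `The maximum duration an AWS API call can take. The maximum is half of the visibility timeout value.` Since both `visibility_timeout` and `api_timeout` are `type: text` durations passed through the template unquoted, each description should also state the expected format (for example `300s`), assuming that is what the aws-s3 input parses, because the description is the only guidance the user gets.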
@@ -22,3 +35,36 @@ streams:
required: false
show_user: false
description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-s3access
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: max_number_of_messages
+ type: integer
+ title: Maximum Concurrent SQS Messages
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
diff --git a/test/packages/aws/data_stream/s3access/sample_event.json b/test/packages/aws/data_stream/s3access/sample_event.json
new file mode 100644
index 0000000000..87826bf8af
--- /dev/null
+++ b/test/packages/aws/data_stream/s3access/sample_event.json
@@ -0,0 +1,113 @@
+{
+ "@timestamp": "2021-11-26T14:44:27.652Z",
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.s3access"
+ },
+ "url": {
+ "path": "/test-s3-ks/",
+ "original": "/test-s3-ks/?location\u0026aws-account=627959692251",
+ "query": "location\u0026aws-account=627959692251"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "geo": {
+ "continent_name": "North America",
+ "region_iso_code": "US-VA",
+ "city_name": "Ashburn",
+ "country_iso_code": "US",
+ "country_name": "United States",
+ "region_name": "Virginia",
+ "location": {
+ "lon": -77.4728,
+ "lat": 39.0481
+ }
+ },
+ "cloud": {
+ "provider": "aws"
+ },
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "user": [
+ "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
+ ],
+ "ip": [
+ "72.21.217.31"
+ ]
+ },
+ "http": {
+ "request": {
+ "method": "GET"
+ },
+ "version": "1.1",
+ "response": {
+ "body": {
+ "bytes": 142
+ },
+ "status_code": 200
+ }
+ },
+ "client": {
+ "user": {
+ "id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9"
+ },
+ "address": "72.21.217.31",
+ "ip": "72.21.217.31"
+ },
+ "tls": {
+ "cipher": "ECDHE-RSA-AES128-SHA",
+ "version": "1.2",
+ "version_protocol": "tls"
+ },
+ "event": {
+ "duration": 17000000,
+ "ingested": "2021-07-19T21:47:05.259665700Z",
+ "original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2",
+ "kind": "event",
+ "action": "REST.GET.LOCATION",
+ "id": "44EE8651683CB4DA",
+ "category": "web",
+ "type": [
+ "access"
+ ],
+ "outcome": "success"
+ },
+ "aws": {
+ "s3access": {
+ "requester": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9",
+ "tls_version": "TLSv1.2",
+ "signature_version": "SigV4",
+ "bytes_sent": 142,
+ "authentication_type": "AuthHeader",
+ "request_uri": "GET /test-s3-ks/?location\u0026aws-account=627959692251 HTTP/1.1",
+ "host_id": "BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI=",
+ "host_header": "s3.ap-southeast-1.amazonaws.com",
+ "bucket": "test-s3-ks",
+ "remote_ip": "72.21.217.31",
+ "cipher_suite": "ECDHE-RSA-AES128-SHA",
+ "http_status": 200,
+ "total_time": 17,
+ "bucket_owner": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2",
+ "operation": "REST.GET.LOCATION",
+ "request_id": "44EE8651683CB4DA",
+ "user_agent": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation"
+ }
+ },
+ "user_agent": {
+ "name": "aws-sdk-java",
+ "original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation",
+ "os": {
+ "name": "Linux",
+ "version": "4.9.137",
+ "full": "Linux 4.9.137"
+ },
+ "device": {
+ "name": "Other"
+ },
+ "version": "1.11.590"
+ }
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/sns/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/sns/agent/stream/stream.yml.hbs
index 6c56e029fb..9a12668207 100644
--- a/test/packages/aws/data_stream/sns/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/sns/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/sns/fields/base-fields.yml b/test/packages/aws/data_stream/sns/fields/base-fields.yml
index 7c798f4534..17fbf36279 100644
--- a/test/packages/aws/data_stream/sns/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/sns/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.sns
diff --git a/test/packages/aws/data_stream/sns/fields/ecs.yml b/test/packages/aws/data_stream/sns/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/sns/fields/ecs.yml
+++ b/test/packages/aws/data_stream/sns/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/sns/manifest.yml b/test/packages/aws/data_stream/sns/manifest.yml
index 806a5e416b..9ec9ad0daa 100644
--- a/test/packages/aws/data_stream/sns/manifest.yml
+++ b/test/packages/aws/data_stream/sns/manifest.yml
@@ -1,5 +1,4 @@
title: AWS SNS metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/sqs/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/sqs/agent/stream/stream.yml.hbs
index 2e9f1a2d15..0cf05645ac 100644
--- a/test/packages/aws/data_stream/sqs/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/sqs/agent/stream/stream.yml.hbs
@@ -26,4 +26,7 @@ regions:
{{/if}}
{{#if latency}}
latency: {{latency}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/sqs/fields/base-fields.yml b/test/packages/aws/data_stream/sqs/fields/base-fields.yml
index 7c798f4534..c39e5d890e 100644
--- a/test/packages/aws/data_stream/sqs/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/sqs/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.sqs
diff --git a/test/packages/aws/data_stream/sqs/fields/ecs.yml b/test/packages/aws/data_stream/sqs/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/sqs/fields/ecs.yml
+++ b/test/packages/aws/data_stream/sqs/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
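Review bot: The `error` and `error.message` entries are new fields, not a translation of the old inline list, which declared only `cloud.*`, `ecs.version` and `service.type`; if the pipeline populates `error.message` on parse failures, a sample exercising that path would make the addition testable, otherwise the two entries are dead weight. These `external: ecs` entries resolve against the ECS reference the package build pins (not part of these hunks), and the expected pipeline outputs added elsewhere in this commit assert `ecs.version` 1.12.0, so confirm the aws package pins a matching reference. The transitgateway and usage ecs.yml hunks in this commit are byte-identical to this one.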
diff --git a/test/packages/aws/data_stream/sqs/fields/fields.yml b/test/packages/aws/data_stream/sqs/fields/fields.yml
index a6f2304201..c1e5e0241e 100644
--- a/test/packages/aws/data_stream/sqs/fields/fields.yml
+++ b/test/packages/aws/data_stream/sqs/fields/fields.yml
@@ -52,3 +52,9 @@
type: keyword
description: |
SQS queue name
+ - name: cloudwatch
+ type: group
+ fields:
+ - name: namespace
+ type: keyword
+ description: The namespace specified when query cloudwatch api.
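Review bot: The description added for `cloudwatch.namespace` reads `The namespace specified when query cloudwatch api.`, which is ungrammatical and inconsistent in product casing; suggest `description: The CloudWatch namespace specified when querying the CloudWatch API.`. The `cloudwatch` entry is indented under a parent group whose definition starts before this hunk.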
diff --git a/test/packages/aws/data_stream/sqs/manifest.yml b/test/packages/aws/data_stream/sqs/manifest.yml
index b1a57a9faf..864d57bf98 100644
--- a/test/packages/aws/data_stream/sqs/manifest.yml
+++ b/test/packages/aws/data_stream/sqs/manifest.yml
@@ -1,5 +1,4 @@
title: AWS SQS metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/transitgateway/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/transitgateway/agent/stream/stream.yml.hbs
index b5530f1b2c..4a574dfdca 100644
--- a/test/packages/aws/data_stream/transitgateway/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/transitgateway/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/transitgateway/fields/base-fields.yml b/test/packages/aws/data_stream/transitgateway/fields/base-fields.yml
index 7c798f4534..291688d695 100644
--- a/test/packages/aws/data_stream/transitgateway/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/transitgateway/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.transitgateway
diff --git a/test/packages/aws/data_stream/transitgateway/fields/ecs.yml b/test/packages/aws/data_stream/transitgateway/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/transitgateway/fields/ecs.yml
+++ b/test/packages/aws/data_stream/transitgateway/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/transitgateway/manifest.yml b/test/packages/aws/data_stream/transitgateway/manifest.yml
index 36ed6e401b..d433369d08 100644
--- a/test/packages/aws/data_stream/transitgateway/manifest.yml
+++ b/test/packages/aws/data_stream/transitgateway/manifest.yml
@@ -1,5 +1,4 @@
title: AWS Transit Gateway metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/usage/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/usage/agent/stream/stream.yml.hbs
index 24c082cd4d..5298d8d404 100644
--- a/test/packages/aws/data_stream/usage/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/usage/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/usage/fields/base-fields.yml b/test/packages/aws/data_stream/usage/fields/base-fields.yml
index 7c798f4534..d774fe1ffb 100644
--- a/test/packages/aws/data_stream/usage/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/usage/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.usage
diff --git a/test/packages/aws/data_stream/usage/fields/ecs.yml b/test/packages/aws/data_stream/usage/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/usage/fields/ecs.yml
+++ b/test/packages/aws/data_stream/usage/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
diff --git a/test/packages/aws/data_stream/usage/manifest.yml b/test/packages/aws/data_stream/usage/manifest.yml
index ca2c781a65..bed34afa7c 100644
--- a/test/packages/aws/data_stream/usage/manifest.yml
+++ b/test/packages/aws/data_stream/usage/manifest.yml
@@ -1,5 +1,4 @@
title: AWS usage metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-common-config.yml b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..5622947e4b
--- /dev/null
+++ b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
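Review bot: `event.ingested: ".*"` masks the field entirely, so an empty or malformed ingest timestamp would still pass the pipeline test; a shape-preserving pattern such as `event.ingested: "^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+Z$"` keeps the test insensitive to the wall clock while still catching a missing or garbled value. The expected outputs added in this commit all carry the `YYYY-MM-DDThh:mm:ss.nnnnnnnnnZ` form that this pattern matches.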
diff --git a/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log
new file mode 100644
index 0000000000..808ade66dc
--- /dev/null
+++ b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log
@@ -0,0 +1,7 @@
+2 123456789010 eni-1235b8ca123456789 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK
+2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA
+2 123456789010 eni-89.160.20.1561aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA
+2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
+2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK
+2 123456789010 eni-1235b8ca123456789 89.160.20.156 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
+2 123456789010 eni-1235b8ca123456789 172.31.16.139 89.160.20.156 0 0 1 4 336 1432917094 1432917142 REJECT OK
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
new file mode 100644
index 0000000000..77a00b72a0
--- /dev/null
+++ b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-extra-samples.log-expected.json
@@ -0,0 +1,504 @@
+{
+ "expected": [
+ {
+ "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "port": 22,
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "country_name": "Denmark",
+ "location": {
+ "lon": 10.0,
+ "lat": 56.0
+ },
+ "country_iso_code": "DK"
+ },
+ "as": {
+ "number": 62121,
+ "organization": {
+ "name": "Christian Ebsen ApS"
+ }
+ },
+ "address": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "port": 34892,
+ "bytes": 8855,
+ "ip": "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "packets": 54
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:3piNHoW0DjbrWkF//BeRomCaOZQ=",
+ "transport": "tcp",
+ "type": "ipv6",
+ "bytes": 8855,
+ "iana_number": "6",
+ "packets": 54
+ },
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2016-10-31T11:37:00.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6",
+ "2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6"
+ ]
+ },
+ "event": {
+ "ingested": "2021-12-09T16:12:00.503382700Z",
+ "original": "2 123456789010 eni-1235b8ca123456789 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK",
+ "kind": "event",
+ "start": "2016-10-31T11:35:08.000Z",
+ "end": "2016-10-31T11:37:00.000Z",
+ "type": "flow",
+ "category": "network_traffic",
+ "outcome": "allow"
+ },
+ "aws": {
+ "vpcflow": {
+ "action": "ACCEPT",
+ "account_id": "123456789010",
+ "log_status": "OK",
+ "interface_id": "eni-1235b8ca123456789",
+ "version": "2"
+ }
+ }
+ },
+ {
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2015-05-10T18:02:14.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:12:00.503391600Z",
+ "original": "2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA",
+ "kind": "event",
+ "start": "2015-05-10T18:01:16.000Z",
+ "end": "2015-05-10T18:02:14.000Z",
+ "type": "flow",
+ "category": "network_traffic"
+ },
+ "aws": {
+ "vpcflow": {
+ "account_id": "123456789010",
+ "log_status": "NODATA",
+ "interface_id": "eni-1235b8ca123456789",
+ "version": "2"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2015-05-10T18:02:14.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "event": {
+ "ingested": "2021-12-09T16:12:00.503397800Z",
+ "original": "2 123456789010 eni-89.160.20.1561aaaaaaaaa - - - - - - - 1431280876 1431280934 - SKIPDATA",
+ "kind": "event",
+ "start": "2015-05-10T18:01:16.000Z",
+ "end": "2015-05-10T18:02:14.000Z",
+ "type": "flow",
+ "category": "network_traffic"
+ },
+ "aws": {
+ "vpcflow": {
+ "account_id": "123456789010",
+ "log_status": "SKIPDATA",
+ "interface_id": "eni-89.160.20.1561aaaaaaaaa",
+ "version": "2"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 22,
+ "ip": "89.160.20.156"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 20641,
+ "bytes": 4249,
+ "ip": "89.160.20.156",
+ "packets": 20
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:CEGBlG6oEeW2Y5LLdr9GONITz00=",
+ "transport": "tcp",
+ "type": "ipv4",
+ "bytes": 4249,
+ "iana_number": "6",
+ "packets": 20
+ },
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2014-12-14T04:07:50.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "89.160.20.156",
+ "89.160.20.156"
+ ]
+ },
+ "event": {
+ "ingested": "2021-12-09T16:12:00.503403700Z",
+ "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
+ "kind": "event",
+ "start": "2014-12-14T04:06:50.000Z",
+ "end": "2014-12-14T04:07:50.000Z",
+ "type": "flow",
+ "category": "network_traffic",
+ "outcome": "allow"
+ },
+ "aws": {
+ "vpcflow": {
+ "action": "ACCEPT",
+ "account_id": "123456789010",
+ "log_status": "OK",
+ "interface_id": "eni-1235b8ca123456789",
+ "version": "2"
+ }
+ }
+ },
+ {
+ "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 3389,
+ "ip": "89.160.20.156"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 49761,
+ "bytes": 4249,
+ "ip": "89.160.20.156",
+ "packets": 20
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:va8LK/uEqYpj4NoZ9/5WRLio5rs=",
+ "transport": "tcp",
+ "type": "ipv4",
+ "bytes": 4249,
+ "iana_number": "6",
+ "packets": 20
+ },
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2014-12-14T04:07:50.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "89.160.20.156",
+ "89.160.20.156"
+ ]
+ },
+ "event": {
+ "ingested": "2021-12-09T16:12:00.503409900Z",
+ "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 89.160.20.156 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK",
+ "kind": "event",
+ "start": "2014-12-14T04:06:50.000Z",
+ "end": "2014-12-14T04:07:50.000Z",
+ "type": "flow",
+ "category": "network_traffic",
+ "outcome": "deny"
+ },
+ "aws": {
+ "vpcflow": {
+ "action": "REJECT",
+ "account_id": "123456789010",
+ "log_status": "OK",
+ "interface_id": "eni-1235b8ca123456789",
+ "version": "2"
+ }
+ }
+ },
+ {
+ "destination": {
+ "port": 0,
+ "address": "172.31.16.139",
+ "ip": "172.31.16.139"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 0,
+ "bytes": 336,
+ "ip": "89.160.20.156",
+ "packets": 4
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:cttDCHp3UNR8SFNTOgVYpAceHf4=",
+ "type": "ipv4",
+ "bytes": 336,
+ "iana_number": "1",
+ "packets": 4
+ },
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2015-05-29T16:32:22.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "89.160.20.156",
+ "172.31.16.139"
+ ]
+ },
+ "event": {
+ "ingested": "2021-12-09T16:12:00.503416200Z",
+ "original": "2 123456789010 eni-1235b8ca123456789 89.160.20.156 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK",
+ "kind": "event",
+ "start": "2015-05-29T16:30:27.000Z",
+ "end": "2015-05-29T16:32:22.000Z",
+ "type": "flow",
+ "category": "network_traffic",
+ "outcome": "allow"
+ },
+ "aws": {
+ "vpcflow": {
+ "action": "ACCEPT",
+ "account_id": "123456789010",
+ "log_status": "OK",
+ "interface_id": "eni-1235b8ca123456789",
+ "version": "2"
+ }
+ }
+ },
+ {
+ "destination": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 0,
+ "ip": "89.160.20.156"
+ },
+ "source": {
+ "address": "172.31.16.139",
+ "port": 0,
+ "bytes": 336,
+ "packets": 4,
+ "ip": "172.31.16.139"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:XiVZKra6oEtIAPBi9QgeQL4Hp6M=",
+ "type": "ipv4",
+ "bytes": 336,
+ "iana_number": "1",
+ "packets": 4
+ },
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2015-05-29T16:32:22.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "172.31.16.139",
+ "89.160.20.156"
+ ]
+ },
+ "event": {
+ "ingested": "2021-12-09T16:12:00.503420100Z",
+ "original": "2 123456789010 eni-1235b8ca123456789 172.31.16.139 89.160.20.156 0 0 1 4 336 1432917094 1432917142 REJECT OK",
+ "kind": "event",
+ "start": "2015-05-29T16:31:34.000Z",
+ "end": "2015-05-29T16:32:22.000Z",
+ "type": "flow",
+ "category": "network_traffic",
+ "outcome": "deny"
+ },
+ "aws": {
+ "vpcflow": {
+ "action": "REJECT",
+ "account_id": "123456789010",
+ "log_status": "OK",
+ "interface_id": "eni-1235b8ca123456789",
+ "version": "2"
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
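Review bot: `related.ip` in the first, fourth and fifth expected documents lists the same address twice (`2a02:cf40:add:4002:91f2:a9b2:e09a:6fc6` twice in the first, `89.160.20.156` twice in the fourth and fifth), which suggests the pipeline appends source and destination without `allow_duplicates: false`; this fixture pins that behaviour, so if a deduplicated `related.ip` is intended the pipeline should change and the fixture be regenerated. For the two ICMP records (`"iana_number": "1"`) `network.transport` is absent while the TCP records carry `"transport": "tcp"`; if the pipeline is meant to derive the transport from the IANA number, `icmp` is missing here. Both observations concern the ingest pipeline, which is not part of this diff.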
diff --git a/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log
index 4a05514cae..94b874fa6a 100644
--- a/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log
+++ b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log
@@ -1,6 +1,3 @@
-version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
-3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
-version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 89.160.20.156 10.0.0.62 43416 5001 89.160.20.156 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA
-version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
-3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA
\ No newline at end of file
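Review bot: Removing the three `version vpc-id …` header rows from this fixture removes the only coverage of header-line handling, at the same time as the commit deletes the agent-side `drop_event` processor in s3.yml.hbs that discarded lines matching `^version`; the replacement aws-s3.yml.hbs carries no such processor, so a header row in a log object now reaches the ingest pipeline untested. Either keep one header row in this sample with a matching expected document, or add a dedicated sample showing how the pipeline treats it. The change of the source address to `89.160.20.156` is fine on its own.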
diff --git a/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
index 9b89812b6e..cca3b2323c 100644
--- a/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
+++ b/test/packages/aws/data_stream/vpcflow/_dev/test/pipeline/test-tcp-flag-sequence.log-expected.json
@@ -1,58 +1,171 @@
{
"expected": [
{
- "cloud": {
- "provider": "aws"
+ "destination": {
+ "port": 5001,
+ "address": "10.0.0.62",
+ "ip": "10.0.0.62"
},
- "event": {
- "kind": "event",
- "original": "version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status"
- }
- },
- {
- "cloud": {
- "provider": "aws"
+ "source": {
+ "geo": {
+ "continent_name": "Europe",
+ "region_iso_code": "SE-AB",
+ "city_name": "Tumba",
+ "country_iso_code": "SE",
+ "country_name": "Sweden",
+ "region_name": "Stockholm",
+ "location": {
+ "lon": 17.8167,
+ "lat": 59.2
+ }
+ },
+ "as": {
+ "number": 29518,
+ "organization": {
+ "name": "Bredband2 AB"
+ }
+ },
+ "address": "89.160.20.156",
+ "port": 43416,
+ "bytes": 568,
+ "ip": "89.160.20.156",
+ "packets": 8
},
- "event": {
- "kind": "event",
- "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK"
- }
- },
- {
- "cloud": {
- "provider": "aws"
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:dF5WY79X1yVncj+yH8q27Q5Bnpk=",
+ "transport": "tcp",
+ "type": "ipv4",
+ "bytes": 568,
+ "iana_number": "6",
+ "packets": 8
},
- "event": {
- "kind": "event",
- "original": "version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status"
- }
- },
- {
"cloud": {
- "provider": "aws"
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ },
+ "instance": {
+ "id": "i-01234567890123456"
+ }
+ },
+ "@timestamp": "2019-08-26T19:48:53.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "89.160.20.156",
+ "10.0.0.62"
+ ]
},
"event": {
+ "ingested": "2021-12-09T16:12:01.346119700Z",
+ "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 89.160.20.156 10.0.0.62 43416 5001 89.160.20.156 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK",
"kind": "event",
- "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA"
+ "start": "2019-08-26T19:47:55.000Z",
+ "end": "2019-08-26T19:48:53.000Z",
+ "type": "flow",
+ "category": "network_traffic",
+ "outcome": "allow"
+ },
+ "aws": {
+ "vpcflow": {
+ "tcp_flags_array": [
+ "syn"
+ ],
+ "vpc_id": "vpc-abcdefab012345678",
+ "pkt_srcaddr": "89.160.20.156",
+ "type": "IPv4",
+ "version": "3",
+ "instance_id": "i-01234567890123456",
+ "account_id": "123456789010",
+ "log_status": "OK",
+ "interface_id": "eni-1235b8ca123456789",
+ "tcp_flags": "2",
+ "subnet_id": "subnet-aaaaaaaa012345678",
+ "action": "ACCEPT",
+ "pkt_dstaddr": "10.0.0.62"
+ }
}
},
{
"cloud": {
- "provider": "aws"
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ },
+ "instance": {
+ "id": "i-01234567890123456"
+ }
+ },
+ "@timestamp": "2019-08-26T19:48:53.000Z",
+ "ecs": {
+ "version": "1.12.0"
},
"event": {
+ "ingested": "2021-12-09T16:12:01.346125500Z",
+ "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA",
"kind": "event",
- "original": "version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status"
- }
+ "start": "2019-08-26T19:47:55.000Z",
+ "end": "2019-08-26T19:48:53.000Z",
+ "type": "flow",
+ "category": "network_traffic"
+ },
+ "aws": {
+ "vpcflow": {
+ "instance_id": "i-01234567890123456",
+ "account_id": "123456789010",
+ "log_status": "SKIPDATA",
+ "interface_id": "eni-1235b8ca123456789",
+ "vpc_id": "vpc-abcdefab012345678",
+ "subnet_id": "subnet-aaaaaaaa012345678",
+ "version": "3"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
},
{
"cloud": {
- "provider": "aws"
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ },
+ "instance": {
+ "id": "i-01234567890123456"
+ }
+ },
+ "@timestamp": "2019-08-26T19:48:53.000Z",
+ "ecs": {
+ "version": "1.12.0"
},
"event": {
+ "ingested": "2021-12-09T16:12:01.346129200Z",
+ "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA",
"kind": "event",
- "original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA"
- }
+ "start": "2019-08-26T19:47:55.000Z",
+ "end": "2019-08-26T19:48:53.000Z",
+ "type": "flow",
+ "category": "network_traffic"
+ },
+ "aws": {
+ "vpcflow": {
+ "instance_id": "i-01234567890123456",
+ "account_id": "123456789010",
+ "log_status": "NODATA",
+ "interface_id": "eni-1235b8ca123456789",
+ "vpc_id": "vpc-abcdefab012345678",
+ "subnet_id": "subnet-aaaaaaaa012345678",
+ "version": "3"
+ }
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
}
]
}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs b/test/packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs
new file mode 100644
index 0000000000..ccf43bcddc
--- /dev/null
+++ b/test/packages/aws/data_stream/vpcflow/agent/stream/aws-s3.yml.hbs
@@ -0,0 +1,51 @@
+queue_url: {{queue_url}}
+{{#if credential_profile_name}}
+credential_profile_name: {{credential_profile_name}}
+{{/if}}
+{{#if shared_credential_file}}
+shared_credential_file: {{shared_credential_file}}
+{{/if}}
+{{#if visibility_timeout}}
+visibility_timeout: {{visibility_timeout}}
+{{/if}}
+{{#if api_timeout}}
+api_timeout: {{api_timeout}}
+{{/if}}
+{{#if max_number_of_messages}}
+max_number_of_messages: {{max_number_of_messages}}
+{{/if}}
+{{#if endpoint}}
+endpoint: {{endpoint}}
+{{/if}}
+{{#if access_key_id}}
+access_key_id: {{access_key_id}}
+{{/if}}
+{{#if secret_access_key}}
+secret_access_key: {{secret_access_key}}
+{{/if}}
+{{#if session_token}}
+session_token: {{session_token}}
+{{/if}}
+{{#if role_arn}}
+role_arn: {{role_arn}}
+{{/if}}
+{{#if fips_enabled}}
+fips_enabled: {{fips_enabled}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
\ No newline at end of file
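Review bot: `tags:` is emitted unconditionally, so when `preserve_original_event` is false and `tags` is empty the rendered config contains a bare `tags:` key, which a YAML parser reads as null rather than an empty list; the deleted s3.yml.hbs did not emit `tags` at all, so this is new behaviour and worth confirming the input tolerates a null there, or guarding the key so it is only written when at least one tag is present. `{{processors}}` is interpolated raw, so the variable is expected to already be a correctly indented YAML sequence; a one-line comment above it, `{{!-- processors must be a YAML list, rendered verbatim --}}`, would save the next maintainer a guess.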
diff --git a/test/packages/aws/data_stream/vpcflow/agent/stream/s3.yml.hbs b/test/packages/aws/data_stream/vpcflow/agent/stream/s3.yml.hbs
deleted file mode 100644
index 8241ac6fcd..0000000000
--- a/test/packages/aws/data_stream/vpcflow/agent/stream/s3.yml.hbs
+++ /dev/null
@@ -1,139 +0,0 @@
-queue_url: {{queue_url}}
-{{#if credential_profile_name}}
-credential_profile_name: {{credential_profile_name}}
-{{/if}}
-{{#if shared_credential_file}}
-shared_credential_file: {{shared_credential_file}}
-{{/if}}
-{{#if visibility_timeout}}
-visibility_timeout: {{visibility_timeout}}
-{{/if}}
-{{#if api_timeout}}
-api_timeout: {{api_timeout}}
-{{/if}}
-{{#if endpoint}}
-endpoint: {{endpoint}}
-{{/if}}
-{{#if access_key_id}}
-access_key_id: {{access_key_id}}
-{{/if}}
-{{#if secret_access_key}}
-secret_access_key: {{secret_access_key}}
-{{/if}}
-{{#if session_token}}
-session_token: {{session_token}}
-{{/if}}
-{{#if role_arn}}
-role_arn: {{role_arn}}
-{{/if}}
-{{#if fips_enabled}}
-fips_enabled: {{fips_enabled}}
-{{/if}}
-processors:
- - drop_event:
- when.regexp.message: "^version"
- - drop_event:
- when.regexp.message: "^instance-id"
- - script:
- lang: javascript
- source: >
- function process(event) {
- var message = event.Get("message");
- var tokens = message.split(" ").length;
- event.Put("@metadata.message_token_count", tokens);
- }
- # Default vpc flow log format
- - dissect:
- when:
- equals:
- '@metadata.message_token_count': 14
- field: message
- target_prefix: aws.vpcflow
- tokenizer: '%{version} %{account_id} %{interface_id} %{srcaddr} %{dstaddr} %{srcport} %{dstport} %{protocol} %{packets} %{bytes} %{start} %{end} %{action} %{log_status}'
- # Custom flow log for traffic through a NAT gateway
- - dissect:
- when:
- equals:
- '@metadata.message_token_count': 6
- field: message
- target_prefix: aws.vpcflow
- tokenizer: '%{instance_id} %{interface_id} %{srcaddr} %{dstaddr} %{pkt_srcaddr} %{pkt_dstaddr}'
- # Custom flow log for traffic through a transit gateway
- - dissect:
- when:
- equals:
- '@metadata.message_token_count': 17
- field: message
- target_prefix: aws.vpcflow
- tokenizer: '%{version} %{interface_id} %{account_id} %{vpc_id} %{subnet_id} %{instance_id} %{srcaddr} %{dstaddr} %{srcport} %{dstport} %{protocol} %{tcp_flags} %{type} %{pkt_srcaddr} %{pkt_dstaddr} %{action} %{log_status}'
- # TCP Flag Sequence
- - dissect:
- when:
- equals:
- '@metadata.message_token_count': 21
- field: message
- target_prefix: aws.vpcflow
- tokenizer: '%{version} %{vpc_id} %{subnet_id} %{instance_id} %{interface_id} %{account_id} %{type} %{srcaddr} %{dstaddr} %{srcport} %{dstport} %{pkt_srcaddr} %{pkt_dstaddr} %{protocol} %{bytes} %{packets} %{start} %{end} %{action} %{tcp_flags} %{log_status}'
- - convert:
- ignore_missing: true
- fields:
- - {from: aws.vpcflow.srcaddr, to: source.address}
- - {from: aws.vpcflow.srcaddr, to: source.ip, type: ip}
- - {from: aws.vpcflow.srcport, to: source.port, type: long}
- - {from: aws.vpcflow.dstaddr, to: destination.address}
- - {from: aws.vpcflow.dstaddr, to: destination.ip, type: ip}
- - {from: aws.vpcflow.dstport, to: destination.port, type: long}
- - {from: aws.vpcflow.protocol, to: network.iana_number, type: string}
- - {from: aws.vpcflow.packets, to: source.packets, type: long}
- - {from: aws.vpcflow.bytes, to: source.bytes, type: long}
- - {from: aws.vpcflow.packets, to: network.packets, type: long}
- - {from: aws.vpcflow.bytes, to: network.bytes, type: long}
- - drop_fields:
- fields: ["aws.vpcflow.srcaddr", "aws.vpcflow.srcport", "aws.vpcflow.dstaddr", "aws.vpcflow.dstport", "aws.vpcflow.bytes", "aws.vpcflow.packets", "aws.vpcflow.protocol"]
- - community_id: ~
- # Use the aws.vpcflow.action value to set the event.outcome value to either "allow" or "deny".
- - add_fields:
- when.equals.aws.vpcflow.action: ACCEPT
- target: event
- fields: {outcome: allow}
- - add_fields:
- when.equals.aws.vpcflow.action: REJECT
- target: event
- fields: {outcome: deny}
- - add_fields:
- target: event
- fields: {type: flow}
- - add_fields:
- target: event
- fields: {category: network_traffic}
- # Add network.type: ipv4 or ipv6
- - if:
- contains.source.ip: "."
- then:
- - add_fields:
- target: network
- fields: {type: ipv4}
- - if:
- contains.source.ip: ":"
- then:
- - add_fields:
- target: network
- fields: {type: ipv6}
- # Add network.transport: based on IANA protocol number of the traffic
- # http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
- - if:
- equals.network.iana_number: "6"
- then:
- - add_fields:
- target: network
- fields: {transport: tcp}
- - if:
- equals.network.iana_number: "17"
- then:
- - add_fields:
- target: network
- fields: {transport: udp}
- - add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml b/test/packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
index 811ec69692..d4d98f0839 100644
--- a/test/packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
+++ b/test/packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
@@ -2,33 +2,75 @@
description: Pipeline for AWS VPC Flow Logs
processors:
+ - set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+ - set:
+ field: ecs.version
+ value: '1.12.0'
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - set:
+ field: event.type
+ value: flow
+ - set:
+ field: event.category
+ value: network_traffic
+ - drop:
+ if: 'ctx.event?.original.startsWith("version") || ctx.event?.original.startsWith("instance-id")'
+ - script:
+ lang: painless
+ if: ctx.event?.original != null
+ source: >-
+ ctx._temp_ = new HashMap();
+ ctx._temp_.message_token_count = ctx.event?.original.splitOnToken(" ").length;
+ - dissect:
+ field: event.original
+ pattern: '%{aws.vpcflow.version} %{aws.vpcflow.account_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.packets} %{aws.vpcflow.bytes} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.log_status}'
+ if: ctx?._temp_?.message_token_count == 14
+ - dissect:
+ field: event.original
+ pattern: '%{aws.vpcflow.instance_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr}'
+ if: ctx?._temp_?.message_token_count == 6
+ - dissect:
+ field: event.original
+ pattern: '%{aws.vpcflow.version} %{aws.vpcflow.interface_id} %{aws.vpcflow.account_id} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.type} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{aws.vpcflow.action} %{aws.vpcflow.log_status}'
+ if: ctx?._temp_?.message_token_count == 17
+ - dissect:
+ field: event.original
+ pattern: '%{aws.vpcflow.version} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.account_id} %{aws.vpcflow.type} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{aws.vpcflow.protocol} %{aws.vpcflow.bytes} %{aws.vpcflow.packets} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.log_status}'
+ if: ctx?._temp_?.message_token_count == 21
+
# Convert Unix epoch to timestamp
- date:
- field: "aws.vpcflow.end"
- target_field: "@timestamp"
+ field: aws.vpcflow.end
+ target_field: '@timestamp'
ignore_failure: true
formats:
- UNIX
- date:
- field: "aws.vpcflow.start"
- target_field: "event.start"
+ field: aws.vpcflow.start
+ target_field: event.start
ignore_failure: true
formats:
- UNIX
- date:
- field: "aws.vpcflow.end"
- target_field: "event.end"
+ field: aws.vpcflow.end
+ target_field: event.end
ignore_failure: true
formats:
- UNIX
- remove:
- field: ["aws.vpcflow.start", "aws.vpcflow.end"]
+ field:
+ - aws.vpcflow.start
+ - aws.vpcflow.end
ignore_missing: true
-
- script:
lang: painless
ignore_failure: true
- if: ctx?.aws != null
+ if: ctx.aws != null
source: >-
void handleMap(Map map) {
for (def x : map.values()) {
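Review bot: The new `drop` processor's condition `ctx.event?.original.startsWith("version") || ...` dereferences `event.original` without a null check, so a document that had no `message` (the preceding `rename` with `ignore_missing` then leaves `event.original` unset, while `event` itself exists because `event.ingested` was just set) raises a null-pointer failure and aborts into `on_failure` instead of being processed. The `script` immediately after it already guards with `if: ctx.event?.original != null`; the drop should do the same: `if: 'ctx.event?.original != null && (ctx.event.original.startsWith("version") || ctx.event.original.startsWith("instance-id"))'`. The `processors:` list continues past the end of this hunk.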
@@ -50,7 +92,81 @@ processors:
}
}
handleMap(ctx.aws);
-
+ - set:
+ field: event.outcome
+ value: allow
+ if: ctx.aws?.vpcflow?.action == "ACCEPT"
+ - set:
+ field: event.outcome
+ value: deny
+ if: ctx.aws?.vpcflow?.action == "REJECT"
+ - rename:
+ field: aws.vpcflow.srcaddr
+ target_field: source.address
+ ignore_missing: true
+ - set:
+ field: source.ip
+ copy_from: source.address
+ if: ctx.source?.address != null
+ - convert:
+ field: aws.vpcflow.srcport
+ target_field: source.port
+ type: integer
+ ignore_missing: true
+ - rename:
+ field: aws.vpcflow.dstaddr
+ target_field: destination.address
+ ignore_missing: true
+ - set:
+ field: destination.ip
+ copy_from: destination.address
+ if: ctx.destination?.address != null
+ - convert:
+ field: aws.vpcflow.dstport
+ target_field: destination.port
+ type: integer
+ ignore_missing: true
+ - rename:
+ field: aws.vpcflow.protocol
+ target_field: network.iana_number
+ ignore_missing: true
+ - convert:
+ field: aws.vpcflow.packets
+ target_field: source.packets
+ type: long
+ ignore_missing: true
+ - convert:
+ field: aws.vpcflow.bytes
+ target_field: source.bytes
+ type: long
+ ignore_missing: true
+ - set:
+ field: network.bytes
+ copy_from: source.bytes
+ if: ctx.source?.bytes != null
+ - set:
+ field: network.packets
+ copy_from: source.packets
+ if: ctx.source?.packets != null
+ - set:
+ field: network.type
+ value: ipv4
+ if: 'ctx.source?.ip != null && ctx.source?.ip.contains(".")'
+ - set:
+ field: network.type
+ value: ipv6
+ if: 'ctx.source?.ip != null && ctx.source?.ip.contains(":")'
+ - set:
+ field: network.transport
+ value: tcp
+ if: ctx.network?.iana_number == "6"
+ - set:
+ field: network.transport
+ value: udp
+ if: ctx.network?.iana_number == "17"
+ - community_id:
+ target_field: network.community_id
+ ignore_failure: true
# IP Geolocation Lookup
- geoip:
field: source.ip
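Review bot: The `set source.ip` / `set destination.ip` processors copy the address verbatim whenever it is non-null, so a record whose address column is the `-` placeholder (this pipeline already treats `-` as "absent" for `instance_id` further down) ends up with `source.ip: "-"`, which an `ip`-typed mapping rejects at index time; likewise the two `convert … type: integer` steps raise on a `-` port and, lacking `ignore_failure`, route the document to `on_failure`. The removed agent-side processors had the same exposure, so this is not a regression, but guarding the copies — `if: 'ctx.source?.address != null && ctx.source.address != "-"'` and the destination twin — and adding `ignore_failure: true` to the two port converts would keep records with placeholder columns (the NODATA/SKIPDATA style seen in this commit's test expectations) indexable. The `processors:` list continues outside the hunk.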
@@ -60,7 +176,6 @@ processors:
field: destination.ip
target_field: destination.geo
ignore_missing: true
-
# IP Autonomous System (AS) Lookup
- geoip:
database_file: GeoLite2-ASN.mmdb
@@ -78,7 +193,6 @@ processors:
- asn
- organization_name
ignore_missing: true
-
- rename:
field: source.as.asn
target_field: source.as.number
@@ -95,36 +209,72 @@ processors:
field: destination.as.organization_name
target_field: destination.as.organization.name
ignore_missing: true
- - rename:
- field: message
- target_field: event.original
- ignore_missing: true
-
# Generate related.ip field
- append:
- if: ctx.source?.ip != null && ctx.destination?.ip != null
+ if: 'ctx.source?.ip != null && ctx.destination?.ip != null'
field: related.ip
value: ["{{source.ip}}", "{{destination.ip}}"]
-
- set:
field: cloud.provider
value: aws
-
- set:
- if: "ctx?.aws?.vpcflow?.account_id != null"
+ if: ctx.aws?.vpcflow?.account_id != null
field: cloud.account.id
- value: "{{aws.vpcflow.account_id}}"
-
+ value: '{{aws.vpcflow.account_id}}'
- set:
- if: "ctx?.aws?.vpcflow?.instance_id != null && ctx.aws.vpcflow.instance_id != '-'"
+ if: 'ctx?.aws?.vpcflow?.instance_id != null && ctx.aws.vpcflow.instance_id != "-"'
field: cloud.instance.id
- value: "{{aws.vpcflow.instance_id}}"
-
+ value: '{{aws.vpcflow.instance_id}}'
- set:
field: event.kind
value: event
+ - script:
+ lang: painless
+ ignore_failure: true
+ if: "ctx.aws?.vpcflow?.tcp_flags != null"
+ source: |
+ if (ctx.aws.vpcflow.tcp_flags_array == null) {
+ ArrayList al = new ArrayList();
+ ctx.aws.vpcflow.put("tcp_flags_array", al);
+ }
+ def flags = Integer.parseUnsignedInt(ctx.aws.vpcflow.tcp_flags);
+
+ if ((flags & 0x01) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('fin');
+ }
+ if ((flags & 0x02) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('syn');
+ }
+ if ((flags & 0x04) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('rst');
+ }
+ if ((flags & 0x08) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('psh');
+ }
+ if ((flags & 0x10) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('ack');
+ }
+ if ((flags & 0x20) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('urg');
+ }
+ - remove:
+ field:
+ - _temp_
+ - aws.vpcflow.srcaddr
+ - aws.vpcflow.srcport
+ - aws.vpcflow.dstaddr
+ - aws.vpcflow.dstport
+ - aws.vpcflow.bytes
+ - aws.vpcflow.packets
+ - aws.vpcflow.protocol
+ ignore_missing: true
+ - remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
on_failure:
- set:
- field: "error.message"
- value: "{{ _ingest.on_failure_message }}"
+ field: 'error.message'
+ value: '{{ _ingest.on_failure_message }}'
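Review bot: In the tcp_flags script, `tcp_flags_array` is created and attached to the document before `Integer.parseUnsignedInt` runs, so when `tcp_flags` is non-numeric (for instance the `-` placeholder) the parse throws, `ignore_failure: true` swallows it, and the event is indexed with an empty `tcp_flags_array: []`. Parse first and only then create the list — move `def flags = Integer.parseUnsignedInt(ctx.aws.vpcflow.tcp_flags);` above the `if (ctx.aws.vpcflow.tcp_flags_array == null)` block — or tighten the guard to `if: 'ctx.aws?.vpcflow?.tcp_flags != null && ctx.aws.vpcflow.tcp_flags != "-"'`. As a point of style, this hunk still mixes `ctx?.aws` (the `cloud.instance.id` condition, the final `remove`) with the `ctx.aws` form the commit adopts everywhere else, and double-quoted `if:` strings with the single-quoted ones above; settling on one of each would make the file read consistently.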
diff --git a/test/packages/aws/data_stream/vpcflow/fields/base-fields.yml b/test/packages/aws/data_stream/vpcflow/fields/base-fields.yml
index 7c798f4534..8360b70d7e 100644
--- a/test/packages/aws/data_stream/vpcflow/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/vpcflow/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.vpcflow
diff --git a/test/packages/aws/data_stream/vpcflow/fields/ecs.yml b/test/packages/aws/data_stream/vpcflow/fields/ecs.yml
new file mode 100644
index 0000000000..6fbd292a09
--- /dev/null
+++ b/test/packages/aws/data_stream/vpcflow/fields/ecs.yml
@@ -0,0 +1,94 @@
+- name: cloud.account.id
+ external: ecs
+- name: cloud.instance.id
+ external: ecs
+- name: cloud.provider
+ external: ecs
+- name: destination.address
+ external: ecs
+- name: destination.as.number
+ external: ecs
+- name: destination.as.organization.name
+ external: ecs
+- name: destination.geo.city_name
+ external: ecs
+- name: destination.geo.continent_name
+ external: ecs
+- name: destination.geo.country_iso_code
+ external: ecs
+- name: destination.geo.country_name
+ external: ecs
+- name: destination.geo.location
+ external: ecs
+- name: destination.geo.region_iso_code
+ external: ecs
+- name: destination.geo.region_name
+ external: ecs
+- name: destination.ip
+ external: ecs
+- name: destination.port
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: error.message
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.end
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: event.original
+ external: ecs
+- name: event.outcome
+ external: ecs
+- name: event.start
+ external: ecs
+- name: event.type
+ external: ecs
+- name: network.bytes
+ external: ecs
+- name: network.community_id
+ external: ecs
+- name: network.iana_number
+ external: ecs
+- name: network.packets
+ external: ecs
+- name: network.transport
+ external: ecs
+- name: network.type
+ external: ecs
+- name: related.ip
+ external: ecs
+- name: source.address
+ external: ecs
+- name: source.as.number
+ external: ecs
+- name: source.as.organization.name
+ external: ecs
+- name: source.as.organization.name
+ external: ecs
+- name: source.bytes
+ external: ecs
+- name: source.geo.city_name
+ external: ecs
+- name: source.geo.continent_name
+ external: ecs
+- name: source.geo.country_iso_code
+ external: ecs
+- name: source.geo.country_name
+ external: ecs
+- name: source.geo.location
+ external: ecs
+- name: source.geo.region_iso_code
+ external: ecs
+- name: source.geo.region_name
+ external: ecs
+- name: source.ip
+ external: ecs
+- name: source.packets
+ external: ecs
+- name: source.port
+ external: ecs
+- name: tags
+ external: ecs
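Review bot: `source.as.organization.name` is declared twice (two consecutive entries near the end of the list); drop one of them, since duplicate field definitions are redundant at best and some package tooling rejects them. The pipeline in this commit also writes `event.ingested`, and the new sample event carries it, yet no `event.ingested` entry appears here; if the package build checks that every field in the sample or test expectations is declared, `- name: event.ingested` with `external: ecs` is missing from this file.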
diff --git a/test/packages/aws/data_stream/vpcflow/fields/fields.yml b/test/packages/aws/data_stream/vpcflow/fields/fields.yml
index 0ac3cfb533..eb86456985 100644
--- a/test/packages/aws/data_stream/vpcflow/fields/fields.yml
+++ b/test/packages/aws/data_stream/vpcflow/fields/fields.yml
@@ -45,130 +45,12 @@
type: keyword
description: |
The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST
+ - name: tcp_flags_array
+ type: keyword
+ description: >
+ List of TCP flags: 'fin, syn, rst, psh, ack, urg'
+
- name: type
type: keyword
description: |
The type of traffic: IPv4, IPv6, or EFA.
-- name: event.start
- type: date
- description: event.start contains the date when the event started or when the activity was first observed.
-- name: event.end
- type: date
- description: event.end contains the date when the event ended or when the activity was last observed.
-- name: destination.geo.continent_name
- type: keyword
- description: Name of the continent.
-- name: destination.geo.country_iso_code
- type: keyword
- description: Country ISO code.
-- name: destination.geo.location
- type: geo_point
- description: Longitude and latitude.
-- name: destination.ip
- type: ip
- description: IP address of the destination.
-- name: destination.address
- type: keyword
- description: Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.
-- name: destination.port
- type: long
- description: Port of the destination.
-- name: event.category
- type: keyword
- description: Event category (e.g. database)
-- name: event.outcome
- type: keyword
- description: This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
-- name: event.type
- type: keyword
- description: Event severity (e.g. info, error)
-- name: source.as.number
- type: long
- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-- name: source.as.organization.name
- type: keyword
- description: Organization name.
-- name: destination.as.number
- type: long
- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-- name: destination.as.organization.name
- type: keyword
- description: Organization name.
-- name: event.original
- type: keyword
- description: Raw text message of entire event. Used to demonstrate log integrity.
-- name: cloud.account.id
- type: keyword
- description: The cloud account or organization id used to identify different entities in a multi-tenant environment.
-- name: cloud.instance.id
- type: keyword
- description: Instance ID of the host machine.
-- name: cloud.provider
- type: keyword
- description: Name of the cloud provider.
-- name: related.ip
- type: ip
- description: All of the IPs seen on your event.
-- name: event.kind
- type: keyword
- description: Event kind (e.g. event, alert, metric, state, pipeline_error, signal)
-- name: cloud.account.id
- type: keyword
- description: The cloud account or organization id used to identify different entities in a multi-tenant environment.
-- name: network.bytes
- type: long
- description: Total bytes transferred in both directions.
-- name: network.community_id
- type: keyword
- description: A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
-- name: network.iana_number
- type: keyword
- description: IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
-- name: network.packets
- type: long
- description: Total packets transferred in both directions.
-- name: network.transport
- type: keyword
- description: Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
-- name: network.type
- type: keyword
- description: In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
-- name: source.address
- type: keyword
- description: Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.
-- name: source.as.number
- type: long
- description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
-- name: source.as.organization.name
- type: keyword
- description: Organization name.
-- name: source.bytes
- type: long
- description: Bytes sent from the source to the destination.
-- name: source.geo.city_name
- type: keyword
- description: City name.
-- name: source.geo.continent_name
- type: keyword
- description: Name of the continent.
-- name: source.geo.country_iso_code
- type: keyword
- description: Country ISO code.
-- name: source.geo.location
- type: geo_point
- description: Longitude and latitude.
-- name: source.geo.region_iso_code
- type: keyword
- description: Region ISO code.
-- name: source.geo.region_name
- type: keyword
- description: Region name.
-- name: source.ip
- type: ip
- description: IP address of the source (IPv4 or IPv6).
-- name: source.packets
- type: long
- description: Packets sent from the source to the destination.
-- name: source.port
- type: long
- description: Port of the source.
diff --git a/test/packages/aws/data_stream/vpcflow/manifest.yml b/test/packages/aws/data_stream/vpcflow/manifest.yml
index a27c351a81..3812639fb8 100644
--- a/test/packages/aws/data_stream/vpcflow/manifest.yml
+++ b/test/packages/aws/data_stream/vpcflow/manifest.yml
@@ -1,12 +1,25 @@
title: AWS vpcflow logs
-release: beta
type: logs
streams:
- - input: s3
- template_path: s3.yml.hbs
+ - input: aws-s3
+ template_path: aws-s3.yml.hbs
title: AWS vpcflow logs
description: Collect AWS vpcflow logs using s3 input
vars:
+ - name: visibility_timeout
+ type: text
+ title: Visibility Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The duration that the received messages are hidden from subsequent retrieve requests after being retrieved by a ReceiveMessage request. The maximum is 12 hours.
+ - name: api_timeout
+ type: text
+ title: API Timeout
+ multi: false
+ required: false
+ show_user: false
+ description: The maximum duration of AWS API can take. The maximum is half of the visibility timeout value.
- name: queue_url
type: text
title: Queue URL
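Review bot: The new `visibility_timeout` and `api_timeout` vars are `type: text`, but their descriptions never say what format the duration must be given in (bare seconds, a suffixed string, …), so a user has to guess and a wrong guess only surfaces as an input error at runtime. Add the accepted syntax and one example to each description, e.g. append `Expressed as a duration string, for example 300s.` — confirm the exact syntax the aws-s3 input accepts before committing the example. The `vars:` list continues past the end of this hunk.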
@@ -22,3 +35,36 @@ streams:
required: false
show_user: false
description: Enabling this option changes the service name from `s3` to `s3-fips` for connecting to the correct service endpoint.
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - aws-vpcflow
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: max_number_of_messages
+ type: integer
+ title: Maximum Concurrent SQS Messages
+ description: The maximum number of SQS messages that can be inflight at any time.
+ default: 5
+ required: false
+ show_user: false
diff --git a/test/packages/aws/data_stream/vpcflow/sample_event.json b/test/packages/aws/data_stream/vpcflow/sample_event.json
new file mode 100644
index 0000000000..b84f7671cf
--- /dev/null
+++ b/test/packages/aws/data_stream/vpcflow/sample_event.json
@@ -0,0 +1,65 @@
+{
+ "data_stream": {
+ "namespace": "default",
+ "type": "logs",
+ "dataset": "aws.vpcflow"
+ },
+ "destination": {
+ "port": 22,
+ "address": "2001:db8:1234:a102:3304:8879:34cf:4071",
+ "ip": "2001:db8:1234:a102:3304:8879:34cf:4071"
+ },
+ "source": {
+ "address": "2001:db8:1234:a100:8d6e:3477:df66:f105",
+ "port": 34892,
+ "bytes": 8855,
+ "packets": 54,
+ "ip": "2001:db8:1234:a100:8d6e:3477:df66:f105"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "network": {
+ "community_id": "1:hXZclvxUJScaVf0xMIJR6yW6tBQ=",
+ "transport": "tcp",
+ "type": "ipv6",
+ "bytes": 8855,
+ "iana_number": "6",
+ "packets": 54
+ },
+ "cloud": {
+ "provider": "aws",
+ "account": {
+ "id": "123456789010"
+ }
+ },
+ "@timestamp": "2016-10-31T11:37:00.000Z",
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "2001:db8:1234:a100:8d6e:3477:df66:f105",
+ "2001:db8:1234:a102:3304:8879:34cf:4071"
+ ]
+ },
+ "event": {
+ "ingested": "2021-09-28T19:10:43.075027100Z",
+ "original": "2 123456789010 eni-1235b8ca123456789 2001:db8:1234:a100:8d6e:3477:df66:f105 2001:db8:1234:a102:3304:8879:34cf:4071 34892 22 6 54 8855 1477913708 1477913820 ACCEPT OK",
+ "kind": "event",
+ "start": "2016-10-31T11:35:08.000Z",
+ "end": "2016-10-31T11:37:00.000Z",
+ "type": "flow",
+ "category": "network_traffic",
+ "outcome": "allow"
+ },
+ "aws": {
+ "vpcflow": {
+ "action": "ACCEPT",
+ "account_id": "123456789010",
+ "log_status": "OK",
+ "interface_id": "eni-1235b8ca123456789",
+ "version": "2"
+ }
+ }
+}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/vpn/agent/stream/stream.yml.hbs b/test/packages/aws/data_stream/vpn/agent/stream/stream.yml.hbs
index a22a1d98e0..49496da3ae 100644
--- a/test/packages/aws/data_stream/vpn/agent/stream/stream.yml.hbs
+++ b/test/packages/aws/data_stream/vpn/agent/stream/stream.yml.hbs
@@ -29,4 +29,7 @@ latency: {{latency}}
{{/if}}
{{#if tags_filter}}
tags_filter: {{tags_filter}}
+{{/if}}
+{{#if proxy_url }}
+proxy_url: {{proxy_url}}
{{/if}}
\ No newline at end of file
diff --git a/test/packages/aws/data_stream/vpn/fields/base-fields.yml b/test/packages/aws/data_stream/vpn/fields/base-fields.yml
index 7c798f4534..6e588484d6 100644
--- a/test/packages/aws/data_stream/vpn/fields/base-fields.yml
+++ b/test/packages/aws/data_stream/vpn/fields/base-fields.yml
@@ -10,3 +10,11 @@
- name: '@timestamp'
type: date
description: Event timestamp.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: aws
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: aws.vpn
diff --git a/test/packages/aws/data_stream/vpn/fields/ecs.yml b/test/packages/aws/data_stream/vpn/fields/ecs.yml
index a02d7269c5..83e3f6f122 100644
--- a/test/packages/aws/data_stream/vpn/fields/ecs.yml
+++ b/test/packages/aws/data_stream/vpn/fields/ecs.yml
@@ -1,53 +1,24 @@
-- name: cloud
- title: Cloud
- group: 2
- type: group
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- fields:
- - name: account.id
- level: extended
- type: keyword
- description: |-
- The cloud account or organization id used to identify different entities in a multi-tenant environment.
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
- ignore_above: 1024
- - name: account.name
- level: extended
- type: keyword
- description: |-
- The cloud account name or alias used to identify different entities in a multi-tenant environment.
- Examples: AWS account name, Google Cloud ORG display name.
- ignore_above: 1024
- - name: availability_zone
- level: extended
- type: keyword
- description: Availability zone in which this host is running.
- ignore_above: 1024
- - name: instance.id
- level: extended
- type: keyword
- description: Instance ID of the host machine.
- ignore_above: 1024
- - name: machine.type
- level: extended
- type: keyword
- description: Machine type of the host machine.
- ignore_above: 1024
- - name: provider
- level: extended
- type: keyword
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- ignore_above: 1024
- - name: region
- level: extended
- type: keyword
- description: Region in which this host is running.
- ignore_above: 1024
-- name: ecs.version
- type: keyword
- description: ECS version this event conforms to.
- example: 1.0.0
- ignore_above: 1024
-- name: service.type
- type: keyword
- description: Service type
+- external: ecs
+ name: cloud
+- external: ecs
+ name: cloud.account.id
+- external: ecs
+ name: cloud.account.name
+- external: ecs
+ name: cloud.availability_zone
+- external: ecs
+ name: cloud.instance.id
+- external: ecs
+ name: cloud.machine.type
+- external: ecs
+ name: cloud.provider
+- external: ecs
+ name: cloud.region
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: error
+- external: ecs
+ name: error.message
+- external: ecs
+ name: service.type
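Review bot: Each entry in this rewritten list puts `external: ecs` before `name:`, whereas the vpcflow `fields/ecs.yml` added in the same commit writes `name:` first; both parse identically, but the two ECS reference files should share one key order so they read and diff alike — `- name: cloud.account.id` followed by `  external: ecs` matches the other file.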
diff --git a/test/packages/aws/data_stream/vpn/manifest.yml b/test/packages/aws/data_stream/vpn/manifest.yml
index 7daa957da1..aceda97431 100644
--- a/test/packages/aws/data_stream/vpn/manifest.yml
+++ b/test/packages/aws/data_stream/vpn/manifest.yml
@@ -1,5 +1,4 @@
title: AWS VPN metrics
-release: beta
type: metrics
streams:
- input: aws/metrics
diff --git a/test/packages/aws/data_stream/waf/_dev/test/pipeline/test-common-config.yml b/test/packages/aws/data_stream/waf/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 0000000000..5622947e4b
--- /dev/null
+++ b/test/packages/aws/data_stream/waf/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/test/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log b/test/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log
new file mode 100644
index 0000000000..774353168e
--- /dev/null
+++ b/test/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log
@@ -0,0 +1,4 @@
+{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"89.160.20.156","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
+{"timestamp":1592357192516,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"TestRule","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"httpRequest":{"clientIp":"89.160.20.156","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"foo","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
+{"timestamp":1592361810888,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"RG-Reference","terminatingRuleType":"GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"HEADER","matchedData":["<","frameset"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[{"ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b","terminatingRule":{"ruleId":"RuleA-XSS","action":"BLOCK","ruleMatchDetails":null},"nonTerminatingMatchingRules":[{"ruleId":"RuleB-SQLi","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"89.160.20.156","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"xssfoo","value":"