[elasticsearch] add static and pipeline tests

packages/elasticsearch/_dev/deploy/docker/scripts/generate-logs.sh

@@ -125,5 +125,5 @@ do
       }
   }'
 
-  sleep 5
+  sleep 10
 done

packages/elasticsearch/data_stream/audit/_dev/test/pipeline/test-audit-logs.log

@@ -0,0 +1,3 @@
+{"type":"audit", "timestamp":"2022-09-04T22:54:53,028+0000", "cluster.uuid":"sh0FdC0tRUGgzD6U7OsO3g", "node.id":"rsRsMdvhREeQqLkk3twtqA", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"172.19.0.3:48524", "request.id":"sdzMxhL5Rga_wTaN7_pfsw", "action":"indices:admin/create", "request.name":"CreateIndexRequest", "indices":["test_2"]}
+{"type":"audit", "timestamp":"2022-09-04T22:54:53,034+0000", "cluster.uuid":"sh0FdC0tRUGgzD6U7OsO3g", "node.id":"rsRsMdvhREeQqLkk3twtqA", "event.type":"rest", "event.action":"anonymous_access_denied", "origin.type":"rest", "origin.address":"172.19.0.3:48526", "url.path":"/test_3", "request.method":"PUT", "request.id":"kDWih8w0SC6mY7Q5ExEI2w", "opaque_id":"myApp1", "trace.id":"0af7651916cd43dd8448eb211c80319c"}
+{"type":"audit", "timestamp":"2022-09-04T22:54:53,040+0000", "cluster.uuid":"sh0FdC0tRUGgzD6U7OsO3g", "node.id":"rsRsMdvhREeQqLkk3twtqA", "event.type":"transport", "event.action":"access_granted", "authentication.type":"REALM", "user.name":"elastic", "user.realm":"reserved", "user.roles":["superuser"], "origin.type":"rest", "origin.address":"172.19.0.3:48528", "request.id":"fTP-0rxJQyyZUNGIs4Hpdg", "action":"indices:admin/create", "request.name":"CreateIndexRequest", "indices":["testindex2"], "opaque_id":"myAppId", "trace.id":"0af7651916cd43dd8448eb211c80319c"}

packages/elasticsearch/data_stream/audit/_dev/test/pipeline/test-audit-logs.log-expected.json

@@ -0,0 +1,201 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2022-09-04T22:54:53.028Z",
+            "elasticsearch": {
+                "audit": {
+                    "action": "indices:admin/create",
+                    "authentication.type": "REALM",
+                    "cluster": {},
+                    "event": {},
+                    "indices": [
+                        "test_2"
+                    ],
+                    "layer": "transport",
+                    "origin": {},
+                    "origin.type": "rest",
+                    "request": {
+                        "id": "sdzMxhL5Rga_wTaN7_pfsw"
+                    },
+                    "request.name": "CreateIndexRequest",
+                    "user": {},
+                    "user.realm": "reserved",
+                    "user.roles": [
+                        "superuser"
+                    ]
+                },
+                "cluster": {
+                    "uuid": "sh0FdC0tRUGgzD6U7OsO3g"
+                },
+                "node": {
+                    "id": "rsRsMdvhREeQqLkk3twtqA"
+                }
+            },
+            "event": {
+                "action": "access_granted",
+                "category": "database",
+                "ingested": "2022-09-04T23:00:22.485831147Z",
+                "kind": "event",
+                "outcome": "success"
+            },
+            "host": {
+                "id": "rsRsMdvhREeQqLkk3twtqA"
+            },
+            "http": {
+                "request": {
+                    "id": "sdzMxhL5Rga_wTaN7_pfsw"
+                }
+            },
+            "log": {
+                "level": "info"
+            },
+            "message": "{\"type\":\"audit\", \"timestamp\":\"2022-09-04T22:54:53,028+0000\", \"cluster.uuid\":\"sh0FdC0tRUGgzD6U7OsO3g\", \"node.id\":\"rsRsMdvhREeQqLkk3twtqA\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"authentication.type\":\"REALM\", \"user.name\":\"elastic\", \"user.realm\":\"reserved\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"172.19.0.3:48524\", \"request.id\":\"sdzMxhL5Rga_wTaN7_pfsw\", \"action\":\"indices:admin/create\", \"request.name\":\"CreateIndexRequest\", \"indices\":[\"test_2\"]}",
+            "related": {
+                "user": [
+                    "elastic"
+                ]
+            },
+            "service": {
+                "type": "elasticsearch"
+            },
+            "source": {
+                "address": "172.19.0.3:48524",
+                "ip": "172.19.0.3",
+                "port": 48524
+            },
+            "user": {
+                "name": "elastic"
+            }
+        },
+        {
+            "@timestamp": "2022-09-04T22:54:53.034Z",
+            "elasticsearch": {
+                "audit": {
+                    "cluster": {},
+                    "event": {},
+                    "layer": "rest",
+                    "opaque_id": "myApp1",
+                    "origin": {},
+                    "origin.type": "rest",
+                    "request": {
+                        "id": "kDWih8w0SC6mY7Q5ExEI2w"
+                    },
+                    "trace": {},
+                    "url": {}
+                },
+                "cluster": {
+                    "uuid": "sh0FdC0tRUGgzD6U7OsO3g"
+                },
+                "node": {
+                    "id": "rsRsMdvhREeQqLkk3twtqA"
+                }
+            },
+            "event": {
+                "action": "anonymous_access_denied",
+                "category": "database",
+                "ingested": "2022-09-04T23:00:22.485849152Z",
+                "kind": "event",
+                "outcome": "failure"
+            },
+            "host": {
+                "id": "rsRsMdvhREeQqLkk3twtqA"
+            },
+            "http": {
+                "request": {
+                    "id": "kDWih8w0SC6mY7Q5ExEI2w",
+                    "method": "PUT"
+                }
+            },
+            "log": {
+                "level": "info"
+            },
+            "message": "{\"type\":\"audit\", \"timestamp\":\"2022-09-04T22:54:53,034+0000\", \"cluster.uuid\":\"sh0FdC0tRUGgzD6U7OsO3g\", \"node.id\":\"rsRsMdvhREeQqLkk3twtqA\", \"event.type\":\"rest\", \"event.action\":\"anonymous_access_denied\", \"origin.type\":\"rest\", \"origin.address\":\"172.19.0.3:48526\", \"url.path\":\"/test_3\", \"request.method\":\"PUT\", \"request.id\":\"kDWih8w0SC6mY7Q5ExEI2w\", \"opaque_id\":\"myApp1\", \"trace.id\":\"0af7651916cd43dd8448eb211c80319c\"}",
+            "service": {
+                "type": "elasticsearch"
+            },
+            "source": {
+                "address": "172.19.0.3:48526",
+                "ip": "172.19.0.3",
+                "port": 48526
+            },
+            "trace": {
+                "id": "0af7651916cd43dd8448eb211c80319c"
+            },
+            "url": {
+                "original": "/test_3"
+            }
+        },
+        {
+            "@timestamp": "2022-09-04T22:54:53.040Z",
+            "elasticsearch": {
+                "audit": {
+                    "action": "indices:admin/create",
+                    "authentication.type": "REALM",
+                    "cluster": {},
+                    "event": {},
+                    "indices": [
+                        "testindex2"
+                    ],
+                    "layer": "transport",
+                    "opaque_id": "myAppId",
+                    "origin": {},
+                    "origin.type": "rest",
+                    "request": {
+                        "id": "fTP-0rxJQyyZUNGIs4Hpdg"
+                    },
+                    "request.name": "CreateIndexRequest",
+                    "trace": {},
+                    "user": {},
+                    "user.realm": "reserved",
+                    "user.roles": [
+                        "superuser"
+                    ]
+                },
+                "cluster": {
+                    "uuid": "sh0FdC0tRUGgzD6U7OsO3g"
+                },
+                "node": {
+                    "id": "rsRsMdvhREeQqLkk3twtqA"
+                }
+            },
+            "event": {
+                "action": "access_granted",
+                "category": "database",
+                "ingested": "2022-09-04T23:00:22.485851956Z",
+                "kind": "event",
+                "outcome": "success"
+            },
+            "host": {
+                "id": "rsRsMdvhREeQqLkk3twtqA"
+            },
+            "http": {
+                "request": {
+                    "id": "fTP-0rxJQyyZUNGIs4Hpdg"
+                }
+            },
+            "log": {
+                "level": "info"
+            },
+            "message": "{\"type\":\"audit\", \"timestamp\":\"2022-09-04T22:54:53,040+0000\", \"cluster.uuid\":\"sh0FdC0tRUGgzD6U7OsO3g\", \"node.id\":\"rsRsMdvhREeQqLkk3twtqA\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"authentication.type\":\"REALM\", \"user.name\":\"elastic\", \"user.realm\":\"reserved\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"172.19.0.3:48528\", \"request.id\":\"fTP-0rxJQyyZUNGIs4Hpdg\", \"action\":\"indices:admin/create\", \"request.name\":\"CreateIndexRequest\", \"indices\":[\"testindex2\"], \"opaque_id\":\"myAppId\", \"trace.id\":\"0af7651916cd43dd8448eb211c80319c\"}",
+            "related": {
+                "user": [
+                    "elastic"
+                ]
+            },
+            "service": {
+                "type": "elasticsearch"
+            },
+            "source": {
+                "address": "172.19.0.3:48528",
+                "ip": "172.19.0.3",
+                "port": 48528
+            },
+            "trace": {
+                "id": "0af7651916cd43dd8448eb211c80319c"
+            },
+            "user": {
+                "name": "elastic"
+            }
+        }
+    ]
+}

packages/elasticsearch/data_stream/audit/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,2 @@
+dynamic_fields:
+  event.ingested: ".*"

packages/elasticsearch/data_stream/audit/elasticsearch/ingest_pipeline/default.yml

@@ -7,6 +7,7 @@ processors:
   - set:
       copy_from: "@timestamp"
       field: event.created
+      ignore_empty_value: true
   - grok:
       field: message
       patterns:
@@ -17,7 +18,7 @@ processors:
       if: ctx.first_char != '{'
   - pipeline:
       if: ctx.first_char == '{'
-      name: '{< IngestPipeline "pipeline-json" >}'
+      name: '{{ IngestPipeline "pipeline-json" }}'
   - set:
       field: event.kind
       value: event

packages/elasticsearch/data_stream/audit/fields/ecs.yml

@@ -1,3 +1,5 @@
+- external: ecs
+  name: ecs.version
 - external: ecs
   name: http
 - external: ecs
@@ -14,3 +16,21 @@
   name: user
 - external: ecs
   name: user.name
+- external: ecs
+  name: http.request.id
+- external: ecs
+  name: http.request.method
+- external: ecs
+  name: log.file.path
+- external: ecs
+  name: log.level
+- external: ecs
+  name: service.type
+- external: ecs
+  name: source.address
+- external: ecs
+  name: source.port
+- external: ecs
+  name: trace.id
+- external: ecs
+  name: message

packages/elasticsearch/data_stream/audit/fields/fields.yml

@@ -1,6 +1,10 @@
 - name: elasticsearch.audit
   type: group
   fields:
+    - name: authentication.type
+      type: keyword
+    - name: opaque_id
+      type: keyword
     - name: layer
       type: keyword
       description: 'The layer from which this event originated: rest, transport or ip_filter'

packages/elasticsearch/data_stream/audit/fields/package-fields.yml

@@ -1,3 +1,9 @@
+- name: input.type
+  type: keyword
+- name: log.offset
+  type: long
+- name: related.user
+  type: keyword
 - name: elasticsearch
   type: group
   fields:

packages/elasticsearch/data_stream/audit/sample_event.json

@@ -0,0 +1,113 @@
+{
+    "@timestamp": "2022-09-01T19:20:17.967Z",
+    "agent": {
+        "ephemeral_id": "ec83bfa3-8e61-430e-91ca-dc784bfa56c0",
+        "id": "97025ce1-28a3-4aeb-926b-ed68301fc4d2",
+        "name": "docker-fleet-agent",
+        "type": "filebeat",
+        "version": "8.5.0"
+    },
+    "data_stream": {
+        "dataset": "elasticsearch.audit",
+        "namespace": "ep",
+        "type": "logs"
+    },
+    "ecs": {
+        "version": "1.10.0"
+    },
+    "elastic_agent": {
+        "id": "97025ce1-28a3-4aeb-926b-ed68301fc4d2",
+        "snapshot": true,
+        "version": "8.5.0"
+    },
+    "elasticsearch": {
+        "audit": {
+            "action": "cluster:monitor/main",
+            "authentication.type": "REALM",
+            "cluster": {},
+            "event": {},
+            "layer": "transport",
+            "origin": {},
+            "origin.type": "rest",
+            "request": {
+                "id": "YCHBXylbRnSC3Vc8-f3sIA"
+            },
+            "request.name": "MainRequest",
+            "user": {},
+            "user.realm": "reserved",
+            "user.roles": [
+                "superuser"
+            ]
+        },
+        "cluster": {
+            "uuid": "wkVNYOctQ8mbbp1EkrFjKw"
+        },
+        "node": {
+            "id": "VdwTr-luTomz8dDpOp2OJQ"
+        }
+    },
+    "event": {
+        "action": "access_granted",
+        "agent_id_status": "verified",
+        "category": "database",
+        "created": "2022-09-01T19:20:39.899Z",
+        "dataset": "elasticsearch.audit",
+        "ingested": "2022-09-01T19:20:43Z",
+        "kind": "event",
+        "outcome": "success"
+    },
+    "host": {
+        "architecture": "x86_64",
+        "containerized": true,
+        "hostname": "docker-fleet-agent",
+        "id": "VdwTr-luTomz8dDpOp2OJQ",
+        "ip": [
+            "172.21.0.7"
+        ],
+        "mac": [
+            "02:42:ac:15:00:07"
+        ],
+        "name": "docker-fleet-agent",
+        "os": {
+            "codename": "focal",
+            "family": "debian",
+            "kernel": "5.10.47-linuxkit",
+            "name": "Ubuntu",
+            "platform": "ubuntu",
+            "type": "linux",
+            "version": "20.04.4 LTS (Focal Fossa)"
+        }
+    },
+    "http": {
+        "request": {
+            "id": "YCHBXylbRnSC3Vc8-f3sIA"
+        }
+    },
+    "input": {
+        "type": "log"
+    },
+    "log": {
+        "file": {
+            "path": "/tmp/service_logs/elasticsearch_audit.json"
+        },
+        "level": "info",
+        "offset": 0
+    },
+    "message": "{\"type\":\"audit\", \"timestamp\":\"2022-09-01T19:20:17,967+0000\", \"cluster.uuid\":\"wkVNYOctQ8mbbp1EkrFjKw\", \"node.id\":\"VdwTr-luTomz8dDpOp2OJQ\", \"event.type\":\"transport\", \"event.action\":\"access_granted\", \"authentication.type\":\"REALM\", \"user.name\":\"elastic\", \"user.realm\":\"reserved\", \"user.roles\":[\"superuser\"], \"origin.type\":\"rest\", \"origin.address\":\"127.0.0.1:53716\", \"request.id\":\"YCHBXylbRnSC3Vc8-f3sIA\", \"action\":\"cluster:monitor/main\", \"request.name\":\"MainRequest\"}",
+    "related": {
+        "user": [
+            "elastic"
+        ]
+    },
+    "service": {
+        "type": "elasticsearch"
+    },
+    "source": {
+        "address": "127.0.0.1:53716",
+        "ip": "127.0.0.1",
+        "port": 53716
+    },
+    "user": {
+        "name": "elastic"
+    }
+}