Parse more fields from elasticsearch audit log#10356
ycombinator merged 10 commits into elastic:master from ycombinator:fb-es-audit-log-more-fields
Conversation
Pinging @elastic/stack-monitoring
jenkins, test this
Breaking change or was it never released?
I think this qualifies as a breaking change. Previously we thought that the value of realm=[...] was the authenticated user's realm (es.audit.user.realm), but it turns out to be the realm that was used to test against before the user was authenticated or not (es.audit.realm).
The JSON audit logs contain both fields, but the plaintext audit logs only contain the latter one (es.audit.realm). Hence this change.
From an ES mapping perspective, we're introducing a new field here, es.audit.realm, so in that sense it's not a breaking change.
This reverts commit ab7cf63.
webmat left a comment
LGTM overall, except for message.
Since this is a structured log, without another message field in it, it can be tricky to have a good message field as a result. The current value could at least be stripped out of the timestamp. The rest is important for context (if you think about looking at this log with the log viewer).
So ideally that's the one change I would request here. Although not the end of the world if you don't have time. Getting good message fields across the board will take time.
As discussed, never mind about
Follow up to #10352 per #10352 (comment):
Accordingly, this PR adds sample lines to the structured and unstructured log file test fixtures for the elasticsearch/audit fileset and teaches the fileset to parse any new fields encountered in these sample lines.