Drop not audit logs in elasticsearch/audit fileset ingest pipeline

[tetianakravchenko]

Signed-off-by: Tetiana Kravchenko tetiana.kravchenko@elastic.co

What does this PR do?

drop log message in elasticsearch/audit ingest pipeline if it is not an audit log.

in ingest pipelines there are defined drop as a first step - for server, slowlog, and deprecation

there is no drop defined for audit logs - https://github.com/elastic/beats/blob/master/filebeat/module/elasticsearch/audit/ingest/pipeline-json.yml

as a result there might be logs duplications - as described in #16540
note: it is not related to the kubernetes itself, in case audit and other log will be written to the same file - there will be the same problem.

Why is it important?

Avoid logs duplication in different filesets.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Related issues

• Closes [Filebeat] Elasticsearch Module w/ Kubernetes Autodiscover Causes Logs in Incorrect Fieldsets #16540

Use cases

Screenshots

Before adjustments:

After:

Logs

[mergify]

This pull request does not have a backport label. Could you fix it @tetianakravchenko? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[tetianakravchenko]

it would be much easier to use ctx.elasticsearch.audit.type != 'audit', but as I see this field was introduced only in version 7.3 - elastic/elasticsearch#42887 (docker - https://github.com/elastic/elasticsearch/blob/7.3/distribution/docker/docker-build-context/src/docker/config/log4j2.properties and in core - https://github.com/elastic/elasticsearch/blob/7.3/x-pack/plugin/core/src/main/config/log4j2.properties#L6), in version 7.1 it was not yet available https://github.com/elastic/elasticsearch/blob/7.1/x-pack/plugin/core/src/main/config/log4j2.properties

would it maybe be file to drop support for < 7.3 ?

from the doc it looks like event.type should be a good filter for audit logs, or am I missing smth?

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-02-07T12:35:19.133+0000

• Duration: 40 min 47 sec

Test stats 🧪

Test	Results
Failed	0
Passed	980
Skipped	192
Total	1172

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[elasticmachine]

Pinging @elastic/stack-monitoring (Stack monitoring)

[matschaffer]

Makes some sense to me. Thinking it might be good to have @pgomulka review this, especially since he recently helped pull log samples for ES 8.0

[pgomulka]

I left few questions

[pgomulka]

LGTM

[tetianakravchenko]

/test

[tetianakravchenko]

/test