Update the HTTP field set with ECS definitions as of beta 2

[webmat]

Caveat

• We cannot alias the Packetbeat .body fields for this migration. This is a situation similar to Filebeat's source field.
• http.request.method is not lowercased in this PR. This affects many Fb modules, Packetbeat, etc. I think it should be implemented via an index tokenizer, not by modifying _source

TODO

• Confirm the move of http bodies to ...body.content is complete
• Update documentation (see Andrew's comment)
• Changelog
• Delete x-pack/auditbeat/include/fields.go which should have been deleted in Update Auditbeat magefile.go #9724.

[ruflin]

Looks like this breaks some packetbeat tests?

[webmat]

@ruflin Yeah that's possible. I had problems running the test suite locally, so I decided to ask Jenkins and Travis for help. Hence the WIP / "in progress" ;-)

[webmat]

Error in question:

======================================================================
ERROR: Check that the http body is exported only for some http messages that have the
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/travis/gopath/src/github.com/elastic/beats/packetbeat/tests/system/test_0063_http_body.py", line 49, in test_include_body_for_both_request_response
    objs = self.read_output()
  File "/home/travis/gopath/src/github.com/elastic/beats/packetbeat/tests/system/packetbeat.py", line 122, in read_output
    self.all_fields_are_expected(jsons, self.expected_fields)
  File "/home/travis/gopath/src/github.com/elastic/beats/packetbeat/tests/system/../../../libbeat/tests/system/beat/beat.py", line 471, in all_fields_are_expected
    .format(key))
Exception: Unexpected key 'http.response.body' found

[webmat]

@andrewkroh ECS 1 Beta 2 introduced the http field set with the bodies nested a bit deeper: http.*.body.content instead of http.*.body. I've made the change in Packetbeat, and the tests are now passing. I'd like it if you could look at this, to make sure I haven't forgotten anything.

[andrewkroh]

That looks like everything w.r.t to the Packetbeat code. I'm really hoping the test coverage for http is good in Packetbeat 🤞

I think there are some mentions in the documentation that also need updated. Like here.

[webmat]

I've modified the documentation and added changelog entries in two places (Pb/breaking and All beats/Added).

I'd like to merge this as is. There's a few caveats listed in the body of this PR. One for awareness / discussion (can't alias Packetbeat's body changes), and one is for follow-up work.

[webmat]

jenkins, test this

[ruflin]

Probably better user here result.Put("body.content", string(m.body) so it creates the correct object.

[webmat]

Done. Although the rest of this file use the square bracket notation to set fields. I'm not adjusting the rest of this file.

[webmat]

@ruflin One last look needed. My understanding is that these metricbeat failures are unrelated, correct?

https://beats-ci.elastic.co/job/elastic+beats+pull-request+multijob-linux/2877/testReport/

Once I merge this PR, the rebase conflicts that leave x-pack/auditbeat/include/fields.go broken will be a thing of the past.

[webmat]

Ok just confirmed metricbeat failure is unrelated. Just got fixed by #9749

[ruflin]

@webmat Nit: Could you adjust the title of the PR so if people come back to this PR it does not say WIP and it's merged ;-)

[ruflin]

@webmat Should this also show up in the ecs migration yml file?

[webmat]

@ruflin Yes, good point about ecs-migration. I've opened #9878