Merge branch 'main' into 16343-aws-set-host

alexreal1314 · alexreal1314 · commit a71f099cc4e0 · 2026-03-16T09:30:37.000+02:00
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
@@ -4,6 +4,16 @@
     - description: Set host.id alongside host.target.entity.id in CloudTrail pipeline for entity store host entity resolution.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/17827
+- version: "6.3.2"
+  changes:
+    - description: Fix s3access ingest pipeline to handle host headers with ports and Source region field parsing.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/17748
+- version: "6.3.1"
+  changes:
+    - description: Fix CloudTrail pipeline errors causing transient json and _conf fields to leak into indexed documents by cleaning them up in the on_failure handler, preventing dynamic mapping conflicts.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/17806
 - version: "6.3.0"
   changes:
     - description: Removed ECS field definitions from CDR transform destinations, now covered by ecs@mappings component template. Renamed overridden ECS fields files to ecs-overridden.yml for awsconfig and awsinspector transforms.
diff --git a/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml
@@ -2107,3 +2107,8 @@ on_failure:
         Processor '{{{ _ingest.on_failure_processor_type }}}'
         {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
+  - remove:
+      field:
+        - json
+        - _conf
+      ignore_missing: true
diff --git a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log
@@ -9,4 +9,5 @@
 67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz "PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1" - - - 773 103 13 "-" "-" - 02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP -
 b854390a51155554b82ce2759564a1135bce83133d004f4d2001f157e13985d7 flow-log-test [25/Mar/2025:19:28:02 +0000] - AmazonS3 366DB3C4B325AB11 S3.EXPIRE.OBJECT 0/chum/_vars/logtests/PlannerModule/5f6ea3b7da96ab304a77225d5b2b2a55e54b74e4ddfdf14b9b1d853d77515b88_9febba22f08b11ef8cf6020058a9efab/2024/12/30/164700/kitt_189/_spcu_sride__state_svx__feature__flags.sst "-" - - - 317 - - "-" "-" qsEq9bDa2VyxyZ4cz0c7oBnF67VYTTij DMlPb9al4CvVBck150CgpEIIYgtSI3HC/atetNVYwPtHZffW6jfpg+BrffhbT9/B - - - - - - -
 b854390a51155554b82ce2759564a1135bce83133d004f4d2001f157e13985d7 flow-log-test [25/Mar/2025:19:28:02 +0000] - AmazonS3 366DB3C4B325AB11 S3.EXPIRE.OBJECT 0/chum/_vars/logtests/PlannerModule/5f6ea3b7da96ab304a77225d5b2b2a55e54b74e4ddfdf14b9b1d853d77515b88_9febba22f08b11ef8cf6020058a9efab/2024/12/30/164700/kitt_189/_spcu_sride__state_svx__feature__flags.sst "-" - - - 317 - - "-" "-" qsEq9bDa2VyxyZ4cz0c7oBnF67VYTTij DMlPb9al4CvVBck150CgpEIIYgtSI3HC/atetNVYwPtHZffW6jfpg+BrffhbT9/B - - - - - - Yes
-b854390a51155554b82ce2759564a1135bce83133d004f4d2001f157e13985d7 flow-log-test [25/Mar/2025:19:28:02 +0000] - AmazonS3 366DB3C4B325AB11 S3.PUT.OBJECT test/special(chars*'!%)/75*75/log.txt "-" - - - 317 - - "-" "-" qsEq9bDa2VyxyZ4cz0c7oBnF67VYTTij DMlPb9al4CvVBck150CgpEIIYgtSI3HC/atetNVYwPtHZffW6jfpg+BrffhbT9/B - - - - - - Yes
+b854390a51155554b82ce2759564a1135bce83133d004f4d2001f157e13985d7 flow-log-test [25/Mar/2025:19:28:02 +0000] - AmazonS3 366DB3C4B325AB11 S3.PUT.OBJECT test/special(chars*'!%)/75*75/log.txt "-" - - - 317 - - "-" "-" qsEq9bDa2VyxyZ4cz0c7oBnF67VYTTij DMlPb9al4CvVBck150CgpEIIYgtSI3HC/atetNVYwPtHZffW6jfpg+BrffhbT9/B - - - - - - Yes
+28bdbd9102b76c3da07c44e094b16b382f90f94be71626f4d9589b1309d2d7ef flow-log-test [09/Mar/2026:18:02:43 +0000] 89.160.20.156 - 366DB3C4B325AB11 REST.GET.BUCKET - "GET / HTTP/1.1" 403 AccessDenied 243 - 13 - "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.7499.4 Safari/537.36" - QdHzj6QLWVMoGDnJfussGKPweg8C0I2WgSv4z3pyYQdGPwWM4jl/0MXIVyrDVaWbPTC+kQDuxEQ= - - - test.s3.us-east-1.amazonaws.com:80 - - us-east-1
diff --git a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
@@ -1055,6 +1055,115 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2026-03-09T18:02:43.000Z",
+            "aws": {
+                "s3access": {
+                    "bucket": "flow-log-test",
+                    "bucket_owner": "28bdbd9102b76c3da07c44e094b16b382f90f94be71626f4d9589b1309d2d7ef",
+                    "bytes_sent": 243,
+                    "error_code": "AccessDenied",
+                    "host_header": "test.s3.us-east-1.amazonaws.com:80",
+                    "host_id": "QdHzj6QLWVMoGDnJfussGKPweg8C0I2WgSv4z3pyYQdGPwWM4jl/0MXIVyrDVaWbPTC+kQDuxEQ=",
+                    "http_status": 403,
+                    "operation": "REST.GET.BUCKET",
+                    "remote_ip": "89.160.20.156",
+                    "request_id": "366DB3C4B325AB11",
+                    "request_uri": "GET / HTTP/1.1",
+                    "source_region": "us-east-1",
+                    "total_time": 13,
+                    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.7499.4 Safari/537.36"
+                }
+            },
+            "client": {
+                "address": "89.160.20.156",
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.156"
+            },
+            "cloud": {
+                "provider": "aws",
+                "region": "us-east-1"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "REST.GET.BUCKET",
+                "category": [
+                    "web"
+                ],
+                "code": "AccessDenied",
+                "duration": 13000000,
+                "id": "366DB3C4B325AB11",
+                "kind": "event",
+                "original": "28bdbd9102b76c3da07c44e094b16b382f90f94be71626f4d9589b1309d2d7ef flow-log-test [09/Mar/2026:18:02:43 +0000] 89.160.20.156 - 366DB3C4B325AB11 REST.GET.BUCKET - \"GET / HTTP/1.1\" 403 AccessDenied 243 - 13 - \"-\" \"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.7499.4 Safari/537.36\" - QdHzj6QLWVMoGDnJfussGKPweg8C0I2WgSv4z3pyYQdGPwWM4jl/0MXIVyrDVaWbPTC+kQDuxEQ= - - - test.s3.us-east-1.amazonaws.com:80 - - us-east-1",
+                "outcome": "failure",
+                "type": [
+                    "access"
+                ]
+            },
+            "geo": {
+                "city_name": "Linköping",
+                "continent_name": "Europe",
+                "country_iso_code": "SE",
+                "country_name": "Sweden",
+                "location": {
+                    "lat": 58.4167,
+                    "lon": 15.6167
+                },
+                "region_iso_code": "SE-E",
+                "region_name": "Östergötland County"
+            },
+            "http": {
+                "request": {
+                    "method": "GET"
+                },
+                "response": {
+                    "body": {
+                        "bytes": 243
+                    },
+                    "status_code": 403
+                },
+                "version": "1.1"
+            },
+            "related": {
+                "ip": [
+                    "89.160.20.156"
+                ],
+                "user": [
+                    "28bdbd9102b76c3da07c44e094b16b382f90f94be71626f4d9589b1309d2d7ef"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "original": "/",
+                "path": "/"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "HeadlessChrome",
+                "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/143.0.7499.4 Safari/537.36",
+                "os": {
+                    "name": "Linux"
+                },
+                "version": "143.0.7499"
+            }
         }
     ]
 }
diff --git a/packages/aws/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/s3access/elasticsearch/ingest_pipeline/default.yml
@@ -1,5 +1,5 @@
 ---
-description: "Pipeline for s3 server access logs"
+description: "Pipeline for S3 server access logs"
 
 processors:
   - set:
@@ -33,14 +33,16 @@ processors:
           (?:-|%{NUMBER:aws.s3access.object_size:long}) (?:-|%{NUMBER:aws.s3access.total_time:long}) (?:-|%{NUMBER:aws.s3access.turn_around_time:long})
           (?:-|\"-\"|\"%{DATA:aws.s3access.referrer}\") (?:-|\"(-|%{DATA:aws.s3access.user_agent})\") (?:-|%{S3KEY:aws.s3access.version_id})
           (?:-|%{S3ID:aws.s3access.host_id}) (?:-|%{S3VERSION:aws.s3access.signature_version}) (?:-|%{S3KEY:aws.s3access.cipher_suite})
-          (?:-|%{WORD:aws.s3access.authentication_type}) (?:-|%{S3ID:aws.s3access.host_header}) (?:-|%{S3VERSION:aws.s3access.tls_version})(?: (?:-|%{S3REQUESTER:aws.s3access.access_point_arn}))?(?: (?:-|%{WORD:aws.s3access.aclrequired}))?
+          (?:-|%{WORD:aws.s3access.authentication_type}) (?:-|%{S3ID:aws.s3access.host_header}) (?:-|%{S3VERSION:aws.s3access.tls_version})(?: (?:-|%{S3REQUESTER:aws.s3access.access_point_arn}))?(?: (?:-|%{S3ACLREQUIRED:aws.s3access.aclrequired}))?(?: (?:-|%{S3REGION:aws.s3access.source_region}))?(?: %{S3REGION:aws.s3access.source_region})?
       pattern_definitions:
         S3REQUESTER: "[a-zA-Z0-9\\/_\\.\\-%:@]+"
         S3REQUESTID: "[a-zA-Z0-9]+"
         S3OPERATION: "%{WORD}.%{WORD}.%{WORD}"
         S3KEY: "[a-zA-Z0-9\\/\\_\\!\\-\\.\\*\\'\\(\\)\\%\\+]+"
-        S3ID: "[a-zA-Z0-9\\/_\\.\\-%+=]+"
+        S3ID: "[a-zA-Z0-9\\/_\\.\\-%+=:]+"
         S3VERSION: "[a-zA-Z0-9.]+"
+        S3ACLREQUIRED: "(-|Yes)"
+        S3REGION: "[a-zA-Z][a-zA-Z0-9-]*"
   - grok:
       field: aws.s3access.host_header
       ignore_missing: true
@@ -187,6 +189,10 @@ processors:
       field: aws.s3access.aclrequired
       value: '{{aws.s3access.aclrequired}}'
       ignore_empty_value: true
+  - set:
+      field: aws.s3access.source_region
+      value: '{{aws.s3access.source_region}}'
+      ignore_empty_value: true
   - set:
       field: cloud.provider
       value: aws
diff --git a/packages/aws/data_stream/s3access/fields/fields.yml b/packages/aws/data_stream/s3access/fields/fields.yml
@@ -97,6 +97,10 @@
       type: keyword
       description: |
         Whether the ACL was required for the request.
+    - name: source_region
+      type: keyword
+      description: |
+        The AWS Region from which the request originated.
     - name: access_point_arn
       type: keyword
       description: |
diff --git a/packages/aws/docs/s3.md b/packages/aws/docs/s3.md
@@ -82,6 +82,7 @@ Refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ec
 | aws.s3access.request_uri | The Request-URI part of the HTTP request message. | keyword |
 | aws.s3access.requester | The canonical user ID of the requester, or a - for unauthenticated requests. | keyword |
 | aws.s3access.signature_version | The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests. | keyword |
+| aws.s3access.source_region | The AWS Region from which the request originated. | keyword |
 | aws.s3access.tls_version | The Transport Layer Security (TLS) version negotiated by the client. | keyword |
 | aws.s3access.total_time | The total amount of time in milliseconds the request was in flight from the server's perspective. | long |
 | aws.s3access.turn_around_time | The total amount of time in milliseconds that Amazon S3 spent processing your request. | long |
diff --git a/packages/gitlab/changelog.yml b/packages/gitlab/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.0"
+  changes:
+    - description: Add explicit template_path to data streams using filestream input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17752
 - version: "2.4.0"
   changes:
     - description: Remove the `forwarded` tag from filestream input by default.
diff --git a/packages/gitlab/data_stream/audit/manifest.yml b/packages/gitlab/data_stream/audit/manifest.yml
@@ -2,6 +2,7 @@ title: "Audit"
 type: logs
 streams:
   - input: filestream
+    template_path: filestream.yml.hbs
     title: GitLab Audit Logs
     description: Gitlab Audit Logs
     vars:
diff --git a/packages/gitlab/data_stream/auth/manifest.yml b/packages/gitlab/data_stream/auth/manifest.yml
@@ -2,6 +2,7 @@ title: "Auth"
 type: logs
 streams:
   - input: filestream
+    template_path: filestream.yml.hbs
     title: GitLab Auth Logs
     description: GitLab Auth Logs
     vars:
diff --git a/packages/gitlab/manifest.yml b/packages/gitlab/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.1.3
 name: gitlab
 title: GitLab
-version: "2.4.0"
+version: "2.5.0"
 description: Collect logs from GitLab with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/microsoft_exchange_server/changelog.yml b/packages/microsoft_exchange_server/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.0"
+  changes:
+    - description: Add explicit template_path to data streams using filestream input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/17752
 - version: "1.4.1"
   changes:
     - description: Fix the input templates to correctly include custom processors.
diff --git a/packages/microsoft_exchange_server/data_stream/httpproxy/manifest.yml b/packages/microsoft_exchange_server/data_stream/httpproxy/manifest.yml
@@ -2,6 +2,7 @@ title: "Exchange HTTPProxy"
 type: logs
 streams:
   - input: filestream
+    template_path: filestream.yml.hbs
     title: Exchange HTTPProxy Logs
     description: Collects HTTPProxy Logs
     vars:
diff --git a/packages/microsoft_exchange_server/data_stream/imap4_pop3/manifest.yml b/packages/microsoft_exchange_server/data_stream/imap4_pop3/manifest.yml
@@ -2,6 +2,7 @@ title: "Exchange Server IMAP4 POP3"
 type: logs
 streams:
   - input: filestream
+    template_path: filestream.yml.hbs
     title: Exchange Server IMAP4 POP3 Logs
     description: Collect Exchange Server IMAP4 POP3 logs
     vars:
diff --git a/packages/microsoft_exchange_server/data_stream/messagetracking/manifest.yml b/packages/microsoft_exchange_server/data_stream/messagetracking/manifest.yml
@@ -2,6 +2,7 @@ title: "Exchange Messagetracking"
 type: logs
 streams:
   - input: filestream
+    template_path: filestream.yml.hbs
     title: Exchange Messagetracking Logs
     description: Collect Exchange Messagetracking logs
     vars:
diff --git a/packages/microsoft_exchange_server/data_stream/smtp/manifest.yml b/packages/microsoft_exchange_server/data_stream/smtp/manifest.yml
@@ -2,6 +2,7 @@ title: "Exchange SMTP"
 type: logs
 streams:
   - input: filestream
+    template_path: filestream.yml.hbs
     title: Exchange SMTP logs
     description: Collect Exchange SMTP logs
     vars:
diff --git a/packages/microsoft_exchange_server/manifest.yml b/packages/microsoft_exchange_server/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: microsoft_exchange_server
 title: "Microsoft Exchange Server"
-version: "1.4.1"
+version: "1.5.0"
 source:
   license: "Elastic-2.0"
 description: Collect logs from Microsoft Exchange Server with Elastic Agent.
