adding grok for awss3 access

gizas · gizas · commit c853b079a4d1 · 2025-04-09T18:29:14.000+03:00
Signed-off-by: Andreas Gkizas &lt;andreas.gkizas@elastic.co&gt;
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
@@ -1,9 +1,9 @@
 # newer versions go on top
 - version: "2.45.2"
   changes:
-    - description: Fix grok pattern for AWS S3 access 
-      type: bugfix
-      link: https://github.com/elastic/integrations/pull/13350
+    - description: Update grok pattern for AWS S3 access ingest pipeline
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13486
 - version: "2.45.1"
   changes:
     - description: Fix handling of SQS worker count configuration.
diff --git a/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json b/packages/aws/data_stream/s3access/_dev/test/pipeline/test-s3-server-access.log-expected.json
@@ -753,6 +753,85 @@
                 "original": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz",
                 "path": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz"
             }
+        },
+        {
+            "@timestamp": "2021-07-14T18:57:31.000Z",
+            "aws": {
+                "s3access": {
+                    "aclrequired": "Yes",
+                    "authentication_type": "AuthHeader",
+                    "bucket": "flow-log-test",
+                    "bucket_owner": "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b",
+                    "cipher_suite": "ECDHE-RSA-AES128-GCM-SHA256",
+                    "host_header": "flow-log-test.s3.us-gov-west-1.amazonaws.com",
+                    "host_id": "02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4=",
+                    "http_status": 200,
+                    "key": "AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz",
+                    "object_size": 773,
+                    "operation": "REST.PUT.OBJECT",
+                    "point_arn": "arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP",
+                    "request_id": "MVGXZXEVN3IG9S24",
+                    "request_uri": "PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1",
+                    "requester": "svc:delivery.logs.amazonaws.com",
+                    "signature_version": "SigV4",
+                    "tls_version": "TLSv1.2",
+                    "total_time": 103,
+                    "turn_around_time": 13
+                }
+            },
+            "client": {
+                "user": {
+                    "id": "svc:delivery.logs.amazonaws.com"
+                }
+            },
+            "cloud": {
+                "provider": "aws",
+                "region": "us-gov-west-1"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "REST.PUT.OBJECT",
+                "category": [
+                    "web"
+                ],
+                "duration": 103000000,
+                "id": "MVGXZXEVN3IG9S24",
+                "kind": "event",
+                "original": "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b flow-log-test [14/Jul/2021:18:57:31 +0000] - svc:delivery.logs.amazonaws.com MVGXZXEVN3IG9S24 REST.PUT.OBJECT AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-_20210713T1855Z_f12aa632.log.gz \"PUT /AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz HTTP/1.1\" 200 - - 773 103 13 \"-\" \"-\" - 02SxwfXpO5UysN0GsKGa3uGDQ6E/W7+Hwo/luRH8p1VEexULoe66RCM+nja0dEq2JqLrtgjocvVRRkVt4= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader flow-log-test.s3.us-gov-west-1.amazonaws.com TLSv1.2 arn:aws:s3:us-west-1:123456789012:accesspoint/example-AP Yes",
+                "outcome": "success",
+                "type": [
+                    "access"
+                ]
+            },
+            "http": {
+                "request": {
+                    "method": "PUT"
+                },
+                "response": {
+                    "status_code": 200
+                },
+                "version": "1.1"
+            },
+            "related": {
+                "user": [
+                    "67797214d75628047d9c76b18a78cded1a4b069b71f2a9d5a53649c38da8770b"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "tls": {
+                "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+                "version": "1.2",
+                "version_protocol": "tls"
+            },
+            "url": {
+                "extension": "gz",
+                "original": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz",
+                "path": "/AWSLogs/000000000000/vpcflowlogs/us-gov-east-1/2021/07/13/000000000000_vpcflowlogs_us-gov-east-1_fl-0e7c13bf00cf15bfe_20210713T1855Z_f12aa632.log.gz"
+            }
         }
     ]
 }
