[AWS][Cloudfront Logs] - Implemented GROK processor based ipv6/v4 parsing in AWS Cloudfront Logs data stream

[ShourieG]

Type of change

Please label this PR with one of the following labels, depending on the scope of your change:

• Bug
• enhancement

Proposed commit message

• WHAT: Implemented GROK processor based ipv6/v4 parsing. Cleaned up formatting issues across all data streams via elastic-package format.

• WHY: The regex pattern used for the ipv6 was overtly complex and caused errors in Elasticsearch. The cleanup was a byproduct of running elastic-package format.

• HOW: A new helper pipeline was added containing this new grok processor and helper scripts which are invoked in a foreach processor from the parent pipeline. This approach had to be taken because with existing limitations of one sub processor per foreach and grok being unable to append to existing lists/arrays.

The Elasticsearch error produced is as follows:-

Processor 'conditional' failed with message '[scripting] Regular expression considered too many characters, pattern: [((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(250-5){3})){3})/)|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(250-5){3})){3})/)|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(250-5){3}))){3}))/)|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(250-5){3}))){3}))/)|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(250-5){3}))){3}))/)|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(250-5){3}))){3}))/)|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(.(250-5){3}))){3}))/)|:)))(%.+)??$], limit factor: [6], char limit: [114], count: [115], wrapped: [2a06:98c0:3600::103], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting'

NOTE

The latest commit - elastic-packge build cleaned up a lot of formatting issues, hence there are added changes across many data streams. I think these are good in the long run hence kept them in.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes https://github.com/elastic/enhancements/issues/23228
• Relates https://github.com/elastic/enhancements/issues/23228

Screenshots

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[kcreddy]

There are several IPV6 addresses that are failing with current change, but are successfully matched by previous regex.
Examples:

1::
1:2:3:4:5:6:7::
1::7:8
1:2:3:4:5::7:8
1::6:7:8
1:2:3:4::6:7:8
1::5:6:7:8
1:2:3::5:6:7:8
1::4:5:6:7:8
1:2::4:5:6:7:8
1::3:4:5:6:7:8
::2:3:4:5:6:7:8

Examples taken from here

[kcreddy]

@ShourieG , would be it possible to replace the script processor with foreach and grok with on_failure to use the default IPV6 pattern provided by the logstash?

[ShourieG]

would be it possible to replace the script processor with foreach and grok with on_failure to use the default IPV6 pattern provided by the logstash?

@kcreddy, should we try it for both ipv4/v6 or only ipv6 and leave ipv4 as it is currently ?

[kcreddy]

@kcreddy, should we try it for both ipv4/v6 or only ipv6 and leave ipv4 as it is currently ?

Makes sense to try for both and use default IPV4 and IPV6 pattern provided. Example in use. It also helps to keep the pattern in sync in case of any future changes to it at source.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[ShourieG]

@kcreddy, have updated the logic with a relevant GROK processor but still some scripts were required for cleanup and handling the localhost edge-case scenario. There are some removals in the ip section based on the GROK patterns.

[kcreddy]

We could have the same conditional thats used in original script processor.
if: ctx._tmp?.x_forwarded_for != null && ctx._tmp.x_forwarded_for != '-'

[kcreddy]

Just a nit, LGTM 👍🏼

Could you also add the exact error to the PR.

[kcreddy]

Could possibly take the array-existence check to the base pipeline so that it is not run for every entry.
Or could also change script to append with allow_duplicates: false to be cleaner.
Same for invalid IPs.

[efd6]

Suggested commit message body.

The regex pattern used for the ipv6 was overly complex and caused errors in
Elasticsearch. This change simplifies and fixes the grok-based IPv4/IPv4
parsing by adding a new helper pipeline invoked iteratively over ip fields
via a foreach. Also add a painless script to handle 'localhost' literal
addresses.

Also run elastic-package format.

I think that probably the format should have been in a separate PR.

[efd6]

Suggested change

	description: handle 'localhost' edge case scenario, currently not handled via grok
	description: Handle 'localhost' edge case, currently not handled via grok.

[agithomas]

LGTM!

Just a suggestion: Can we consider adding a sample or samples to the pipeline test to capture the pattern observed in the reported issue, handling of localhost etc?

[agithomas]

Approved with comments.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: f7ae0bba7e9943fce9761be3524dc0973cdab818

History

• 💚 Build #18634 succeeded 3328d815eb6cfa58549b89b82a7206ec3069a8c9
• 💚 Build #18613 succeeded 7d36c97b9d1ab3f47b32270cd23ad378217191fd
• 💔 Build #18609 failed dd3e19759c44a5c9a45f17e9bf500af71c44bb78
• 💚 Build #18603 succeeded 3cf60a7f3d4bb50b415a91fe50e1b98bbb8d6df1

cc @ShourieG

[elastic-sonarqube]

Quality Gate failed

Failed conditions
74.6% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[ShourieG]

LGTM!

Just a suggestion: Can we consider adding a sample or samples to the pipeline test to capture the pattern observed in the reported issue, handling of localhost etc?

Current tests already contain the localhost pattern @agithomas. The reported issue on the other hand was reporting errors with the existing regex pattern when compiling in elasticsearch.

[elastic-vault-github-plugin-prod]

Package aws - 2.32.0 containing this change is available at https://epr.elastic.co/package/aws/2.32.0/