[Custom AWS Logs] Add multiline support for aws-s3 input

[kaiyan-sheng]

What does this PR do?

This PR is to add multiline support for custom AWS logs integration. Here is what the policy looks like after the multiline parser is added:

    streams:
      - id: aws-s3-aws_logs.generic-4cc5036f-5f6b-4040-8e4c-ca2720f1481e
        data_stream:
          dataset: aws_logs.generic
        bucket_arn: test_arn
        number_of_workers: 1
        bucket_list_interval: 120s
        max_bytes: 10MiB
        max_number_of_messages: 5
        sqs.max_receive_count: 5
        sqs.wait_time: 20s
        file_selectors: null
        access_key_id: aa
        secret_access_key: bb
        tags:
          - forwarded
        publisher_pipeline.disable_host: true
        parsers:
          - multiline:
              pattern: ^<Event
              negate: true
              match: after

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Step1: create a s3 bucket and upload a file with multiline log sample. For example what I'm using is:

kaiyansheng ~/Documents  $ cat test_multiline.log 
<Event><Data>
	A
	B
	C</Data></Event>
<Event><Data>
	D
	E
	F</Data</Event>

Step2: setup agent and agent policy to use custom AWS logs integration with the proper authentication for AWS and S3 bucket ARN. The agent policy looks like this:

inputs:
  - id: aws-s3-aws_logs-a6d98725-c4ee-4292-acb7-558e747ac909
    name: aws_logs-1
    revision: 1
    type: aws-s3
    use_output: default
    meta:
      package:
        name: aws_logs
        version: 0.4.0
    data_stream:
      namespace: default
    package_policy_id: a6d98725-c4ee-4292-acb7-558e747ac909
    streams:
      - id: aws-s3-aws_logs.generic-a6d98725-c4ee-4292-acb7-558e747ac909
        data_stream:
          dataset: aws_logs.generic
        bucket_arn: 'arn:aws:s3:::test-cloudfront-ks'
        number_of_workers: 1
        bucket_list_interval: 120s
        max_bytes: 10MiB
        max_number_of_messages: 5
        sqs.max_receive_count: 5
        sqs.wait_time: 20s
        file_selectors: null
        access_key_id: foo
        secret_access_key: boo
        tags:
          - preserve_original_event
          - forwarded
        publisher_pipeline.disable_host: true
        parsers:
          - multiline:
              pattern: ^<Event
              negate: true
              match: after

Step3: Once the agent starts running, you should see the test_multiline.log get read and stored into Elasticsearch:

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-05-05T17:13:17.639+0000

• Duration: 14 min 33 sec

Test stats 🧪

Test	Results
Failed	0
Passed	2
Skipped	0
Total	2

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (0/0)	💚
Files	100.0% (0/0)	💚
Classes	100.0% (0/0)	💚
Methods	66.667% (2/3)	👎 -29.487
Lines	100.0% (0/0)	💚
Conditionals	100.0% (0/0)	💚

[tdancheva]

Hey, looks good to me, works as expected!

P.S. Just a sidenote related to the parsers, I noticed they are still in beta for a long time now and after being used in many places. After a short chat with @kaiyan-sheng, she explained it was due to pending security checks at the time and that we should open an issue to call on GA. Putting it here as a reminder to do so.

[kaiyan-sheng]

Thanks @tdancheva ! @elastic/security-external-integrations Do you guys have a timeline on making the parser GA in Beats?

[elasticmachine]

Package aws_logs - 0.4.0 containing this change is available at https://epr.elastic.co/search?package=aws_logs