[Filebeat] Add URI Parts Processor to multiple modules

[legoguy1000]

What does this PR do?

Updates Ingest Pipelines for the below modules:

Apache, Nginx, IIS, Traefik, S3Access, Cisco, F5, Fortinet, Google Workspace, Imperva, Microsoft, Netscout, O365, Sophos, Squid, Suricata, Zeek, Zia, Zoom, ZScaler

With the below changes

• Add uri_parts processor to parse URIs (includes URL decoding) to add url.path, url.extension, url.query....
• URL Decodes http.request.referrer (when applicable) to make them human readable

Why is it important?

Parses URLs to break up the URL into the different parts and URL decodes them.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

How to test this PR locally

cd beats/filebeat
GENERATE=true TESTING_FILEBEAT_MODULES=apache,nginx,iis,traefik mage -v pythonIntegTest
cd beats/x-pack/filebeat
GENERATE=true TESTING_FILEBEAT_MODULES=s3access,cisco,f5,fortinet,google_workspace,imperva,microsoft,netscout,o365,sophos,squid,suricata,zeek,zia,zoom,zscaler mage -v pythonIntegTest

Related issues

• Closes Default nginx pipelines should decode url.original field #19088

Use cases

Screenshots

Logs

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: andrewstucki commented: jenkins run tests

• Start Time: 2021-04-27T16:37:55.516+0000

• Duration: 140 min 57 sec

• Commit: b01d893

Test stats 🧪

Test	Results
Failed	0
Passed	13707
Skipped	2285
Total	15992

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	13707
Skipped	2285
Total	15992

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[legoguy1000]

@andrewstucki This should be ready review and CI tests

[andrewstucki]

jenkins run tests

[andrewstucki]

@legoguy1000 so it looks to me like the new log entries that were generated for the nginx module are missing user_agent.device.type which was added recently to Elasticsearch in elastic/elasticsearch#69322 -- can you make sure your development Elasticsearch instance is up-to-date with the latest snapshot before regeneration? I believe you should be able to grab the latest docker container with:

docker pull docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT

and then run it with:

docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" -e "logger.org.elasticsearch.transport=trace" docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT

prior to re-running the regeneration for nginx.

[legoguy1000]

@legoguy1000 so it looks to me like the new log entries that were generated for the nginx module are missing user_agent.device.type which was added recently to Elasticsearch in elastic/elasticsearch#69322 -- can you make sure your development Elasticsearch instance is up-to-date with the latest snapshot before regeneration? I believe you should be able to grab the latest docker container with:

docker pull docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT

and then run it with:

docker run -p 9200:9200 -p 9300:9300 -e "discovery.type=single-node" -e "logger.org.elasticsearch.transport=trace" docker.elastic.co/elasticsearch/elasticsearch:8.0.0-SNAPSHOT

prior to re-running the regeneration for nginx.

Not a problem

[andrewstucki]

Question about the backslash behavior. Not entirely sure if this is behavior based off of a combination of using urldecode + uri_parts and ordering or if this is just some strange behavior/potentially a bug in the processor itself. I'll try and check this out locally and play around with it to see what's going on.

[legoguy1000]

Ran the pipelines to update the user_agent.device.type taking a look at the extra escapes.

[legoguy1000]

@andrewstucki @andrewkroh If you guys are good, can u run the pipeline?

[andrewstucki]

jenkins run tests

[andrewstucki]

So, based off of #19088 (comment) I want to see if @ebeahan can chime in about whether the best course is to keep the url.original field in url-encoded form or if it should be decoded.

[andrewstucki]

jenkins run tests

[andrewstucki]

@legoguy1000 In general, this looks fine to me, I'll try and get it merged assuming that the tests pass

[legoguy1000]

@legoguy1000 In general, this looks fine to me, I'll try and get it merged assuming that the tests pass

I suspect its going to fail since they made the changes to the geo IP database, i'm re-generating the data now. I'll hold off pushing to see if it passes.

[legoguy1000]

@andrewstucki I update the generated data files to account for the changes in the pipeline. If you rerun the tests, we should be good.

[andrewstucki]

jenkins run tests

[legoguy1000]

@andrewstucki all passed

[andrewstucki]

@legoguy1000 thanks for the additions, I'll backport this for the 7.14 release

[legoguy1000]

@legoguy1000 thanks for the additions, I'll backport this for the 7.14 release

Ya, that was definitely a long one. Definitely good conversations with the ECS team clarifying the fields.

[andrewstucki]

@legoguy1000 backport opened at #25353