chore: otel to ecf convertor pipeline

Signed-off-by: Kavindu Dodanduwa <[email protected]>

# Conflicts:
#	packages/aws/changelog.yml
#	packages/aws/manifest.yml

Author: Kavindu-Dodan

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.4.0"
+  changes:
+    - description: Add VPC flow log compatibility for OTel shim pipeline.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/99999
 - version: "4.3.0"
   changes:
     - description: Improve documentation to align with new guidelines.

packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml

@@ -25,50 +25,51 @@ processors:
       field: event.category
       value: [network]
   - drop:
-      if: 'ctx.event?.original.startsWith("version") || ctx.event?.original.startsWith("instance-id")'
+      if: ctx?.event?.source != 'otel' && (ctx.event?.original?.startsWith("version") || ctx.event?.original?.startsWith("instance-id"))
   - dissect:
       field: event.original
       pattern: '{"message":"%{event.original}"}'
+      if: ctx?.event?.source != 'otel'
       ignore_failure: true
   - script:
       lang: painless
-      if: ctx.event?.original != null
+      if: ctx.event?.original != null && ctx?.event?.source != 'otel'
       source: >-
         ctx._temp_ = new HashMap();
         ctx._temp_.message_token_count = ctx.event?.original.splitOnToken(" ").length;
   - dissect:
       field: event.original
       pattern: '%{aws.vpcflow.version} %{aws.vpcflow.account_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.packets} %{aws.vpcflow.bytes} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.log_status}'
-      if: ctx?._temp_?.message_token_count == 14
+      if: ctx?._temp_?.message_token_count == 14 && ctx?.event?.source != 'otel'
   - dissect:
       field: event.original
       pattern: '%{aws.vpcflow.instance_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr}'
-      if: ctx?._temp_?.message_token_count == 6
+      if: ctx?._temp_?.message_token_count == 6 && ctx?.event?.source != 'otel'
   - dissect:
       field: event.original
       pattern: '%{aws.vpcflow.version} %{aws.vpcflow.interface_id} %{aws.vpcflow.account_id} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.type} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{aws.vpcflow.action} %{aws.vpcflow.log_status}'
-      if: ctx?._temp_?.message_token_count == 17
+      if: ctx?._temp_?.message_token_count == 17 && ctx?.event?.source != 'otel'
   - dissect:
       field: event.original
       pattern: '%{aws.vpcflow.version} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.account_id} %{aws.vpcflow.type} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{aws.vpcflow.protocol} %{aws.vpcflow.bytes} %{aws.vpcflow.packets} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.log_status}'
-      if: ctx?._temp_?.message_token_count == 21
+      if: ctx?._temp_?.message_token_count == 21 && ctx?.event?.source != 'otel'
   - dissect:
       field: event.original
       pattern: '%{aws.vpcflow.version} %{aws.vpcflow.account_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.packets} %{aws.vpcflow.bytes} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.log_status} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.type} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{cloud.region} %{cloud.availability_zone} %{aws.vpcflow.sublocation.type} %{aws.vpcflow.sublocation.id} %{aws.vpcflow.pkt_src_service} %{aws.vpcflow.pkt_dst_service} %{network.direction} %{aws.vpcflow.traffic_path}'
-      if: ctx?._temp_?.message_token_count == 29
+      if: ctx?._temp_?.message_token_count == 29 && ctx?.event?.source != 'otel'
   - dissect:
       field: event.original
       description: default format for transit gateway vpc flow logs, covering versions v2 through v6.
       pattern: '%{aws.vpcflow.version} %{aws.vpcflow.resource_type} %{aws.vpcflow.account_id} %{aws.vpcflow.tgw_id} %{aws.vpcflow.tgw_attachment_id} %{aws.vpcflow.tgw_src_vpc_account_id} %{aws.vpcflow.tgw_dst_vpc_account_id} %{aws.vpcflow.tgw_src_vpc_id} %{aws.vpcflow.tgw_dst_vpc_id} %{aws.vpcflow.tgw_src_subnet_id} %{aws.vpcflow.tgw_dst_subnet_id} %{aws.vpcflow.tgw_src_eni} %{aws.vpcflow.tgw_dst_eni} %{aws.vpcflow.tgw_src_az_id} %{aws.vpcflow.tgw_dst_az_id} %{aws.vpcflow.tgw_pair_attachment_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.packets} %{aws.vpcflow.bytes} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.log_status} %{aws.vpcflow.type} %{aws.vpcflow.packets_lost_no_route} %{aws.vpcflow.packets_lost_blackhole} %{aws.vpcflow.packets_lost_mtu_exceeded} %{aws.vpcflow.packets_lost_ttl_expired} %{aws.vpcflow.tcp_flags} %{cloud.region} %{network.direction} %{aws.vpcflow.pkt_src_service} %{aws.vpcflow.pkt_dst_service}'
-      if: ctx?._temp_?.message_token_count == 36
+      if: ctx?._temp_?.message_token_count == 36 && ctx?.event?.source != 'otel'
   - dissect:
       field: event.original
       pattern: '%{aws.vpcflow.version} %{aws.vpcflow.account_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.packets} %{aws.vpcflow.bytes} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.log_status} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.type} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{cloud.region} %{cloud.availability_zone} %{aws.vpcflow.sublocation.type} %{aws.vpcflow.sublocation.id} %{aws.vpcflow.pkt_src_service} %{aws.vpcflow.pkt_dst_service} %{network.direction} %{aws.vpcflow.traffic_path} %{aws.vpcflow.ecs_cluster_arn} %{aws.vpcflow.ecs_cluster_name} %{aws.vpcflow.ecs_container_instance_arn} %{aws.vpcflow.ecs_container_instance_id} %{aws.vpcflow.ecs_container_id} %{aws.vpcflow.ecs_second_container_id} %{aws.vpcflow.ecs_service_name} %{aws.vpcflow.ecs_task_definition_arn} %{aws.vpcflow.ecs_task_arn} %{aws.vpcflow.ecs_task_id}'
-      if: ctx?._temp_?.message_token_count == 39
+      if: ctx?._temp_?.message_token_count == 39 && ctx?.event?.source != 'otel'
   - dissect:
       field: event.original
       pattern: '%{aws.vpcflow.version} %{aws.vpcflow.account_id} %{aws.vpcflow.interface_id} %{aws.vpcflow.srcaddr} %{aws.vpcflow.dstaddr} %{aws.vpcflow.srcport} %{aws.vpcflow.dstport} %{aws.vpcflow.protocol} %{aws.vpcflow.packets} %{aws.vpcflow.bytes} %{aws.vpcflow.start} %{aws.vpcflow.end} %{aws.vpcflow.action} %{aws.vpcflow.log_status} %{aws.vpcflow.vpc_id} %{aws.vpcflow.subnet_id} %{aws.vpcflow.instance_id} %{aws.vpcflow.tcp_flags} %{aws.vpcflow.type} %{aws.vpcflow.pkt_srcaddr} %{aws.vpcflow.pkt_dstaddr} %{cloud.region} %{cloud.availability_zone} %{aws.vpcflow.sublocation.type} %{aws.vpcflow.sublocation.id} %{aws.vpcflow.pkt_src_service} %{aws.vpcflow.pkt_dst_service} %{network.direction} %{aws.vpcflow.traffic_path} %{aws.vpcflow.ecs_cluster_arn} %{aws.vpcflow.ecs_cluster_name} %{aws.vpcflow.ecs_container_instance_arn} %{aws.vpcflow.ecs_container_instance_id} %{aws.vpcflow.ecs_container_id} %{aws.vpcflow.ecs_second_container_id} %{aws.vpcflow.ecs_service_name} %{aws.vpcflow.ecs_task_definition_arn} %{aws.vpcflow.ecs_task_arn} %{aws.vpcflow.ecs_task_id} %{aws.vpcflow.reject_reason}'
-      if: ctx?._temp_?.message_token_count == 40
+      if: ctx?._temp_?.message_token_count == 40 && ctx?.event?.source != 'otel'
 
   # Convert Unix epoch to timestamp
   - date:
@@ -77,18 +78,21 @@ processors:
       ignore_failure: true
       formats:
         - UNIX
+      if: ctx?.event?.source != 'otel'
   - date:
       field: aws.vpcflow.start
       target_field: event.start
       ignore_failure: true
       formats:
         - UNIX
+      if: ctx?.event?.source != 'otel'
   - date:
       field: aws.vpcflow.end
       target_field: event.end
       ignore_failure: true
       formats:
         - UNIX
+      if: ctx?.event?.source != 'otel'
   - remove:
       field:
         - aws.vpcflow.start

packages/aws/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: aws
 title: AWS
-version: "4.3.0"
+version: 4.4.0
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories:

packages/otel_shim/_dev/build/build.yml

@@ -0,0 +1,4 @@
+dependencies:
+  ecs:
+    reference: [email protected]
+    import_mappings: true

packages/otel_shim/_dev/build/docs/README.md

@@ -0,0 +1,15 @@
+# OTel shims pipelines
+
+TODO
+
+## Data streams
+
+TODO
+## Requirements
+
+You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
+You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
+
+## Setup
+
+TODO

packages/otel_shim/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.1"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link

packages/otel_shim/data_stream/aws_vpcflow/elasticsearch/ingest_pipeline/default.yml

@@ -0,0 +1,69 @@
+---
+description: Pipeline for processing sample logs
+processors:
+  - dot_expander:
+      field: "*"
+      path: attributes
+  - dot_expander:
+      field: "*"
+      path: resource.attributes
+  - set:
+      field: aws.vpcflow.version
+      copy_from: attributes.aws.vpc.flow.log.version
+  - set:
+      field: aws.vpcflow.account_id
+      copy_from: resource.attributes.cloud.account.id
+  - set:
+      field: aws.vpcflow.interface_id
+      copy_from: attributes.network.interface.name
+  - set:
+      field: aws.vpcflow.srcaddr
+      copy_from: attributes.source.address
+  - set:
+      field: aws.vpcflow.dstaddr
+      copy_from: attributes.destination.address
+  - set:
+      field: aws.vpcflow.srcport
+      copy_from: attributes.source.port
+  - set:
+      field: aws.vpcflow.dstport
+      copy_from: attributes.destination.port
+  - set:
+      field: aws.vpcflow.protocol
+      copy_from: attributes.network.protocol.name
+  - set:
+      field: aws.vpcflow.packets
+      copy_from: attributes.aws.vpc.flow.packets
+  - set:
+      field: aws.vpcflow.bytes
+      copy_from: attributes.aws.vpc.flow.bytes
+  - script:
+      lang: painless
+      source: |
+        ctx.tmpStart = Instant.ofEpochMilli(ctx.attributes.aws.vpc.flow.start).toEpochMilli();
+  - date:
+      field: tmpStart
+      target_field: event.start
+      ignore_failure: true
+      formats:
+        - UNIX
+  - set:
+      field: event.end
+      copy_from: '@timestamp'
+  - set:
+      field: aws.vpcflow.action
+      copy_from: attributes.aws.vpc.flow.action
+  - set:
+      field: aws.vpcflow.log_status
+      copy_from: attributes.aws.vpc.flow.status
+  - remove:
+      field:
+        - attributes
+      ignore_missing: true
+  - set:
+      field: event.source
+      value: otel
+on_failure:
+  - set:
+      field: error.message
+      value: '{{ _ingest.on_failure_message }}'

packages/otel_shim/data_stream/aws_vpcflow/fields/base-fields.yml

@@ -0,0 +1,12 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.

packages/otel_shim/data_stream/aws_vpcflow/manifest.yml

@@ -0,0 +1,6 @@
+title: "Route OTel AWS VPC Flow Logs to ECS"
+type: logs
+dataset: aws.vpcflow.otel
+elasticsearch:
+  dynamic_dataset: true
+  dynamic_namespace: true

packages/otel_shim/data_stream/aws_vpcflow/routing_rules.yml

@@ -0,0 +1,8 @@
+- source_dataset: aws.vpcflow.otel
+  rules:
+    # Route to aws.vpcflow dataset if event parsing is successful
+    - target_dataset: aws.vpcflow
+      if: ctx?.event?.source == "otel"
+      namespace:
+        - "{{data_stream.namespace}}"
+        - default