[AWS] Add cookies field in cloudfront datastream (elastic#16122)

* fix

* add log

Author: Linu-Elias

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "5.3.1"
+  changes:
+    - description: Add `cookies` field in cloudfront logs datastream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/16122
 - version: "5.3.0"
   changes:
     - description: Added rate limiting and retry configuration for AWS Config data stream.

packages/aws/data_stream/cloudfront_logs/_dev/test/pipeline/test-cloudfront.log

@@ -12,3 +12,4 @@
 2022-11-15	08:43:04	SEA19-C2	10157	81.2.69.143	GET	d111111abcdef8.cloudfront.net	/getApplications	200	https://test.com/global	Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20HeadlessChrome/100.0.4896.88%20Safari/537.36	-	-	Miss	hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ==	test.com	https	1057	0.093	81.2.69.142, 216.160.83.56	TLSv1.2	ECDHE-RSA-AES128-GCM-SHA256	Miss	HTTP/1.1	-	-	33359	0.093	Miss	application/javascript	-	-	-
 2022-11-15	08:43:04	SEA19-C2	10157	81.2.69.143	GET	d111111abcdef8.cloudfront.net	/getApplications	200	https://test.com/global	Mozilla/5.0%20(X11;%20Linux%20x86_64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20HeadlessChrome/100.0.4896.88%20Safari/537.36	-	-	Miss	hrsHM5OM6sTIXUleC1G20YtDxMf5Cq0Jbz0pwhVpod2kgEn_W6akCQ==	test.com	https	1057	0.093	localhost:8080	TLSv1.2	ECDHE-RSA-AES128-GCM-SHA256	Miss	HTTP/1.1	-	-	33359	0.093	Miss	application/javascript	-	-	-
 2024-07-13	15:29:45	EWR53-C1	198083	127.0.0.1	GET	xxxxxxxxxxxxx.cloudfront.net	/en(test)	404	https://domain.tld/	User-Agent:%20Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1;%20360SE)	-	-	Error	somevalidbase64==	domain.tld	https	609	0.318	-	TLSv1.3	TLS_AES_128_GCM_SHA256	Error	HTTP/1.1	-	-	50294	0.318	Error	text/html	-
+2024-07-13	15:29:45	EWR53-C1	198083	127.0.0.1	GET	xxxxxxxxxxxxx.cloudfront.net	/en(test)	404	https://domain.tld/	User-Agent:%20Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1;%20360SE)	-	sessionid=abc123; theme=dark; lang=en	Error	somevalidbase64==	domain.tld	https	609	0.318	-	TLSv1.3	TLS_AES_128_GCM_SHA256	Error	HTTP/1.1	-	-	50294	0.318	Error	text/html	-

packages/aws/data_stream/cloudfront_logs/_dev/test/pipeline/test-cloudfront.log-expected.json

@@ -1334,6 +1334,102 @@
                 },
                 "version": "7.0"
             }
+        },
+        {
+            "@timestamp": "2024-07-13T15:29:45.000Z",
+            "aws": {
+                "cloudfront": {
+                    "cookies": "sessionid=abc123; theme=dark; lang=en",
+                    "domain": "xxxxxxxxxxxxx.cloudfront.net",
+                    "edge_detailed_result_type": "Error",
+                    "edge_location": "EWR53-C1",
+                    "edge_response_result_type": "Error",
+                    "edge_result_type": "Error",
+                    "time_to_first_byte": 0.318
+                }
+            },
+            "cloud": {
+                "provider": "aws"
+            },
+            "destination": {
+                "address": "domain.tld",
+                "domain": "domain.tld"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "web"
+                ],
+                "duration": 318000000,
+                "id": "somevalidbase64==",
+                "kind": "event",
+                "original": "2024-07-13\t15:29:45\tEWR53-C1\t198083\t127.0.0.1\tGET\txxxxxxxxxxxxx.cloudfront.net\t/en(test)\t404\thttps://domain.tld/\tUser-Agent:%20Mozilla/4.0%20(compatible;%20MSIE%207.0;%20Windows%20NT%205.1;%20360SE)\t-\tsessionid=abc123; theme=dark; lang=en\tError\tsomevalidbase64==\tdomain.tld\thttps\t609\t0.318\t-\tTLSv1.3\tTLS_AES_128_GCM_SHA256\tError\tHTTP/1.1\t-\t-\t50294\t0.318\tError\ttext/html\t-",
+                "outcome": "failure",
+                "type": [
+                    "access"
+                ]
+            },
+            "http": {
+                "request": {
+                    "bytes": 609,
+                    "id": "somevalidbase64==",
+                    "method": "GET",
+                    "referrer": "https://domain.tld/"
+                },
+                "response": {
+                    "bytes": 198083,
+                    "mime_type": "text/html",
+                    "status_code": 404
+                },
+                "version": "1.1"
+            },
+            "network": {
+                "protocol": "https",
+                "type": "ipv4"
+            },
+            "related": {
+                "hosts": [
+                    "xxxxxxxxxxxxx.cloudfront.net",
+                    "domain.tld"
+                ],
+                "ip": [
+                    "127.0.0.1"
+                ]
+            },
+            "source": {
+                "address": "127.0.0.1",
+                "ip": "127.0.0.1",
+                "port": 50294
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "tls": {
+                "cipher": "TLS_AES_128_GCM_SHA256",
+                "version": "1.3",
+                "version_protocol": "tls"
+            },
+            "url": {
+                "domain": "domain.tld",
+                "full": "https://domain.tld/en(test)",
+                "path": "/en(test)",
+                "scheme": "https"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "IE",
+                "original": "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; 360SE)",
+                "os": {
+                    "full": "Windows XP",
+                    "name": "Windows",
+                    "version": "XP"
+                },
+                "version": "7.0"
+            }
         }
     ]
 }

packages/aws/data_stream/cloudfront_logs/elasticsearch/ingest_pipeline/default.yml

@@ -164,7 +164,7 @@ processors:
   - rename:
       field: _tmp.cs_cookie
       target_field: aws.cloudfront.cookies
-      if: ctx._tmp?.cs_cookies != null && ctx._tmp.cs_cookies != '-'
+      if: ctx._tmp?.cs_cookie != null && ctx._tmp.cs_cookie != '-'
   # x-edge-result-type
   - rename:
       field: _tmp.x_edge_result_type

packages/aws/data_stream/cloudfront_logs/fields/fields.yml

@@ -32,3 +32,7 @@
       type: long
       description: |-
         When the response contains the HTTP Content-Range header, this field contains the range end value.
+    - name: cookies
+      type: keyword
+      description: |-
+        This key is used to capture the cookies specifically.

packages/aws/docs/cloudfront.md

@@ -55,6 +55,7 @@ Refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ec
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
+| aws.cloudfront.cookies | This key is used to capture the cookies specifically. | keyword |
 | aws.cloudfront.domain | The domain name of the CloudFront distribution (for example, d111111abcdef8.cloudfront.net). | keyword |
 | aws.cloudfront.edge_detailed_result_type | When the value of the x-edge-result-type field is Error, this field contains the specific type of error. When the object was served to the viewer from the Origin Shield cache, this field contains OriginShieldHit. In all other cases, this field contains the same value as x-edge-result-type. | keyword |
 | aws.cloudfront.edge_location | The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number (for example, DFW3). The three-letter code typically corresponds with the International Air Transport Association (IATA) airport code for an airport near the edge location’s geographic location. | keyword |

packages/aws/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: aws
 title: AWS
-version: "5.3.0"
+version: "5.3.1"
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories: