[Enhancement] extract the correct body if s3 notify via SNS->SQS #25492

Closed

@christianherweg0807 christianherweg0807 commented May 3, 2021

What does this PR do?

This PR parses the SQS Message Body and tries to match to a SNS Message Structure. If BodyJSON.TopicArn is not empty, it delivers the bodyJSON.Message as body instead of m.Body.

Use cases

Configless detections of S3 notifications delivered via SNS to a SQS Queue.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 3, 2021
@christianherweg0807 christianherweg0807 changed the title [Enhancement] extract the correct body if s3 notify via SNS->SQS [WP][Enhancement] extract the correct body if s3 notify via SNS->SQS May 3, 2021
@elasticmachine
Collaborator

elasticmachine commented May 3, 2021

💔 Build Failed


Build stats

  • Start Time: 2021-07-27T04:50:25.576+0000

  • Duration: 14 min 39 sec

  • Commit: 545f3f3

Steps errors 3

x-pack/filebeat-lint - make -C x-pack/filebeat check;make -C x-pack/filebeat update;make -C filebe
  • Took 3 min 0 sec . View more details on here
  • Description: make -C x-pack/filebeat check;make -C x-pack/filebeat update;make -C filebeat check;make -C filebeat update;make check-no-changes;
Check for changes
  • Took 0 min 4 sec . View more details on here
  • Description: make check-no-changes
Error signal
  • Took 0 min 0 sec . View more details on here
  • Description: Error 'hudson.AbortException: script returned exit code 2'

❕ Flaky test report

No test was executed to be analysed.

@ChrsMark ChrsMark requested a review from kaiyan-sheng May 5, 2021 10:47
@ChrsMark ChrsMark added the Team:Integrations Label for the Integrations team label May 5, 2021
@elasticmachine
Collaborator

Pinging @elastic/integrations (Team:Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 5, 2021
@kaiyan-sheng kaiyan-sheng self-assigned this May 5, 2021
test(x-pack/filebeat): add unit test for s3-sns-sqs
@christianherweg0807 christianherweg0807 changed the title [WP][Enhancement] extract the correct body if s3 notify via SNS->SQS [Enhancement] extract the correct body if s3 notify via SNS->SQS Jun 7, 2021
@christianherweg0807
Author

Now we've added the tests. Ready for review. Sorry for the delay.

Contributor

@kaiyan-sheng kaiyan-sheng left a comment

Thank you for working on this. Could you add a changelog entry for this fix please?

@kaiyan-sheng kaiyan-sheng added the needs_backport PR is waiting to be backported to other branches. label Jun 8, 2021
@christianherweg0807
Author

Added a simple line to the changelog. Any other documentation needed?

@christianherweg0807
Author

Anything I could do here? @kaiyan-sheng

}
if err := json.Unmarshal([]byte(*m.Body), &bodyJSON); err == nil && bodyJSON.TopicArn != "" {
err := json.Unmarshal([]byte(bodyJSON.Message), &msg)
if err != nil {
Contributor

Seems like these two error checks have duplicate code, could you simplify this part please?

Deduplicated this. You are right...

@kaiyan-sheng
Contributor

@christianherweg0807 Sorry for the delay on this!! Thank you for your contribution. With this change, does that mean users can setup S3 bucket to create and subscribe to an SNS topic?

@christianherweg0807
Author

christianherweg0807 commented Jul 19, 2021

Before this change Filebeat only supports this setup:
S3 -> SQS
If the SQS message was delivered via S3->SNS there is an additional layer in the SQS message. With this PR Filebeat detects this layer. Now beats supports this, too:
S3 -> SNS -> SQS

regards
Christian
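
The extra layer described in the PR description and in the comment above, as an added Go example (not code from this PR or from Beats): an SQS body is treated as SNS-wrapped when its `TopicArn` is non-empty, and the inner `Message` string is then decoded as the S3 notification. The names `extractS3Event`, `wrapInSNS`, the two struct types, and the sample bucket, key and topic ARN are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// snsEnvelope holds the two SNS notification fields the PR description relies on.
type snsEnvelope struct {
	TopicArn string `json:"TopicArn"`
	Message  string `json:"Message"`
}

// s3Event is a minimal view of an S3 event notification.
type s3Event struct {
	Records []struct {
		S3 struct {
			Bucket struct{ Name string `json:"name"` } `json:"bucket"`
			Object struct{ Key string `json:"key"` } `json:"object"`
		} `json:"s3"`
	} `json:"Records"`
}

// Constructed sample: the SQS body as it arrives on the direct S3 -> SQS path.
const directBody = `{"Records":[{"s3":{"bucket":{"name":"example-bucket"},"object":{"key":"logs/a.json"}}}]}`

// wrapInSNS builds the S3 -> SNS -> SQS form: the notification as a JSON string in "Message".
func wrapInSNS(topicArn, inner string) string {
	b, _ := json.Marshal(snsEnvelope{TopicArn: topicArn, Message: inner})
	return string(b)
}

// extractS3Event (hypothetical helper) unwraps the SNS layer if present and reports whether it did.
func extractS3Event(body string) (s3Event, bool, error) {
	var env snsEnvelope
	var ev s3Event
	payload, viaSNS := body, false
	if err := json.Unmarshal([]byte(body), &env); err == nil && env.TopicArn != "" {
		payload, viaSNS = env.Message, true
	}
	if err := json.Unmarshal([]byte(payload), &ev); err != nil {
		return ev, viaSNS, fmt.Errorf("decoding S3 event: %w", err)
	}
	if len(ev.Records) == 0 {
		return ev, viaSNS, errors.New("message carries no S3 records")
	}
	return ev, viaSNS, nil
}

func main() {
	ev, viaSNS, err := extractS3Event(wrapInSNS("arn:aws:sns:us-east-1:111122223333:example-topic", directBody))
	fmt.Printf("viaSNS=%v err=%v event=%+v\n", viaSNS, err, ev)
}
```

A body without records, or an SNS `Message` that is not an S3 notification, is returned as an error instead of being passed on as an empty event.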

@kaiyan-sheng
Contributor

Thank you @christianherweg0807 so much for the information! I think this is a great addition to s3 input, maybe we should also add more in the documentation?

@mergify
Contributor

mergify bot commented Jul 22, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b awss3_sns_sqs upstream/awss3_sns_sqs
git merge upstream/master
git push upstream awss3_sns_sqs

@kaiyan-sheng kaiyan-sheng added the backport-v7.15.0 Automated backport with mergify label Jul 22, 2021
@kaiyan-sheng kaiyan-sheng added needs_integration_sync Changes in this PR need synced to elastic/integrations. and removed needs_backport PR is waiting to be backported to other branches. labels Jul 22, 2021
@kaiyan-sheng
Contributor

/test

@kaiyan-sheng
Contributor

seems like CI is not happy, maybe you need go mod tidy?

@christianherweg0807
Author

Sorry, I missed a variable scope...

@kaiyan-sheng
Contributor

/test

@kaiyan-sheng
Contributor

@christianherweg0807 Hmm seems like CI is not happy with go.sum?

[2021-07-27T05:00:16.151Z] + make check-no-changes

[2021-07-27T05:00:18.060Z] diff --git a/go.sum b/go.sum

[2021-07-27T05:00:18.060Z] index a2a089d0d1..19b2ae2161 100644

[2021-07-27T05:00:18.060Z] --- a/go.sum

[2021-07-27T05:00:18.060Z] +++ b/go.sum

[2021-07-27T05:00:18.060Z] @@ -700,7 +700,6 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5

[2021-07-27T05:00:18.060Z]  github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

[2021-07-27T05:00:18.060Z]  github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=

[2021-07-27T05:00:18.060Z]  github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=

[2021-07-27T05:00:18.060Z] -github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8 h1:zLV6q4e8Jv9EHjNg/iHfzwDkCve6Ua5jCygptrtXHvI=

[2021-07-27T05:00:18.060Z]  github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=

[2021-07-27T05:00:18.060Z]  github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b h1:X/8hkb4rQq3+QuOxpJK7gWmAXmZucF0EI1s1BfBLq6U=

[2021-07-27T05:00:18.060Z]  github.com/tsg/go-daemon v0.0.0-20200207173439-e704b93fd89b/go.mod h1:jAqhj/JBVC1PwcLTWd6rjQyGyItxxrhpiBl8LSuAGmw=
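
Review bot: The only changed line in this go.sum hunk is the removed `h1:` entry for github.com/syndtr/gocapability v0.0.0-20170704070218-db04d3cc01c8, while its `/go.mod h1:` entry stays as context, so the branch's committed go.sum carries one checksum line that the file produced during the check does not. Regenerate go.sum on the branch (go mod tidy, as suggested earlier in the thread) and commit the result so that make check-no-changes finds no difference.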

[2021-07-27T05:00:19.439Z] go.sum: needs update

[2021-07-27T05:00:19.439Z] Makefile:113: recipe for target 'check-no-changes' failed

[2021-07-27T05:00:19.439Z] make: *** [check-no-changes] Error 1

script returned exit code 2

@mergify
Contributor

mergify bot commented Aug 12, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b awss3_sns_sqs upstream/awss3_sns_sqs
git merge upstream/master
git push upstream awss3_sns_sqs

@kaiyan-sheng
Contributor

@christianherweg0807 Hi, sorry you have to deal with the conflict, because two big PRs got merged for the s3 input.

@schoi-godaddy

schoi-godaddy commented Oct 21, 2021

Love the work. Any traction on this PR by chance?

For me it seems like converting the msg to raw (https://docs.aws.amazon.com/sns/latest/dg/sns-large-payload-raw-message-delivery.html) fixed the problem where filebeat wasn't able to access the file in s3, as a quick fix.

@kaiyan-sheng
Contributor

@christianherweg0807 Thank you so much for your initiative on this!! I'm closing this PR and will use #28800 to continue to work.

Labels
backport-v7.15.0 Automated backport with mergify needs_integration_sync Changes in this PR need synced to elastic/integrations. Team:Integrations Label for the Integrations team
6 participants