[7.6] Fix Elasticsearch GC logs ingestion from Docker logs (#17164) (#…
…17207)

* Fix Elasticsearch GC logs ingestion from Docker logs (#17164)

* [Filebeat][elasticsearch] fix JSON lines picked up in gc.logs

When used with docker autodiscover, the elasticsearch gc module
erroneously picks up JSON-formatted lines from docker's stdout.

Fix by excluding lines that start with `{`.

* Adding test files

* Adding CHANGELOG entry

* Moving test files to correct fileset

* Introduce GC log entry in test fixture + golden file

* Make sure multiline pattern excludes lines starting with {

* Fixing golden file

Co-authored-by: Magnus Kessler <magnus.kessler@elastic.co>

* Cleaning up CHANGELOG

* Removing event.{kind,category,type} fields (only available starting 7.7)

Co-authored-by: Magnus Kessler <magnus.kessler@elastic.co>
ycombinator and kesslerm authored Mar 25, 2020
1 parent 6c7567c commit d57bcf8
Showing 4 changed files with 160 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -48,6 +48,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Fix s3 input with cloudtrail fileset reading json file. {issue}16374[16374] {pull}16441[16441]
- Add queue_url definition in manifest file for aws module. {pull}16640{16640}
- Fixed a mapping exception when ingesting CEF logs that used the spriv or dpriv extensions. {issue}17216[17216] {pull}17220[17220]
- Fix `elasticsearch.gc` fileset to not collect _all_ logs when Elasticsearch is running in Docker. {issue}13164[13164] {issue}16583[16583] {pull}17164[17164]

*Heartbeat*

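Review bot: the added `elasticsearch.gc` entry says the fileset will "not collect _all_ logs" under Docker, which is broader than what the config change in this commit does: it only drops lines that begin with `{`. Non-JSON output on the container's stdout is not covered by that exclusion, so wording such as "to not collect JSON-formatted log lines" would describe the fix more accurately. Separately, the context line above it has `{pull}16640{16640}` where the neighbouring entries use the `[16640]` form; worth correcting while this block is being touched.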
4 changes: 2 additions & 2 deletions filebeat/module/elasticsearch/gc/config/gc.yml
Expand Up @@ -4,8 +4,8 @@ paths:
- {{$path}}
{{ end }}
exclude_files: [".gz$"]
exclude_lines: ["^(OpenJDK|Java HotSpot).* Server VM ", "^CommandLine flags: ", "^Memory: "] # exclude JVM8 banner
exclude_lines: ["^(OpenJDK|Java HotSpot).* Server VM ", "^CommandLine flags: ", "^Memory: ", "^{"] # exclude JVM8 banner and JSON
multiline:
pattern: '^\[?[0-9]{4}-[0-9]{2}-[0-9]{2}'
pattern: '^(\[?[0-9]{4}-[0-9]{2}-[0-9]{2}|{)'
negate: true
match: after
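Review bot: both new patterns use a bare `{` (`"^{"` in `exclude_lines` and `|{)` in the multiline `pattern`), which works only because the regex engine treats a brace that does not open a repetition as a literal; writing `\{` would make the intent explicit and keep the patterns valid if they are copied to a stricter engine. The two changes are also coupled: with `negate: true` and `match: after`, a JSON line that did not start a new event would be appended to the preceding GC entry, so the `{` alternative in the multiline pattern is what lets `"^{"` drop it as an event of its own. A short comment on the multiline pattern saying so would stop someone from removing one half later. The match is on the first character only, so a JSON line with leading whitespace is neither split off nor excluded.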