[Filebeat] Add option for S3 input to work without SQS notification

[aspacca]

What does this PR do?

Introduces an alternative polling method to ingest logs in S3 buckets through buckets listing instead of SQS notifications

Why is it important?

Some users are prevented to attach SQS notifications to S3 buckets and this enhancement will allow them to use Filebeat to ingest logs from the buckets anyway

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

• Create an S3 bucket and uploads logs file for a fileset of your choice, mixing uncompressed format and tar.gz format
• In the fileset configuration use the following config:

    enabled: true
    input.type: aws-s3
    input.bucket_arn: 'aws:s3:::created-s3-bucket'
    input.number_of_workers: 2
    input.bucket_list_interval: 5s

• Run Filebeat with full debug messages (-d *)
• Assure that events from the logs file are published on the target elasticsearch instance
• Keep Filebeat running and check in the debug logs an entry like:

2021-08-18T10:16:37.654+0200    DEBUG   [input.aws-s3.s3_poller]        awss3/s3.go:177 skipping state. {"id": "4F67B762988BFE04", "bucket_arn": "aws:s3:::created-s3-bucket", "state": {"id":"created-s3-bucketfilename.ext\"etag\"2021-08-04 11:06:25 +0000 UTC","bucket":"created-s3-bucket","key":"filename.ext","etag":"\"etag\"","last_modified":"2021-08-04T11:06:25Z","stored":false,"error":false}}

• Add a new log file in the bucket and check that events from it are published on the target elasticsearch instance
• Stop Filebeat and restart
• Assure that the events from the logs are not sent again
• Check for debug entries like:

2021-08-18T10:16:37.654+0200    DEBUG   [input.aws-s3.s3_poller]        awss3/s3.go:177 skipping state. {"id": "4F67B762988BFE04", "bucket_arn": "aws:s3:::created-s3-bucket", "state": {"id":"created-s3-bucketfilename.ext\"etag\"2021-08-04 11:06:25 +0000 UTC","bucket":"created-s3-bucket","key":"filename.ext","etag":"\"etag\"","last_modified":"2021-08-04T11:06:25Z","stored":false,"error":false}}

Related issues

Closes #18205

Use cases

Screenshots

Logs

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-08-16T18:59:28.072+0000

• Duration: 158 min 55 sec

• Commit: 4087528

Test stats 🧪

Test	Results
Failed	0
Passed	53349
Skipped	5320
Total	58669

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	53349
Skipped	5320
Total	58669

[aspacca]

=== RUN   TestBenchmarkInputS3
+-------------------+------------------------+---------------------------+-----------------------+--------------------+------------------+--------------+------+
| NUMBER OF WORKERS | OBJECTS LISTED PER SEC | OBJECTS PROCESSED PER SEC | OBJECTS ACKED PER SEC |   EVENTS PER SEC   | S3 BYTES PER SEC |  TIME (SEC)  | CPUS |
+-------------------+------------------------+---------------------------+-----------------------+--------------------+------------------+--------------+------+
|                 1 |     1480.0946260194296 |         740.0473130097148 |     740.0473130097148 |  46622.98071961203 | 1.6 MB           | 13.512649562 |   16 |
|                 2 |     2542.4276952352016 |        1271.2138476176008 |    1271.2138476176008 |  80086.47239990885 | 2.7 MB           |  7.866497064 |   16 |
|                 4 |     3830.9806879633325 |        1915.4903439816662 |    1915.4903439816662 | 120675.89167084497 | 4.1 MB           |  5.220595359 |   16 |
|                 8 |      5156.841457565499 |        2578.4207287827494 |    2578.4207287827494 | 162440.50591331322 | 5.6 MB           |  3.878343006 |   16 |
|                16 |      5740.807503567915 |        2870.4037517839574 |    2870.4037517839574 | 180835.43636238933 | 6.2 MB           |  3.483830452 |   16 |
|                32 |      5795.253020568674 |         2897.626510284337 |     2897.626510284337 | 182550.47014791323 | 6.3 MB           |  3.451100397 |   16 |
|                64 |       6076.29982837242 |          3038.14991418621 |      3038.14991418621 | 191403.44459373123 | 6.6 MB           |  3.291476814 |   16 |
|               128 |      6329.421405740139 |        3164.7107028700693 |    3164.7107028700693 | 199376.77428081437 | 6.8 MB           |  3.159846488 |   16 |
|               256 |      6622.546088022572 |         3311.273044011286 |     3311.273044011286 |   208610.201772711 | 7.2 MB           |  3.019986533 |   16 |
|               512 |      6632.511804289157 |        3316.2559021445786 |    3316.2559021445786 | 208924.12183510847 | 7.2 MB           |  3.015448836 |   16 |
|              1024 |     6876.8124812793185 |        3438.4062406396592 |    3438.4062406396592 |  216619.5931602985 | 7.4 MB           |  2.908324177 |   16 |
+-------------------+------------------------+---------------------------+-----------------------+--------------------+------------------+--------------+------+

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[andrewkroh]

Looks good. My comments are all minor things and a few questions.

For other reviewers - please look over states.go. I didn't spend much time on that.

[andrewkroh]

Suggested change

	// Add increments the number of pending ACKs
	// Add increments the number of pending ACKs.

[andrewkroh]

I'm thinking about the config names. How about s3.bucket and s3.bucket_list_interval (I think "list" might be more descriptive than "poll")?

On the s3_bucket_number_of_workers, thinking about the future, perhaps we should call this number_of_workers. Then if we do make the changes you mentioned to SQS we could use this option for both.

[andrewkroh]

Suggested change

	LastModified time.Time `json:"last_modified" struct:"last_modifed"`
	LastModified time.Time `json:"last_modified" struct:"last_modified"`

[andrewkroh]

Suggested change

	// status is forget. if there is no previous state and
	// status is forgotten. if there is no previous state and

[andrewkroh]

This function is deprecated. Prefer creating a logger per instance, but if you must then use lopg.L().Debugf.

[andrewkroh]

Suggested change

	// try to decode. Ingore faulty/incompatible values.
	// try to decode. Ignore faulty/incompatible values.

[aspacca]

@andrewkroh
I've found what seems to be a caveat with the eventACKTracker:

func TestEventACKHandlerWait(t *testing.T) {
	ctx, cancel := context.WithCancel(context.Background())
	t.Cleanup(cancel)

	// Create acker. Add one pending ACK.
	acker := newEventACKTracker(ctx)
	acker.Add()
	acker.ACK()
	acker.Wait()
	acker.Add()

	assert.EqualValues(t, 1, acker.pendingACKs)
	assert.ErrorIs(t, acker.ctx.Err(), context.Canceled)
}

As soon there's an even number of Add and ACK the pendingACKs property goes to zero and the context is canceled, therefore Wait will return.

Similarly to what I reported I the other PR: we should clarify that Add/Wait should be called sequentially, with the latter only when every expected Add are already called

That's what we do for both input method so it's not a problem.

[andrewkroh]

The godocs should be clarified that the eventACKTracker cannot be reused to wait for multiple independent sets of ACKs.

But we could also change the implementation to allow for reuse if this is what you need. Do you need that?

[aspacca]

The godocs should be clarified that the eventACKTracker cannot be reused to wait for multiple independent sets of ACKs.

https://github.com/elastic/beats/pull/27332/files#diff-86ce06343e1fd48ccaa25dad04bb1e799646e4d7326d48e2a27058e38915bd89R54-R57

But we could also change the implementation to allow for reuse if this is what you need. Do you need that?

I don't need it, just wanted to be sure I didn't overlook the limitation

[aspacca]

/test

[aspacca]

@andrewkroh I should have addressed all the comments, please check, thanks

[andrewkroh]

LGTM

[andrewkroh]

Suggested change

	Wait interval between completion of a list request to the S3 bucket and beginning of the nest one. Default to be 120 seconds.
	Wait interval between completion of a list request to the S3 bucket and beginning of the next one. Default to be 120 seconds.

[andrewkroh]

This one has two godocs.

Suggested change

	s3ObjectsAckedTotal *monitoring.Uint // Number of S3 objects fully ACKed.
	s3ObjectsAckedTotal *monitoring.Uint

[kaiyan-sheng]

Suggested change

	#var.bucket: 'arn:aws:s3:::mybucket
	#var.bucket: 'arn:aws:s3:::mybucket'

[kaiyan-sheng]

and same for the other sections below.

[kaiyan-sheng]

Besides the missing quote, everything else looks great. Thanks!

[aspacca]

/test