[Filebeat] sync checkpoint module with Fleet integration

[andrewkroh]

What does this PR do?

This adds network.transport to events derived from the IANA number. It brings in the change related to elastic/integrations#2463.

The Filebeat module was missing definitions for these four fields.

• checkpoint.comment
• checkpoint.conn_direction
• checkpoint.db_ver
• checkpoint.update_status

On difference between Fleet and Filebeat is that the Filebeat pipeline is setting client and server based on the source and destination. That behavior was kept. Another difference is event.ingested is required in the Filebeat version of the pipeline. Otherwise the pipelines are the same.

This commit was used:

elastic/integrations@2aee5ee

Filebeat had some ~10000 test log lines, but only the first 100 are checked in test_modules.py so I removed 9900 of them.

Why is it important?

Consistency is nice.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Note to reviewers

I think it would be easier to review the diff commit by commit. And turn off whitespace for the pipeline YAML diff.

Related issues

• Relates Checkpoint | Map IANA Protocol Numbers integrations#2463
• Requires [Checkpoint] Fix multiple field conflicts integrations#2895

[mergify]

This pull request does not have a backport label. Could you fix it @andrewkroh? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-04-04T21:05:32.193+0000

• Duration: 68 min 10 sec

Test stats 🧪

Test	Results
Failed	0
Passed	6191
Skipped	728
Total	6919

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[andrewkroh]

At this point the failures appear to be caused by to the fact that Beats main branch now requires 8.3.0 ES versions for testing purposes (due to output.elasticsearch.allow_older_versions: false). So until there is an 8.3.0-SNAPSHOT build AND beats is updated to use it, then this will not pass.

[v1v]

/test

[v1v]

/test

[v1v]

/test

[v1v]

/test

[v1v]

/test

[andrewkroh]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[efd6]

It would be a great thing to have this embedded using embed and not requiring base64 </random-thoughts>.

[andrewkroh]

Agree.

[efd6]

What was this?

[andrewkroh]

It added ecs.version to the outgoing event. This is now being set as part of the ingest pipeline with a set processor.