[Bug] Fix 400 bad request in localhost_access.*.log causing dissect failure on pipeline.

packages/apache_tomcat/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.1"
+ changes:
+ - description: "Fix 400 bad request within access log causing pipeline failure."
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11515
 - version: "1.8.0"
  changes:
  - description: "Allow @custom pipeline access to event.original without setting preserve_original_event."

packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log

@@ -7,3 +7,4 @@
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 81.2.69.145 - "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For=""
 81.2.69.144 - admin [02/Mar/2023:19:01:17 +0530] "GET /manager/status HTTP/1.1" 200 4654 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
 81.2.69.144 - admin [02/Mar/2023:19:02:25 +0530] "GET / HTTP/1.1" 200 11235
+81.2.69.144 - - [24/Oct/2024:14:18:49 +1100] "-" 400 - 81.2.69.145 + 0.000 "-" "-" X-Forwarded-For="-"

packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log-expected.json

@@ -647,6 +647,60 @@
  "original": "/",
  "path": "/"
  }
+ },
+ {
+ "@timestamp": "2024-10-24T03:18:49.000Z",
+ "apache_tomcat": {
+ "access": {
+ "http": {
+ "useragent": "-",
+ "ident": "-"
+ },
+ "response_time": 0,
+ "ip": {
+ "local": "81.2.69.145"
+ },
+ "connection_status": "+"
+ }
+ },
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "category": [
+ "web"
+ ],
+ "type": [
+ "access"
+ ],
+ "kind": "event",
+ "module": "apache_tomcat",
+ "original": "81.2.69.144 - - [24/Oct/2024:14:18:49 +1100] \"-\" 400 - 81.2.69.145 + 0.000 \"-\" \"-\" X-Forwarded-For=\"-\"",
+ "outcome": "failure"
+ },
+ "related": {
+ "ip": [
+ "81.2.69.144",
+ "81.2.69.145"
+ ]
+ },
+ "http": {
+ "request": {
+ "referrer": "-"
+ },
+ "response": {
+ "status_code": 400
+ }
+ },
+ "source": {
+ "ip": "81.2.69.144"
+ },
+ "tags": [
+ "preserve_original_event"
+ ],
+ "user_agent": {
+ "original": "-"
+ }
  }
  ]
-}
+}

packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml

@@ -24,7 +24,15 @@ processors:
  - dissect:
  field: event.original
  tag: 'dissect_event_original'
- pattern: '%{_tmp.sourceorusername} %{apache_tomcat.access.http.ident} %{apache_tomcat.access.http.useragent} [%{_tmp.timestamp}] "%{http.request.method} %{url.original} HTTP/%{http.version}" %{_tmp.dissectgrok}'
+ pattern: '%{_tmp.sourceorusername} %{apache_tomcat.access.http.ident} %{apache_tomcat.access.http.useragent} [%{_tmp.timestamp}] "%{_tmp.dissect_request}" %{_tmp.dissectgrok}'
+ on_failure:
+ - append:
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag fail-{{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - dissect:
+ field: _tmp.dissect_request
+ pattern: '%{http.request.method} %{url.original} HTTP/%{http.version}'
+ if: ctx._tmp.dissect_request != '-'
  on_failure:
  - append:
  field: error.message

packages/apache_tomcat/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: apache_tomcat
 title: Apache Tomcat
-version: "1.8.0"
+version: "1.8.1"
 description: Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent.
 categories: ["web", "observability"]
 type: integration