Add Suricata package

[andrewkroh]

What does this PR do?

Import the Suricata Filebeat module via PACKAGES=suricata mage -v ImportBeats.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all datasets collect metrics or logs.

Related issues

• Depends on: [Ingest Manager] Add contains handlebar helper for conditional blocks in yaml kibana#72698

Screenshots

[elasticmachine]

💚 Build Succeeded

Expand to view the summary

Build stats

• Build Cause: [Branch indexing]

• Start Time: 2020-08-05T01:45:07.478+0000

• Duration: 4 min 55 sec

[andrewstucki]

So, just to make sure -- this will actually resolve to foo, bar, baz if it's given an array like ["foo", "bar", "baz"] (notice no brackets in the rendered template, see example).

Does filebeat automatically do string splitting for the tags part of the configuration? If not I think this needs to become something like:

tags: {{#each tags as |tag i|}} - {{tag}} {{/each}}

[andrewkroh]

Fixed. Thanks.

[andrewkroh]

Where should the fields that Filebeat adds be defined? Things like input.type are not in the index template.

Additionally there could be fields from processors like add_host_metadata or add_docker_metadata? Is it the responsibility of each package to define these?

[andrewkroh]

This module reads log files. Some of the log lines are metrics about the software. These documents have event.kind: metric. Should they have dataset.type: metrics or dataset.type: logs? If dataset.type: metrics then how would I accomplish this?

[ruflin]

@andrewkroh At the moment it is the responsibility of each package / dataset to add these fields.

[andrewkroh]

This has been updated to add the datastream.* fields.

[andrewstucki]

Does this need container.id? I notice that filebeat is putting that in too. Other than that, LGTM

[mtojek]

LGTM, I will merge this PR before introducing any breaking changes in the solution.