[Logs UI] Fix pre-ECS filebeat module message reconstruction rules

[weltenwort]

Summary

This fixes the message reconstruction for the pre-ECS formats of several filebeat modules by adding appropriate rules:

• icinga, fixes [Logs UI] Pre-ECS icinga log messages are not displayed correctly #30381
• haproxy, fixes [Logs UI] Pre-ECS haproxy log messages are not displayed correctly #30382
• mongodb, fixes [Logs UI] Pre-ECS mongodb log messages are not displayed correctly #30384
• iis, fixes [Logs UI] Pre-ECS iis log messages are not displayed correctly #30386
• logstash, fixes [Logs UI] Pre-ECS logstash log messages are not displayed correctly #30391
• osquery, fixes [Logs UI] Pre-ECS osquery log messages are not displayed correctly #30394
• traefik, fixes [Logs UI] Pre-ECS traefik log messages are not displayed correctly #30396

Notes on testing

The screenshot below have been created by ingesting the test data used by filebeat 6.7 itself.

Icinga

HAProxy

MongoDB

IIS

Logstash

Osquery

Checklist

• This was checked for cross-browser compatibility, including a check against IE11
• Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
• Documentation was added for features that require explanation or tutorials
• Unit or functional tests were updated or added to match the most common scenarios
• This was checked for keyboard-only and screenreader accessibility

For maintainers

• This was checked for breaking API changes and was labeled appropriately
• This includes a feature addition or change that requires a release note and was labeled appropriately

[elasticmachine]

Pinging @elastic/infrastructure-ui

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request

[elasticmachine]

💔 Build Failed

• continuous-integration/kibana-ci/pull-request

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request

[elasticmachine]

💔 Build Failed

• continuous-integration/kibana-ci/pull-request

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request

[simianhacker]

We should probably use this in the Flyout code too.

[weltenwort]

makes sense 👍 ➡️ #30930

I hope that was what you meant?

[simianhacker]

From a review standpoint I looked through everything and nothing stands out. What was your testing setup? Is a visual read through good enough?

[weltenwort]

For manual testing I used the *.log test sample files from the 6.7 branch of the filebeat sources. The unit test contain some copy+pasted expected json from the filebeat tests.

Given that there are unit tests for the new rules and that I included screenshots above, I would say checking for typos in the constant parts of the messages and consistency in the field selection would be most valuable.

[weltenwort]

jenkins, test this

[elasticmachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request

[weltenwort]

@simianhacker is there anything else you need in order to perform the review?

[simianhacker]

I made another visual pass and everything looks good to me. I did load it in Kibana just to make sure nothing fatal happens.

 __         ______     ______   __    __    
/\ \       /\  ___\   /\__  _\ /\ "-./  \   
\ \ \____  \ \ \__ \  \/_/\ \/ \ \ \-./\ \  
 \ \_____\  \ \_____\    \ \_\  \ \_\ \ \_\ 
  \/_____/   \/_____/     \/_/   \/_/  \/_/