[gitlab] Initial release for Gitlab integration (#9747)

* adding integration folder from integration_builder output

* filling in actual logo

* elastic-package check formatting tweaks

* updating integration categories

* pipeline tweaks, updated some fields to accommodate

* test run outputs

* pipeline adjustments and generated outputs

* codeowners

* filled in and built readme

* filled in changelog pr

* fixing description, tweaking conditional to be more generic

* rebuilding the readme

* added in api datastream from integration_builder run

* formatting updates from elastic-package check

* update to accommodate addition of api datastream

* updates to pipelines, fieldname additions, more production samples, test outputs

* build, check and format

* adding empty line at the end of sample logs

* adding api dashboard

* adding production dashboard

* minor fixes for production ds found when trying additional samples

* syncing api to production

* results from build, format, check

* adding the default options for the filepaths, and some docs to explain

* Update packages/gitlab_ce/data_stream/api/agent/stream/filestream.yml.hbs

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab_ce/data_stream/production/agent/stream/filestream.yml.hbs

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab_ce/data_stream/api/elasticsearch/ingest_pipeline/default.yml

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* pipeline updates for converting and formatting; fields updates to be float instead of long for *_duration_s

* formatting updates

* rebuilt

* fixing up convert processors

* rebuilt

* adding additional system tests for instance created via docker

* updating name and fixing formatting

* tests actually running now (still failing)

* drop processor for info log line

* fixed system tests

* renaming from gitlab_ce to gitlab; tweaking the readme to better clarify support

* missed the rest of the rename

* rename updates

* updating logo

* added back canned system tests

* switching around test config

* trying adding chmod to GITLAB_PRE_RECONFIGURE_SCRIPT

* real path

* trying gid

* trying group

* removing 'real' system tests

* removing variants

* formatting

* syncing manifest title/description to be like github

* Update packages/gitlab/_dev/build/docs/README.md

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/_dev/build/docs/README.md

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/_dev/build/docs/README.md

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/_dev/build/docs/README.md

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/_dev/build/docs/README.md

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/_dev/build/docs/README.md

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/data_stream/api/elasticsearch/ingest_pipeline/default.yml

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/data_stream/api/elasticsearch/ingest_pipeline/default.yml

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* Update packages/gitlab/data_stream/api/elasticsearch/ingest_pipeline/default.yml

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

* fixing up the production pipeline like api, rebuilding docs

* rebuilt and cleared out the fields we don't need

* updated viewBox

* Gitlab to GitLab

* Gitlab to GitLab

---------

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>

Author: kgeller

.github/CODEOWNERS

@@ -192,6 +192,7 @@
 /packages/gcp_metrics @elastic/obs-ds-hosted-services
 /packages/gcp_pubsub @elastic/security-service-integrations
 /packages/github @elastic/security-service-integrations
+/packages/gitlab @elastic/security-service-integrations
 /packages/golang @elastic/obs-infraobs-integrations
 /packages/google_cloud_storage @elastic/security-service-integrations
 /packages/google_scc @elastic/security-service-integrations

packages/gitlab/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: "git@v8.11.0"

packages/gitlab/_dev/build/docs/README.md

@@ -0,0 +1,35 @@
+# GitLab Integration
+
+This integration is for ingesting logs from [GitLab](https://about.gitlab.com/).
+
+- `api`: Collect logs for HTTP requests made to the GitLab API
+
+- `production`: Collect logs for Rails controller requests received from GitLab.
+
+See the GitLab [Log system docs](https://docs.gitlab.com/ee/administration/logs/) for more information.
+
+## Compatibility
+
+The GitLab module has been developed with and tested against the [community edition](https://gitlab.com/rluna-gitlab/gitlab-ce) version 16.8.5-ce.0. 
+
+## Setup
+
+Refer to the GitLab documentation for the specific filepath(s) for your instance type. Both are provided as default in the configuration setup, but only one will be needed for use. See [API](https://docs.gitlab.com/ee/administration/logs/#api_jsonlog) and [Production](https://docs.gitlab.com/ee/administration/logs/#production_jsonlog) for details. 
+
+## Logs
+
+### api
+
+Collect logs for HTTP requests made to the GitLab API. Check out the [GitLab API log docs](https://docs.gitlab.com/ee/administration/logs/#api_jsonlog) for more information.
+
+{{fields "api"}}
+
+{{event "api"}}
+
+### production
+
+Collect logs for Rails controller requests received from GitLab. Check out the [GitLab production log docs](https://docs.gitlab.com/ee/administration/logs/#production_jsonlog) for more information.
+
+{{fields "production"}}
+
+{{event "production"}}

packages/gitlab/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,8 @@
+version: '3.0'
+services:
+  gitlab-filestream:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/* /var/log/"

packages/gitlab/_dev/deploy/docker/sample_logs/test-gitlab-api.log

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+  changes:
+    - description: Initial Version
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9747

packages/gitlab/_dev/deploy/docker/sample_logs/test-gitlab-production.log

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event

packages/gitlab/changelog.yml

@@ -0,0 +1,15 @@
+service: gitlab-filestream
+input: filestream
+data_stream:
+  vars:
+    preserve_original_event: true
+    paths:
+      - '{{SERVICE_LOGS_DIR}}/test-gitlab-api.log'
+numeric_keyword_fields:
+  - log.file.device_id
+  - log.file.inode
+  - log.file.idxhi
+  - log.file.idxlo
+  - log.file.vol
+assert:
+  hit_count: 10

packages/gitlab/data_stream/api/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,27 @@
+paths:
+{{#each paths as |path|}}
+  - {{path}}
+{{/each}}
+{{#if exclude_files}}
+prospector.scanner.exclude_files:
+{{#each exclude_files as |pattern|}}
+  - {{pattern}}
+{{/each}}
+{{/if}}
+{{#if custom}}
+{{custom}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/gitlab/data_stream/api/_dev/test/pipeline/test-gitlab-api.log

@@ -0,0 +1,217 @@
+---
+description: Pipeline to process gitlab api logs
+processors:
+- set:
+    field: ecs.version
+    tag: set_ecs_version
+    value: 8.11.0
+- rename:
+    field: message
+    target_field: event.original
+    tag: rename_message
+    ignore_missing: true
+    if: ctx.event?.original == null
+- remove:
+    field: message
+    ignore_missing: true
+    tag: remove_message
+    if: ctx.event?.original != null
+- drop: 
+    if: ctx.event.original.startsWith('#')
+    description: Drop if logline contains header(s), which startswith `#`.
+- json:
+    field: event.original
+    tag: json_original
+    target_field: gitlab.api
+- date:
+    field: gitlab.api.time
+    target_field: '@timestamp'
+    formats:
+    - ISO8601
+    ignore_failure: true
+- rename:
+    field: gitlab.api.severity
+    target_field: log.level
+    ignore_missing: true
+- script:
+    lang: painless
+    source: |-
+      if (ctx.gitlab?.api?.duration_s != null) {
+        ctx.event.duration = ctx.gitlab.api.duration_s * 1000000;
+      }
+    ignore_failure: true
+- rename:
+    field: gitlab.api.status
+    target_field: http.response.status_code
+    ignore_missing: true
+- rename:
+    field: gitlab.api.method
+    target_field: http.request.method
+    ignore_missing: true
+- rename:
+    field: gitlab.api.path
+    target_field: url.path
+    ignore_missing: true
+- rename:
+    field: gitlab.api.host
+    target_field: url.domain
+    ignore_missing: true
+- dot_expander:
+    path: gitlab.api
+    field: meta.caller_id
+- dot_expander:
+    path: gitlab.api
+    field: meta.client_id
+- dot_expander:
+    path: gitlab.api
+    field: meta.feature_category
+- dot_expander:
+    path: gitlab.api
+    field: meta.remote_ip
+- convert:
+    field: gitlab.api.meta.remote_ip
+    type: ip
+    ignore_missing: true
+    on_failure:
+        - remove:
+            field: gitlab.api.meta.remote_ip
+            ignore_missing: true
+        - append:
+            field: error.message
+            value: '{{{_ingest.on_failure_message}}}'
+- dot_expander:
+    path: gitlab.api
+    field: meta.user
+- dot_expander:
+    path: gitlab.api
+    field: meta.user_id
+- rename:
+    field: gitlab.api.meta.caller_id
+    target_field: event.provider
+    ignore_missing: true
+- split:
+    field: gitlab.api.remote_ip
+    if: ctx.gitlab?.api?.remote_ip != null && ctx.gitlab?.api?.remote_ip != ''
+    tag: split_ips
+    target_field: source.ip
+    separator: ', ?'
+- foreach:
+    field: source.ip
+    if: ctx.source?.ip instanceof List
+    ignore_failure: true
+    processor:
+      convert:
+        field: _ingest._value.name
+        type: ip
+        target_field: _ingest._value.name_ips
+        ignore_missing: true
+        on_failure:
+          - remove:
+              field: _ingest._value.ip
+              ignore_missing: true
+- remove:
+    field: gitlab.api.remote_ip
+    ignore_missing: true
+- rename:
+    field: gitlab.api.ua
+    target_field: user_agent.original
+    ignore_missing: true
+- rename:
+    field: gitlab.api.pid
+    target_field: process.pid
+    ignore_missing: true
+- rename:
+    field: gitlab.api.user_id
+    target_field: user.id
+    ignore_missing: true
+- convert:
+    field: user.id
+    type: string
+    ignore_missing: true
+- rename:
+    field: gitlab.api.username
+    target_field: user.name
+    ignore_missing: true
+- geoip:
+    field: client.address
+    tag: geoip_client_address
+    target_field: client.geo
+    ignore_missing: true
+- geoip:
+    ignore_missing: true
+    database_file: GeoLite2-ASN.mmdb
+    field: client.address
+    tag: geoip_client_asn
+    target_field: client.as
+    properties:
+    - asn
+    - organization_name
+- rename:
+    field: client.as.asn
+    tag: rename_client_as_asn
+    target_field: client.as.number
+    ignore_missing: true
+- rename:
+    field: client.as.organization_name
+    tag: rename_client_as_organization_name
+    target_field: client.as.organization.name
+    ignore_missing: true
+- append:
+    field: event.category
+    value:
+    - api
+    allow_duplicates: false
+- append:
+    field: event.type
+    value:
+    - info
+    allow_duplicates: false
+- append:
+    field: event.category
+    value:
+    - database
+    allow_duplicates: false
+    if: ctx.gitlab?.api?.db_count != null && ctx.gitlab?.api?.db_count > 0
+- append:
+    field: event.type
+    value:
+    - error
+    allow_duplicates: false
+    if: ctx.http?.response?.status_code != null && (ctx.http.response.status_code < 200 || ctx.http.response.status_code >= 400)
+- append:
+    field: event.kind
+    value:
+    - pipeline_error
+    allow_duplicates: false
+    if: ctx.error?.message != null
+- remove:
+    field: event.original
+    tag: remove_original_event
+    if: ctx?.tags == null || !(ctx.tags.contains("preserve_original_event"))
+    ignore_failure: true
+    ignore_missing: true
+- script:
+    description: Drops null/empty values recursively.
+    lang: painless
+    source: |
+      boolean dropEmptyFields(Object object) {
+        if (object == null || object == "") {
+          return true;
+        } else if (object instanceof Map) {
+          ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+          return (((Map) object).size() == 0);
+        } else if (object instanceof List) {
+          ((List) object).removeIf(value -> dropEmptyFields(value));
+          return (((List) object).length == 0);
+        }
+        return false;
+      }
+      dropEmptyFields(ctx);
+on_failure:
+- append:
+    field: error.message
+    value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}}
+      in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+- set:
+    field: event.kind
+    value: pipeline_error

packages/gitlab/data_stream/api/_dev/test/pipeline/test-gitlab-api.log-expected.json

@@ -0,0 +1,44 @@
+- name: cloud
+  title: Cloud
+  group: 2
+  description: Fields related to the cloud or infrastructure the events are coming from.
+  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+  type: group
+  fields:
+    - name: image.id
+      type: keyword
+      description: Image ID for the cloud instance.
+- name: container
+  title: Container
+  group: 2
+  description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.'
+  type: group
+  fields:
+    - name: labels
+      level: extended
+      type: object
+      object_type: keyword
+      description: Image labels.
+- name: host
+  title: Host
+  group: 2
+  description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+  type: group
+  fields:
+    - name: containerized
+      type: boolean
+      description: >
+        If the host is a container.
+
+    - name: os.build
+      type: keyword
+      example: "18D109"
+      description: >
+        OS build information.
+
+    - name: os.codename
+      type: keyword
+      example: "stretch"
+      description: >
+        OS codename, if any.
+

packages/gitlab/data_stream/api/_dev/test/system/test-filestream-config.yml

@@ -0,0 +1,20 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset name.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: gitlab
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: gitlab.api
+- name: "@timestamp"
+  type: date
+  description: Event timestamp.