[Filebeat] Preserve case of http.request.method (#18359) (#18788)

* Preserve case of http.request.method

ECS previously specified normalizing http.request.method to lowercase.
This resulted in the loss of information. Affects filesets from the
following versions:

- apache/access (7.7 - 7.8)
- elasticsearch/audit (7.7 - 7.8)
- iis/access (7.7 - 7.8)
- iis/error (7.7 - 7.8)
- nginx/access (7.8)
- nginx/ingress_controller (7.8)
- aws/elb (7.7 - 7.8)
- suricata/eve (7.4 - 7.8)
- zeek/http (7.8)

Closes #18154

(cherry picked from commit 87c3ad3)

Author: leehinman

CHANGELOG.next.asciidoc

@@ -22,6 +22,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Filebeat*
 
 - Fix parsing of Elasticsearch node name by `elasticsearch/slowlog` fileset. {pull}14547[14547]
+- Preserve case of http.request.method.  ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, aws/elb, suricata/eve. {issue}18154[18154] {pull}18359[18359]
 
 *Heartbeat*
 

filebeat/module/apache/access/ingest/pipeline.yml

@@ -34,9 +34,6 @@ processors:
     field: event.outcome
     value: failure
     if: "ctx?.http?.response?.status_code != null && ctx.http.response.status_code > 399"
-- lowercase:
-    field: http.request.method
-    ignore_missing: true
 - grok:
     field: source.address
     ignore_missing: true

filebeat/module/apache/access/test/darwin-2.4.23.log-expected.json

@@ -7,7 +7,7 @@
         "event.module": "apache",
         "event.outcome": "success",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.response.body.bytes": 45,
         "http.response.status_code": 200,
         "http.version": "1.1",
@@ -27,7 +27,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.response.body.bytes": 209,
         "http.response.status_code": 404,
         "http.version": "1.1",
@@ -63,7 +63,7 @@
         "event.module": "apache",
         "event.outcome": "success",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.response.body.bytes": 45,
         "http.response.status_code": 200,
         "http.version": "1.1",
@@ -92,7 +92,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.response.body.bytes": 206,
         "http.response.status_code": 404,
         "http.version": "1.1",
@@ -121,7 +121,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.response.body.bytes": 201,
         "http.response.status_code": 404,
         "http.version": "1.1",

filebeat/module/apache/access/test/ssl-request.log-expected.json

@@ -8,7 +8,7 @@
         "event.kind": "event",
         "event.module": "apache",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.response.body.bytes": 1375,
         "http.version": "1.1",
         "input.type": "log",
@@ -30,7 +30,7 @@
         "event.kind": "event",
         "event.module": "apache",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.version": "1.1",
         "input.type": "log",
         "log.offset": 276,

filebeat/module/apache/access/test/test-vhost.log-expected.json

@@ -8,7 +8,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 499,
         "http.response.status_code": 404,

filebeat/module/apache/access/test/test.log-expected.json

@@ -7,7 +7,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.response.body.bytes": 209,
         "http.response.status_code": 404,
         "http.version": "1.1",
@@ -27,7 +27,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 499,
         "http.response.status_code": 404,
@@ -71,7 +71,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 612,
         "http.response.status_code": 404,
@@ -99,7 +99,7 @@
         "event.module": "apache",
         "event.outcome": "success",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 612,
         "http.response.status_code": 200,

filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json

@@ -7,7 +7,7 @@
         "event.module": "apache",
         "event.outcome": "success",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 491,
         "http.response.status_code": 200,
@@ -33,7 +33,7 @@
         "event.module": "apache",
         "event.outcome": "success",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 484,
         "http.response.status_code": 200,
@@ -61,7 +61,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "http://192.168.33.72/",
         "http.response.body.bytes": 504,
         "http.response.status_code": 404,
@@ -89,7 +89,7 @@
         "event.module": "apache",
         "event.outcome": "success",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 484,
         "http.response.status_code": 200,
@@ -117,7 +117,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 504,
         "http.response.status_code": 404,
@@ -145,7 +145,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 504,
         "http.response.status_code": 404,
@@ -173,7 +173,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 498,
         "http.response.status_code": 404,
@@ -201,7 +201,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 499,
         "http.response.status_code": 404,
@@ -229,7 +229,7 @@
         "event.module": "apache",
         "event.outcome": "failure",
         "fileset.name": "access",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "http.request.referrer": "-",
         "http.response.body.bytes": 499,
         "http.response.status_code": 404,

filebeat/module/elasticsearch/audit/ingest/pipeline.yml

@@ -40,9 +40,6 @@ processors:
         ctx.event.outcome = 'failure';
       }
 
-- lowercase:
-    field: http.request.method
-    ignore_missing: true
 - set:
     field: host.id
     value: "{{elasticsearch.node.id}}"

filebeat/module/elasticsearch/audit/test/test-audit-docker.log-expected.json

@@ -13,7 +13,7 @@
         "event.outcome": "failure",
         "fileset.name": "audit",
         "host.id": "Xaq2BFVcQ1OhyMrjL8gNOg",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "input.type": "log",
         "log.offset": 0,
         "message": "{\"type\": \"audit\", \"timestamp\":\"2019-06-11T15:03:32,102+0000\", \"node.id\":\"Xaq2BFVcQ1OhyMrjL8gNOg\", \"event.type\":\"rest\", \"event.action\":\"anonymous_access_denied\", \"origin.type\":\"rest\", \"origin.address\":\"172.17.0.1:40380\", \"url.path\":\"/\", \"request.method\":\"GET\", \"request.id\":\"pkduyMB5Tly6xgmkYbZi-A\"}",
@@ -37,7 +37,7 @@
         "event.outcome": "failure",
         "fileset.name": "audit",
         "host.id": "Xaq2BFVcQ1OhyMrjL8gNOg",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "input.type": "log",
         "log.offset": 690,
         "message": "{\"type\": \"audit\", \"timestamp\":\"2019-06-11T15:03:32,778+0000\", \"node.id\":\"Xaq2BFVcQ1OhyMrjL8gNOg\", \"event.type\":\"rest\", \"event.action\":\"authentication_failed\", \"user.name\":\"elastic\", \"origin.type\":\"rest\", \"origin.address\":\"172.17.0.1:40380\", \"url.path\":\"/\", \"request.method\":\"GET\", \"request.id\":\"KPgEINaXSbGNaIobp8OcMw\"}",

filebeat/module/elasticsearch/audit/test/test-audit.log-expected.json

@@ -202,7 +202,7 @@
         "fileset.name": "audit",
         "host.id": "y8fa3M5zSSGo1M_KJRMUXw",
         "http.request.body.content": "\n{\n    \"query\" : {\n        \"term\" : { \"user\" : \"kimchy\" }\n    }\n}\n",
-        "http.request.method": "get",
+        "http.request.method": "GET",
         "input.type": "log",
         "log.offset": 2056,
         "message": "{\"@timestamp\":\"2019-01-27T20:15:10,380\", \"node.name\":\"node-0\", \"node.id\":\"y8fa3M5zSSGo1M_KJRMUXw\", \"event.type\":\"rest\", \"event.action\":\"authentication_success\", \"user.name\":\"elastic-admin\", \"origin.type\":\"rest\", \"origin.address\":\"[::1]:58955\", \"realm\":\"default_file\", \"url.path\":\"/_search\", \"request.method\":\"GET\", \"request.body\":\"\\n{\\n    \\\"query\\\" : {\\n        \\\"term\\\" : { \\\"user\\\" : \\\"kimchy\\\" }\\n    }\\n}\\n\", \"request.id\":\"WzL_kb6VSvOhAq0twPvHOQ\"}",