[Apache Tomcat] Fix pipelines to correctly split the X-Forwarded-For comma delineated IPs (#15873)

* fix

* Update changelog.yml

Author: Linu-Elias

packages/apache_tomcat/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.1"
+  changes:
+    - description: Fix IP seperator regex for access logs
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15873
 - version: "1.12.0"
   changes:
     - description: Improve documentation

packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log

@@ -13,4 +13,5 @@
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 ms:54321 X 400 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1"
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 ms:3214 81.2.69.145 40 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1, 127.0.0.3"
 81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 ms:98765 50 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For=""
-10.10.10.10 - - [28/May/2024:17:20:05 +0200] "GET / " 200 17 ms:1234
+10.10.10.10 - - [28/May/2024:17:20:05 +0200] "GET / " 200 17 ms:1234
+81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] "POST /host-manager/images/asf-logo.svg HTTP/1.1" 200 20486 ms:3214 81.2.69.145 40 "http://localhost:8080/host-manager/html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36" X-Forwarded-For="127.0.0.1,127.0.0.3, 127.0.0.4"

packages/apache_tomcat/data_stream/access/_dev/test/pipeline/test-access.log-expected.json

@@ -1090,6 +1090,90 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2023-03-02T13:28:17.000Z",
+            "apache_tomcat": {
+                "access": {
+                    "http": {
+                        "ident": "-",
+                        "useragent": "admin"
+                    },
+                    "ip": {
+                        "local": "81.2.69.145"
+                    },
+                    "request_process_time": 3214.0,
+                    "response_time": 40.0
+                }
+            },
+            "client": {
+                "ip": [
+                    "127.0.0.1",
+                    "127.0.0.3",
+                    "127.0.0.4"
+                ]
+            },
+            "destination": {
+                "bytes": 20486
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "web"
+                ],
+                "kind": "event",
+                "module": "apache_tomcat",
+                "original": "81.2.69.144 - admin [02/Mar/2023:18:58:17 +0530] \"POST /host-manager/images/asf-logo.svg HTTP/1.1\" 200 20486 ms:3214 81.2.69.145 40 \"http://localhost:8080/host-manager/html\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36\" X-Forwarded-For=\"127.0.0.1,127.0.0.3, 127.0.0.4\"",
+                "outcome": "success",
+                "type": [
+                    "access"
+                ]
+            },
+            "http": {
+                "request": {
+                    "method": "POST",
+                    "referrer": "http://localhost:8080/host-manager/html"
+                },
+                "response": {
+                    "status_code": 200
+                },
+                "version": "1.1"
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.144",
+                    "81.2.69.145",
+                    "127.0.0.1",
+                    "127.0.0.3",
+                    "127.0.0.4"
+                ]
+            },
+            "source": {
+                "ip": "81.2.69.144"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "extension": "svg",
+                "original": "/host-manager/images/asf-logo.svg",
+                "path": "/host-manager/images/asf-logo.svg"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "Chrome",
+                "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
+                "os": {
+                    "full": "Windows 10",
+                    "name": "Windows",
+                    "version": "10"
+                },
+                "version": "109.0.0.0"
+            }
         }
     ]
-}
+}

packages/apache_tomcat/data_stream/access/elasticsearch/ingest_pipeline/default.yml

@@ -163,7 +163,7 @@ processors:
       if: ctx._tmp?.header_forwarder != null && ctx._tmp.header_forwarder != '' && ctx._tmp.header_forwarder != '-'
       tag: 'split_x_forwarded_for'
       target_field: client.ip
-      separator: ', '
+      separator: ',\s?'
   - foreach:
       field: client.ip
       if: ctx.client?.ip instanceof List

packages/apache_tomcat/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: apache_tomcat
 title: Apache Tomcat
-version: "1.12.0"
+version: "1.12.1"
 description: Collect and parse logs and metrics from Apache Tomcat servers with Elastic Agent.
 categories:
   - web