keycloak: allow ISO8601 datetime format (#14191)

Author: Alphayeeeet

packages/keycloak/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.0"
+  changes:
+    - description: Allow ISO8601 datetime format.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14191
 - version: "1.28.0"
   changes:
     - description: Set the ECS field `event.outcome` based on the value of `keycloak.login.type`.

packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log

@@ -28,3 +28,4 @@
     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
 2021-10-22 23:05:03,371 DEBUG [org.keycloak.events] (default task-8) operationType=CREATE, realmId=test, clientId=7bcaf1cb-820a-40f1-91dd-75ced03ef03b, userId=ce637d23-b89c-4fca-9088-1aea1d053e19, ipAddress=10.2.2.156, resourceType=GROUP, resourcePath=groups/a57cd49f-fdfd-4d25-9fd2-2a46de44a9e6/children
 2024-07-17 12:05:32,104 INFO [org.keycloak.events] (main-thread-1) type=\"LOGOUT\", realmId=\"12345678-9abc-def0-1234-56789abcdef0\", clientId=\"user-console\", userId=\"abcdef12-3456-7890-abcd-ef1234567890\", sessionId=\"abcd1234-5678-90ab-cdef-1234567890ab\", ipAddress=\"192.168.1.1\", auth_method=\"oauth2\", auth_type=\"token\", response_type=\"token\", redirect_uri=\"https://example.com/realms/demo/account/\", consent=\"consent_required\", code_id=\"abcd1234-5678-90ab-cdef-1234567890ab\", response_mode=\"fragment\", username=\"dummyuser\", authSessionParentId=\"abcd1234-5678-90ab-cdef-1234567890ab\", authSessionTabId=\"zXY987wvuTsr\"
+2024-07-17T12:05:32,104 INFO [org.keycloak.events] (main-thread-1) type=\"LOGOUT\", realmId=\"12345678-9abc-def0-1234-56789abcdef0\", clientId=\"user-console\", userId=\"abcdef12-3456-7890-abcd-ef1234567890\", sessionId=\"abcd1234-5678-90ab-cdef-1234567890ab\", ipAddress=\"192.168.1.1\", auth_method=\"oauth2\", auth_type=\"token\", response_type=\"token\", redirect_uri=\"https://example.com/realms/demo/account/\", consent=\"consent_required\", code_id=\"abcd1234-5678-90ab-cdef-1234567890ab\", response_mode=\"fragment\", username=\"dummyuser\", authSessionParentId=\"abcd1234-5678-90ab-cdef-1234567890ab\", authSessionTabId=\"zXY987wvuTsr\"

packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log-expected.json

@@ -519,7 +519,6 @@
             ],
             "url": {
                 "domain": "www.example.com",
-                "extension": "sso/SAML2/POST",
                 "original": "https://www.example.com/Shibboleth.sso/SAML2/POST",
                 "path": "/Shibboleth.sso/SAML2/POST",
                 "scheme": "https"
@@ -1237,6 +1236,81 @@
                 "id": "abcdef12-3456-7890-abcd-ef1234567890",
                 "name": "dummyuser"
             }
+        },
+        {
+            "@timestamp": "2024-07-17T12:05:32.104-05:00",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "LOGOUT",
+                "category": [
+                    "authentication"
+                ],
+                "kind": "event",
+                "original": "2024-07-17T12:05:32,104 INFO [org.keycloak.events] (main-thread-1) type=\\\"LOGOUT\\\", realmId=\\\"12345678-9abc-def0-1234-56789abcdef0\\\", clientId=\\\"user-console\\\", userId=\\\"abcdef12-3456-7890-abcd-ef1234567890\\\", sessionId=\\\"abcd1234-5678-90ab-cdef-1234567890ab\\\", ipAddress=\\\"192.168.1.1\\\", auth_method=\\\"oauth2\\\", auth_type=\\\"token\\\", response_type=\\\"token\\\", redirect_uri=\\\"https://example.com/realms/demo/account/\\\", consent=\\\"consent_required\\\", code_id=\\\"abcd1234-5678-90ab-cdef-1234567890ab\\\", response_mode=\\\"fragment\\\", username=\\\"dummyuser\\\", authSessionParentId=\\\"abcd1234-5678-90ab-cdef-1234567890ab\\\", authSessionTabId=\\\"zXY987wvuTsr\\\"",
+                "outcome": "unknown",
+                "timezone": "America/Chicago",
+                "type": [
+                    "info",
+                    "end"
+                ]
+            },
+            "keycloak": {
+                "client": {
+                    "id": "user-console"
+                },
+                "event_type": "login",
+                "login": {
+                    "auth_method": "oauth2",
+                    "auth_session_parent_id": "abcd1234-5678-90ab-cdef-1234567890ab",
+                    "auth_session_tab_id": "zXY987wvuTsr",
+                    "auth_type": "token",
+                    "code_id": "abcd1234-5678-90ab-cdef-1234567890ab",
+                    "redirect_uri": "https://example.com/realms/demo/account/",
+                    "type": "LOGOUT"
+                },
+                "realm": {
+                    "id": "12345678-9abc-def0-1234-56789abcdef0"
+                }
+            },
+            "log": {
+                "level": "INFO",
+                "logger": "org.keycloak.events"
+            },
+            "process": {
+                "thread": {
+                    "name": "main-thread-1"
+                }
+            },
+            "related": {
+                "hosts": [
+                    "example.com"
+                ],
+                "ip": [
+                    "192.168.1.1"
+                ],
+                "user": [
+                    "abcdef12-3456-7890-abcd-ef1234567890"
+                ]
+            },
+            "source": {
+                "address": "192.168.1.1",
+                "ip": "192.168.1.1"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "url": {
+                "domain": "example.com",
+                "original": "https://example.com/realms/demo/account/",
+                "path": "/realms/demo/account/",
+                "scheme": "https"
+            },
+            "user": {
+                "id": "abcdef12-3456-7890-abcd-ef1234567890",
+                "name": "dummyuser"
+            }
         }
     ]
 }

packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -26,13 +26,15 @@ processors:
       timezone: "{{{ event.timezone }}}"
       formats:
         - yyyy-MM-dd HH:mm:ss,SSS
+        - ISO8601
       if: ctx.event?.timezone != null
       tag: date_timestamp_timezone
   - date:
       field: _tmp.timestamp
       target_field: '@timestamp'
       formats:
         - yyyy-MM-dd HH:mm:ss,SSS
+        - ISO8601
       if: ctx.event?.timezone == null
       tag: date_timestamp_no_timezone
   - pipeline:

packages/keycloak/manifest.yml

@@ -1,6 +1,6 @@
 name: keycloak
 title: Keycloak
-version: "1.28.0"
+version: "1.29.0"
 description: Collect logs from Keycloak with Elastic Agent.
 type: integration
 format_version: "3.0.3"