[AWSX-3190] feat(go-forwarder): log model and parsing logic

[ndakkoune]

What does this PR do?

Set up log parsing and model logic.

Motivation

Following the migration of the Lambda Log Forwarder to Go, the log model is a necessary and critical step that will dictate how the data flow.

Testing Guidelines

Additional Notes

The natural divergence of both the log events received by the Lambda and the outbound payload sent to Datadog needs a model as generic as possible. The most noticeable design choices are :

• The CloudwatchLogsContext and CloudwatchLogsLogEvent types that closely mimic some of their equivalents in the github.com/aws/aws-lambda-go/events package.
• The LogContent interface is responsible to return its own Message(), required in the future steps (e.g. scrubbing) and MarshalFields(), responsible to return the top-level fields to match the intake API format (different for each event source for S3 invocations, especially for CloudTrail).
• LogEntry.MarshalJSON() is the custom marshaler that merges Content.MarshalFields() so that each LogEntry is serialized to the correct format.

Types of changes

• Bug fix
• New feature
• Breaking change
• Misc (docs, refactoring, dependency upgrade, etc.)

Check all that apply

• This PR's description is comprehensive
• This PR contains breaking changes that are documented in the description
• This PR introduces new APIs or parameters that are documented and unlikely to change in the foreseeable future
• This PR impacts documentation, and it has been updated (or a ticket has been logged)
• This PR's changes are covered by the automated tests
• This PR collects user input/sensitive content into Datadog
• This PR passes the integration tests (ask a Datadog member to run the tests)
• This PR passes the unit tests
• This PR passes the installation tests (ask a Datadog member to run the tests)

[ndakkoune]

Used for ldflags

[ndakkoune]

Even though this is not very clean, I don't see another way to detect the invokation type apart from unmarshalling the whole JSON (way more expensive).

[ndakkoune]

Will log a double error from both the unmarshalling + unknown source. Fair ?

[ndakkoune]

Decided to replace the old AWSEventSource by invokationSource, which is way more explicit.

[ndakkoune]

Pointer here because its shared between all log entries.

[ViBiOh]

It doesn't need to be a pointer for this, we can copy it on each LogEntry. it will not escape to the heap and might be more efficient in the end.

[ViBiOh]

💬 suggestion: ‏ We'll mainly used them as a slice of string, so it might be interesting to convert the string directly to a slice when loading the config.

[ndakkoune]

I agree for CustomTags (and maybe UseFIPS) since we'll append all the specified tags (e.g. env:prod,team:aws) along with other tags such as forwarder_version. However, Source and Host belong other top-level fields (i.e. ddsource:X and host:Y) and I don't see any benefit from that.

[ViBiOh]

It doesn't need to be a pointer for this, we can copy it on each LogEntry. it will not escape to the heap and might be more efficient in the end.

[ViBiOh]

💬 suggestion: ‏ Add the event as a log field, otherwise it will be complex to debug.

[ViBiOh]

Benchmark this and try the decoder approach

[ndakkoune]

Will make a separate PR for this. Thank you!

[ge0Aja]

nit: prefer to have complete variable names

[ge0Aja]

what's the ID here ?

[ge0Aja]

nit: Marshal gives the impression that the output should be a json string, instead we're getting a map. we should either rename the function, or implement as it says

[ge0Aja]

please rename the variable to match the type suggestion: Metadata

[ndakkoune]

These two lines are CloudwatchLogs specific. We'll probably have to put them as pointers in the future, so that they won't appear with their zero values when Marshalling. The other possibility would be to detect the zero values in the backend to deal with them properly (e.g. timestamp: 0 => impossible => generate current timestamp).

[ndakkoune]

Adding the context here avoids us to write a custom MarshalJSON. Since there is only two invocation sources (i.e. CW and S3), it seems a good compromise.

[ge0Aja]

if this is to be shared then I don't think we should adda a cloudwatch logs specific context here.

[ndakkoune]

Will benchmark this and probably try the Decoder strategy.

[ge0Aja]

yes, we did that for cloudtrail events if you're looking for specific keywords at the beginning of the raw json

[ge0Aja]

regarding CloudwatchLogs specific. I thought we agreed to have a separate struct for cloudwatch logs, s3 records, and events. which should remove the need for optional fields.

also , did you check the timestamp format ? is it a linux timestamp or a different format ?

[ndakkoune]

The timestamps provided by AWS are RFC3339, the Datadog intake endpoints ones expect unix epoch times.

[ndakkoune]

Rectifying: Cloudwatch events are also unix epoch time, but S3/SQS/... are still RFC3339

[ge0Aja]

could we have this case ? unknown invocation source ? I think the default case in the switch should be enough

[ndakkoune]

Nothing prevent a customer to create a trigger from an event source we do not support (e.g. Alexa, API Gateway, CloudFront, AppSync).

[ndakkoune]

Btw the 0 value of iota would become the Cloudwatch one, which could be thought as a default case (we could _ invocationSource = iota to skip this).

[ge0Aja]

forwarder level source override (for all logs) if set by the customer

[ge0Aja]

suggestion: use emit function callback instead of passing the channel explicitly.