[Awscloudwatch] Input creates non-ecs dotted field instead of ecs nested object.

[leandrojmp]

Hello,

The awscloudwatch input creates some fields with information about the log group, log stream and ingestion time.

• aws.cloudwatch.log_group
• aws.cloudwatch.log_stream
• aws.cloudwatch.ingestion_time

For this to be ecs compliant it would be expected for the resulting document to have the following structure:

{
    "aws": {
        "cloudwatch": {
            "log_group": "somevalue",
            "log_stream": "somevalue",
            "ingestion_time": "someValue"
        }
    }
}

But in the document the structure is this one:

{
    "aws.cloudwatch": {
        "log_group": "somevalue",
        "log_stream": "somevalue",
        "ingestion_time": "someValue"
        }
}

We have a field with a literal dot in it, which leads to confusion and can lead to problems in ingest pipelines as well.

Those fields are being created in this part of the code:

"aws.cloudwatch": mapstr.M{
    "log_group":      logGroupId,
    "log_stream":     *logEvent.LogStreamName,
    "ingestion_time": time.Unix(*logEvent.IngestionTime/1000, 0),
},

It seems that this needs to be changed to something like this:

"aws": mapstr.M{
	"cloudwatch": mapstr.M{
		"log_group":      logGroupId,
		"log_stream":     *logEvent.LogStreamName,
		"ingestion_time": time.Unix(*logEvent.IngestionTime/1000, 0),
	}
},

I've opened an issue about this a couple of years ago in the integrations repository, but it went stale.

There was a PR to fix a similar issue in the same input with the field log.file.path here: #41099

Since we are nearing version 9.0 I opened the same PR here in the beats repository.

[botelastic]

This issue doesn't have a Team:<team> label.