chore: Add user_agent.original, destination.address, destination.port, url.domain to ELB access logs (#43141)

<!--Ex. Fixing a bug - Describe the bug and how this fixes the issue.
Ex. Adding a feature - Explain what this achieves.-->
#### Description

This PR enhances ELB access log parsing in the
`awslogsencodingextension` to include additional HTTP and
network-related fields:
- ALB and CLB
       - `user_agent.original` - Original User-Agent header value
- NLB, ALB and CLB
      - `destination.address` - Target destination address
      - `destination.port ` - Target destination port
- ALB and NLB
      - `url.domain` - Domain from the request URL

These fields provide better observability for ELB access logs by
capturing important HTTP request metadata that was previously missing.

Author: MichaelKatsoulis

.chloggen/chore_add-fields-elb-logs.yaml

@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: 'enhancement'
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: 'extension/encoding/awslogsencodingextension'
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: 'Add user_agent.original, destination.address, destination.port, url.domain to ELB access logs'
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [43141]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []

extension/encoding/awslogsencodingextension/README.md

@@ -282,27 +282,27 @@ ELB access log record fields are mapped this way in the resulting OpenTelemetry
 > AWS Fields are according to [documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html).
 
 
-| **AWS Field**                | **OpenTelemetry Field(s)**                                      |
-|------------------------------|-----------------------------------------------------------------------|
-| type                         | `network.protocol.name`                                |
-| time                         | Log timestamp                                |
+| **AWS Field**                | **OpenTelemetry Field(s)**                                           |
+|------------------------------|----------------------------------------------------------------------|
+| type                         | `network.protocol.name`                                              |
+| time                         | Log timestamp                                                        |
 | elb                          | `cloud.resource_id`                                                  |
 | client:port                  | `client.address`, `client.port`                                      |
 | received_bytes               | `http.request.size`                                                  |
 | sent_bytes                   | `http.response.size`                                                 |
-| "request"                    | `url.full`, `http.request.method`, `network.protocol.version`                                    |
+| "request"                    | `url.full`, `http.request.method`, `network.protocol.version`        |
 | ssl_cipher                   | `tls.cipher`                                                         |
 | ssl_protocol                 | `tls.protocol.version`                                               |
 | elb_status_code              | `aws.elb.status.code`                                                |
+| user_agent                   | `user_agent.original`                                                |
+| domain_name                  | `url.domain`                                                         |
 | target:port                  | _Currently not supported_                                |
 | request_processing_time      | _Currently not supported_                                |
 | target_processing_time       | _Currently not supported_                                |
 | response_processing_time     | _Currently not supported_                                |
 | target_status_code           | _Currently not supported_                                |
-| "user_agent"                 | _Currently not supported_                                |
 | target_group_arn             | _Currently not supported_                                |
 | "trace_id"                   | _Currently not supported_                                |
-| "domain_name"                | _Currently not supported_                                |
 | "chosen_cert_arn"            | _Currently not supported_                                |
 | matched_rule_priority        | _Currently not supported_                                |
 | request_creation_time        | _Currently not supported_                                |
@@ -319,26 +319,26 @@ ELB access log record fields are mapped this way in the resulting OpenTelemetry
 
 > AWS Fields are according to [documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest//network/load-balancer-access-logs.html#access-log-entry-format).
 
-| **AWS Field**                | **OpenTelemetry Field(s)**                                      |
+| **AWS Field**                | **OpenTelemetry Field(s)**                                  |
 |------------------------------|-------------------------------------------------------------|
 | type                         | `network.protocol.name`                                     |
 | version                      | `network.protocol.version`                                  |
 | time                         | Log timestamp                                               |
 | elb                          | `cloud.resource_id`                                         |
-| listener                     | `aws.elb.tls.listener.resource_id`                                  |
+| listener                     | `aws.elb.tls.listener.resource_id`                          |
 | client:port                  | `client.address`, `client.port`                             |
+| destination:port             | `destination.address`, `destination.port`                   |
 | received_bytes               | `http.request.size`                                         |
 | sent_bytes                   | `http.response.size`                                        |
 | tls_cipher                   | `tls.cipher`                                                |
 | tls_protocol_version         | `tls.protocol.version`                                      |
-| destination:port             | _Currently not supported_                                   |
+| domain_name                  | `url.domain`                                                |
 | connection_time              | _Currently not supported_                                   |
 | tls_handshake_time           | _Currently not supported_                                   |
 | incoming_tls_alert           | _Currently not supported_                                   |
 | chosen_cert_arn              | _Currently not supported_                                   |
 | chosen_cert_serial           | _Currently not supported_                                   |
 | tls_named_group              | _Currently not supported_                                   |
-| domain_name                  | _Currently not supported_                                   |
 | alpn_fe_protocol             | _Currently not supported_                                   |
 | alpn_be_protocol             | _Currently not supported_                                   |
 | alpn_client_preference_list  | _Currently not supported_                                   |
@@ -352,16 +352,16 @@ ELB access log record fields are mapped this way in the resulting OpenTelemetry
 |-----------------------|--------------------------------------------------------------------------------------------|
 | time                  | Log timestamp                                                                              |
 | elb                   | `cloud.resource_id`                                                                        |
-| client:port                  | `client.address`, `client.port`                             |
+| client:port           | `client.address`, `client.port`                                                            |
 | elb_status_code       | `aws.elb.status.code`                                                                      |
 | backend_status_code   | `aws.elb.backend.status.code`                                                              |
 | received_bytes        | `http.request.size`                                                                        |
 | sent_bytes            | `http.response.size`                                                                       |
 | "request"                    | `url.full`, `http.request.method`, `network.protocol.name`, `network.protocol.version`                                    |
 | ssl_cipher            | `tls.cipher`                                                                               |
 | ssl_protocol          | `tls.protocol.version`                                                                     |
-| backend:port                  | _Currently not supported_                                |
+| user_agent            | `user_agent.original`                                                                      |
+| backend:port          | _Currently not supported_                                                                  |
 | request_processing_time | _Currently not supported_                                                                |
 | backend_processing_time | _Currently not supported_                                                                |
 | response_processing_time | _Currently not supported_                                                               |
-| user_agent                            | _Currently not supported_            |

extension/encoding/awslogsencodingextension/internal/unmarshaler/elb-access-log/elb.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net"
 	"strconv"
 	"strings"
 	"time"
@@ -30,7 +31,9 @@ type CLBAccessLogRecord struct {
 	ELB                    string  // The name of the load balancer
 	ClientIP               string  // Client IP
 	ClientPort             int64   // Client  port
-	BackendIPPort          string  // The IP address and port of the registered instance that processed this request, or -
+	BackendIPPort          string  // Backend IP:Port or -
+	BackendIP              string  // Backend IP split from BackendIPPort
+	BackendPort            int64   // Backend port split from BackendIPPort
 	RequestProcessingTime  float64 // Time taken to process the request in seconds (HTTP/TCP)
 	BackendProcessingTime  float64 // Time taken for the registered instance to respond
 	ResponseProcessingTime float64 // Time taken to send the response to the client
@@ -59,7 +62,7 @@ func convertTextToCLBAccessLogRecord(fields []string) (CLBAccessLogRecord, error
 	record := CLBAccessLogRecord{
 		Time:              fields[0],  // Timestamp
 		ELB:               fields[1],  // Load balancer name
-		BackendIPPort:     fields[3],  // Backend IP:Port
+		BackendIPPort:     fields[3],  // Backend IP:Port or -
 		ELBStatusCode:     0,          // Placeholder for ELB status code
 		BackendStatusCode: 0,          // Placeholder for Backend status code
 		UserAgent:         fields[12], // User-Agent
@@ -68,10 +71,25 @@ func convertTextToCLBAccessLogRecord(fields []string) (CLBAccessLogRecord, error
 	}
 
 	// Process the fields for numerical values (convenient to parse from string)
-	record.ClientIP = strings.Split(fields[2], ":")[0]
-	if record.ClientPort, err = safeConvertStrToInt(strings.Split(fields[2], ":")[1]); err != nil {
+	var clientPort string
+	if record.ClientIP, clientPort, err = net.SplitHostPort(fields[2]); err != nil {
+		return record, fmt.Errorf("could not parse client IP:Port %s: %w", fields[2], err)
+	}
+	if record.ClientPort, err = safeConvertStrToInt(clientPort); err != nil {
 		return record, fmt.Errorf("could not convert client port to integer: %w", err)
 	}
+
+	// Parse BackendIPPort into BackendIP and BackendPort
+	if record.BackendIPPort != unknownField {
+		var backendPort string
+		if record.BackendIP, backendPort, err = net.SplitHostPort(record.BackendIPPort); err != nil {
+			return record, fmt.Errorf("could not parse backend IP:Port %s: %w", record.BackendIPPort, err)
+		}
+		if record.BackendPort, err = safeConvertStrToInt(backendPort); err != nil {
+			return record, fmt.Errorf("could not convert backend port to integer: %w", err)
+		}
+	}
+
 	if record.RequestProcessingTime, err = safeConvertStrToFloat(fields[4]); err != nil {
 		return record, fmt.Errorf("could not convert request processing time to float: %w", err)
 	}
@@ -121,7 +139,8 @@ type NLBAccessLogRecord struct {
 	Listener                  string // Resource ID of the TLS listener for the connection
 	ClientIP                  string // Client IP
 	ClientPort                int64  // Client  port
-	DestinationIPPort         string // The destination IP and port of the target
+	DestinationIP             string // Destination IP
+	DestinationPort           int64  // Destination port
 	ConnectionTime            int64  // Total time for the connection to complete, in milliseconds
 	TLSHandshakeTime          int64  // Time for the TLS handshake to complete, in milliseconds, or -
 	ReceivedBytes             int64  // Count of bytes received by the load balancer from the client, after decryption
@@ -156,7 +175,6 @@ func convertTextToNLBAccessLogRecord(fields []string) (NLBAccessLogRecord, error
 		Time:                      fields[2],  // Timestamp
 		ELB:                       fields[3],  // Load balancer resource ID
 		Listener:                  fields[4],  // Listener ID
-		DestinationIPPort:         fields[6],  // Destination IP and port
 		TLSHandshakeTime:          0,          // TLSHandshakeTime placeholder value
 		IncomingTLSAlert:          fields[11], // Incoming TLS alert
 		ChosenCertARN:             fields[12], // Chosen certificate ARN
@@ -172,11 +190,22 @@ func convertTextToNLBAccessLogRecord(fields []string) (NLBAccessLogRecord, error
 	}
 
 	// Processing additional fields if applicable
-	record.ClientIP = strings.Split(fields[5], ":")[0]
-	if record.ClientPort, err = safeConvertStrToInt(strings.Split(fields[5], ":")[1]); err != nil {
+	var clientPort string
+	if record.ClientIP, clientPort, err = net.SplitHostPort(fields[5]); err != nil {
+		return record, fmt.Errorf("could not parse client IP:Port %s: %w", fields[5], err)
+	}
+	if record.ClientPort, err = safeConvertStrToInt(clientPort); err != nil {
 		return record, fmt.Errorf("could not convert client port to integer: %w", err)
 	}
 
+	var destinationPort string
+	if record.DestinationIP, destinationPort, err = net.SplitHostPort(fields[6]); err != nil {
+		return record, fmt.Errorf("could not parse destination IP:Port %s: %w", fields[6], err)
+	}
+	if record.DestinationPort, err = safeConvertStrToInt(destinationPort); err != nil {
+		return record, fmt.Errorf("could not convert destination port to integer: %w", err)
+	}
+
 	if record.ConnectionTime, err = safeConvertStrToInt(fields[7]); err != nil {
 		return record, fmt.Errorf("could not convert connection time to integer: %w", err)
 	}
@@ -205,7 +234,9 @@ type ALBAccessLogRecord struct {
 	ELB                    string // Load balancer resource ID
 	ClientIP               string // Client IP
 	ClientPort             int64  // Client  port
-	TargetIPPort           string // Target IP and port
+	TargetIPPort           string // Target IP:Port or -
+	TargetIP               string // Target IP
+	TargetPort             int64  // Target port
 	RequestProcessingTime  string // Time taken to process the request in seconds
 	TargetProcessingTime   string // Time taken for the target to process the request in seconds
 	ResponseProcessingTime string // Time taken to send the response to the client in seconds
@@ -269,10 +300,25 @@ func convertTextToALBAccessLogRecord(fields []string) (ALBAccessLogRecord, error
 		Classification:         fields[27],
 		ClassificationReason:   fields[28],
 	}
-	record.ClientIP = strings.Split(fields[3], ":")[0]
-	if record.ClientPort, err = safeConvertStrToInt(strings.Split(fields[3], ":")[1]); err != nil {
+	var clientPort string
+	if record.ClientIP, clientPort, err = net.SplitHostPort(fields[3]); err != nil {
+		return record, fmt.Errorf("could not parse client IP:Port %s: %w", fields[3], err)
+	}
+	if record.ClientPort, err = safeConvertStrToInt(clientPort); err != nil {
 		return record, fmt.Errorf("could not convert client port to integer: %w", err)
 	}
+
+	// Parse TargetIPPort into TargetIP and TargetPort
+	if record.TargetIPPort != unknownField {
+		var targetPort string
+		if record.TargetIP, targetPort, err = net.SplitHostPort(record.TargetIPPort); err != nil {
+			return record, fmt.Errorf("could not parse target IP:Port %s: %w", record.TargetIPPort, err)
+		}
+		if record.TargetPort, err = safeConvertStrToInt(targetPort); err != nil {
+			return record, fmt.Errorf("could not convert target port to integer: %w", err)
+		}
+	}
+
 	if record.ELBStatusCode, err = safeConvertStrToInt(fields[8]); err != nil {
 		return record, fmt.Errorf("could not convert elb status code to integer: %w", err)
 	}

extension/encoding/awslogsencodingextension/internal/unmarshaler/elb-access-log/testdata/alb_al_valid_logs.log

@@ -1 +1,2 @@
-https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" TID_1234abcd5678ef90
+https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 192.168.131.39:2817 10.0.0.1:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" TID_1234abcd5678ef90
+https 2018-07-02T22:23:00.186641Z app/my-loadbalancer/50dc6c495c0c9188 [fe80::202:b3ff:fe1e:8329]:443 [2001:db8::1]:80 0.086 0.048 0.037 200 200 0 57 "GET https://www.example.com:443/ HTTP/1.1" "curl/7.46.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-2:123456789012:targetgroup/my-targets/73e2d6bc24d8a067 "Root=1-58337281-1d84f3d73c47ec4e58577259" "www.example.com" "arn:aws:acm:us-east-2:123456789012:certificate/12345678-1234-1234-1234-123456789012" 1 2018-07-02T22:22:48.364000Z "authenticate,forward" "-" "-" "10.0.0.1:80" "200" "-" "-" TID_1234abcd5678ef90