Implement ECS-Compatibility Mode

[kares]

this one falls under: logstash-plugins/logstash-filter-grok#157

There's going to be 2 set of patterns provided out-of-the-box that provide around the same functionality (at start).
The existing (legacy) set and an ECS set of patterns - with mostly captures reviewed/renamed for compliance.

Patterns are already logically split by functionality into separate files - good enough to convert the whole set one-by-one :

• aws Feat: make AWS patterns ECS compliant #287
• bacula Feat: make BACULA_LOGLINE captures ECS compliant #295
• bind Feat: ecs-ize BIND9 query log captures #281
• bro Feat: ecs-ification of BRO_ patterns #286
• exim (legacy) EXIM base-line for ECS-ification #283 (base-line) Feat: ecs-ify EXIM captures #290
• firewalls Feat: make firewall patterns ECS compliant (1/2) #293 and Feat: make firewall patterns ECS compliant (2/2) #296
• grok-patterns - core set Feat: syslog patterns ecs compatibility #262
• haproxy Feat: make Haproxy captures ECS compliant #289
• httpd normalize HTTPD_COMBINEDLOG matching #280 Feat: ecs-ize httpd patterns #267
• java Feat: make java patterns match in an ecs compatible way #268
• junos Feat: ECS compliant Juniper (SRX) RT_FLOW captures #294
• linux-syslog Feat: syslog patterns ecs compatibility #262
• maven
• mcollective+mcollective-patterns Feat: ecs-ize MCOLLECTIVE named captures #271
• mongodb Feat: ecs-ize MongoDB pattern captures #269
• nagios Feat: ECS compliant NAGIOSLOGLINE captures #276
• postgresql Feat: ecs-ize postgresql named captures #266
• rails Feat: ruby and rails pattern ecs compatibility #265
• redis Feat: redis patterns ecs compatibility #263
• ruby Feat: ruby and rails pattern ecs compatibility #265
• squid Feat: make SQUID3 captures ecs compliant #270

Post TODOs

• ship (legacy) pattern updates 4.2.0 before ECS-ified release

• check if ECS 1.6 is around with http.response.mime_type Feat: make SQUID3 captures ecs compliant #270 (comment)
  in the mean time consider renaming squid.response.content_type to squid.response.mime_type ?
  UPDATE 1.7 shipped http.[request|response].mime_type as GA
  ✔️ renamed squid.response.content_type at 3b86557

• host.name vs host.hostname
  https://github.com/logstash-plugins/logstash-patterns-core/pull/262/files#r459038278
  https://github.com/logstash-plugins/logstash-patterns-core/pull/262/files#r504850250
  ✔️ we'll be using hostname, users should opt-in to name (due SIEM)

• introduce grok conversions for ES ingest node compatibility (strict :int and :float parsing modes, add :long, :double, :boolean + we could also use an AS style :bool conversion e.g. with bro's T/F flags)
  than review patterns
  ✔️ won't block shipping ECS-ified patterns - we should double check :int capture INT-like values
  ✅ ...:int captures reviewed 6dd657b

• need to make sure to set event.original (in grok?) and potentially remove message field before reaching grok
  patterns that extract message to keep the field flat (or default to running with overwrite => [ 'message' ]) in ECS mode

• type-casting doesn't always work due a grok library bug

• avoid mixed <style> named captures (Feat: ruby and rails pattern ecs compatibility #265 (comment))