feat: Preserve event.original when errors occur in pipelines (#15798)

- Added append processor to global on_failure to preserve event original
- Added append processor to default pipelines to preserve event original if error.message is set

Affects the following integrations:

- arista_ngfw
- cef
- checkpoint
- cisco_aironet
- cisco_asa
- cisco_ftd
- cisco_ios
- cisco_ise
- cisco_nexus
- cisco_secure_email_gateway

Author: taylor-swanson

packages/arista_ngfw/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.5.0"
+  changes:
+    - description: Preserve event.original on pipeline error.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15798
 - version: "1.4.2"
   changes:
     - description: Generate processor tags and normalize error handler.

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/admin_login.yml

@@ -77,3 +77,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -987,6 +987,12 @@ processors:
         - _conf
         - _ingest
       ignore_missing: true
+  - append:
+      tag: append_preserve_original_event_on_error
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false
+      if: ctx.error?.message != null
 on_failure:
   - set:
       field: event.kind
@@ -998,3 +1004,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/http_event.yml

@@ -130,3 +130,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/interface_stats.yml

@@ -50,3 +50,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/intrusion_prevention.yml

@@ -69,3 +69,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/session_stats.yml

@@ -37,3 +37,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/system_stats.yml

@@ -148,3 +148,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/data_stream/log/elasticsearch/ingest_pipeline/web_filter.yml

@@ -40,3 +40,7 @@ on_failure:
         {{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
         {{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
         failed with message '{{{ _ingest.on_failure_message }}}'
+  - append:
+      field: tags
+      value: preserve_original_event
+      allow_duplicates: false

packages/arista_ngfw/manifest.yml

@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: arista_ngfw
 title: "Arista NG Firewall"
-version: "1.4.2"
+version: "1.5.0"
 source:
   license: "Elastic-2.0"
 description: "Collect logs and metrics from Arista NG Firewall."