
Add support for truncated bytes in MAC addresses as seen with arpwatch and elsewhere #236

Open
dspruell opened this issue Oct 25, 2018 · 0 comments

Comments

@dspruell

  • Version: Logstash 6.3.2
  • Operating System: Debian Stretch 9.5 amd64
  • Config File (if you have sensitive info, please remove it):

Would like to request a variation be added to the MAC pattern to support matching the format used by at least arpwatch when a leading 0 appears in bytes of the MAC address and is stripped in the logs.

Current patterns for reference:

MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})

Example logs where this modified MAC address pattern is exhibited:

Oct  8 16:59:31 router arpwatch: new station 10.0.4.38 0:f:60:9:9e:d9
Oct  8 22:40:54 router arpwatch: new station 10.0.1.39 0:d:b9:49:58:74
Oct  9 00:17:55 router arpwatch: bogon 0.0.0.0 70:ef:0:df:1c:31

This condition is also referenced here in relation to development topics and suggests that the format may appear (intended or unintended) in other code as well, hopefully further justifying inclusion of this in Logstash:

Potential modification? Not certain if it's proper to add in a new pattern to the alternation in MAC that could match this (matching 1 hex character in place of 2), or if COMMONMAC should be modified in that way instead. Can this be implemented?
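The following is an added example, not code from the issue or from the Logstash project. It reproduces the three grok MAC patterns quoted above as Python regexes, adds an arpwatch-style variant (the name ARPWATCHMAC is an assumption; no such pattern ships with Logstash) that accepts one or two hex digits per octet, runs both against the arpwatch lines from the issue, and normalises whatever matches to the canonical zero-padded form so that `0:f:60:9:9e:d9` and `00:0f:60:09:9e:d9` compare equal when checked against an asset inventory. It also shows, on a constructed IPv6 log line, why the relaxed variant should not simply replace COMMONMAC: because grok patterns are unanchored, a `{1,2}`-per-group pattern can match inside an IPv6 address where the strict one cannot.

```python
import re

# Copied from the grok patterns quoted in the issue.
CISCOMAC = r"(?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})"
WINDOWSMAC = r"(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})"
COMMONMAC = r"(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})"

# Assumed name and definition (not a Logstash pattern): arpwatch prints each
# octet with its leading zero stripped, so allow one or two hex digits per group.
ARPWATCHMAC = r"(?:(?:[A-Fa-f0-9]{1,2}:){5}[A-Fa-f0-9]{1,2})"

# Unanchored, like grok's MAC pattern: the first match anywhere in the line wins.
MAC_STRICT = re.compile(f"(?:{CISCOMAC}|{WINDOWSMAC}|{COMMONMAC})")
MAC_RELAXED = re.compile(f"(?:{CISCOMAC}|{WINDOWSMAC}|{COMMONMAC}|{ARPWATCHMAC})")


def extract_mac(line, relaxed=False):
    """Return the first MAC-looking token in the line, or None."""
    m = (MAC_RELAXED if relaxed else MAC_STRICT).search(line)
    return m.group(0) if m else None


def normalize_mac(mac):
    """Canonicalise any of the accepted shapes to lowercase aa:bb:cc:dd:ee:ff."""
    if "." in mac:  # Cisco form: three 4-digit groups, re-chunk into octets
        digits = mac.replace(".", "")
        octets = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    else:  # colon or dash form; zfill restores the stripped leading zero
        octets = [g.zfill(2) for g in re.split(r"[:-]", mac)]
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(o.lower() for o in octets)


# Sample lines: the first three are the arpwatch lines from the issue, the
# fourth is constructed to show the relaxed pattern's false positive.
LOGS = [
    "Oct  8 16:59:31 router arpwatch: new station 10.0.4.38 0:f:60:9:9e:d9",
    "Oct  8 22:40:54 router arpwatch: new station 10.0.1.39 0:d:b9:49:58:74",
    "Oct  9 00:17:55 router arpwatch: bogon 0.0.0.0 70:ef:0:df:1c:31",
    "Oct  9 00:18:00 router radvd: prefix 2001:db8:1:2:3:4:5:6",
]


def scan(lines, relaxed):
    """Map each line to its normalised MAC (or None) under the chosen pattern."""
    out = []
    for line in lines:
        raw = extract_mac(line, relaxed=relaxed)
        out.append(normalize_mac(raw) if raw else None)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("relaxed" if mode else "strict")
        for line, mac in zip(LOGS, scan(LOGS, mode)):
            print(f"  {mac!s:<20} <- {line}")
```

Running it shows the strict pattern missing all three arpwatch lines while the relaxed one recovers them, and also shows the relaxed pattern pulling `b8:1:2:3:4:5` out of the IPv6 prefix on the constructed line. That argues for adding the relaxed form as a separate named pattern applied only to arpwatch messages (or adding boundary assertions around it) rather than loosening COMMONMAC for every log source.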
