Add a disable_host option to Filebeat inputs (elastic#18159)
This adds a configuration option `publisher_pipeline.disable_host` to disable the addition
of `host.name` in events. By default Filebeat adds `host.name` to all events and we want
to be able to disable this for data sources that do not originate on the host (like cloud logs).

Relates elastic#13920
andrewkroh authored May 4, 2020
1 parent f80f82c commit 6ea21a9
Showing 10 changed files with 62 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -289,6 +289,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Improve ECS categorization field mappings in redis module. {issue}16179[16179] {pull}17918[17918]
- Improve ECS categorization field mappings for zeek module. {issue}16029[16029] {pull}17738[17738]
- Improve ECS categorization field mappings for netflow module. {issue}16135[16135] {pull}18108[18108]
- Added an input option `publisher_pipeline.disable_host` to disable `host.name`
from being added to events by default. {pull}18159[18159]
- Improve ECS categorization field mappings in system module. {issue}16031[16031] {pull}18065[18065]

*Heartbeat*
5 changes: 5 additions & 0 deletions filebeat/_meta/common.reference.inputs.yml
Expand Up @@ -65,6 +65,11 @@ filebeat.inputs:
# Set to true to publish fields with null values in events.
#keep_null: false

# By default, all events contain `host.name`. This option can be set to true
# to disable the addition of this field to all events. The default value is
# false.
#publisher_pipeline.disable_host: false

# Ignore files which were modified more then the defined timespan in the past.
# ignore_older is disabled by default, so no files are ignored by setting it to 0.
# Time strings like 2h (2 hours), 5m (5 minutes) can be used.
5 changes: 5 additions & 0 deletions filebeat/channel/runner.go
Expand Up @@ -42,6 +42,10 @@ type commonInputConfig struct {
Processors processors.PluginConfig `config:"processors"`
KeepNull bool `config:"keep_null"`

PublisherPipeline struct {
DisableHost bool `config:"disable_host"` // Disable addition of host.name.
} `config:"publisher_pipeline"`

// implicit event fields
Type string `config:"type"` // input.type
ServiceType string `config:"service.type"` // service.type
Expand Down Expand Up @@ -184,6 +188,7 @@ func newCommonConfigEditor(
clientCfg.Processing.Fields = fields
clientCfg.Processing.Processor = procs
clientCfg.Processing.KeepNull = config.KeepNull
clientCfg.Processing.DisableHost = config.PublisherPipeline.DisableHost

return clientCfg, nil
}, nil
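Review bot: The `DisableHost` field in `commonInputConfig` carries only the inline comment `// Disable addition of host.name.`, which does not say when setting it is appropriate. According to the commit description the option is meant for data that does not originate on the host, and an event without `host.name` loses the source attribution that later searches and detections may rely on. I would expand the comment to something like `// DisableHost stops the publisher from adding host.name; meant for inputs whose data does not originate on this host (e.g. cloud logs).` Both `commonInputConfig` and `newCommonConfigEditor` continue outside the hunks shown.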
6 changes: 6 additions & 0 deletions filebeat/docs/inputs/input-common-options.asciidoc
Expand Up @@ -101,3 +101,9 @@ version and the event timestamp; for access to dynamic fields, use

Example value: `"%{[agent.name]}-myindex-%{+yyyy.MM.dd}"` might
expand to `"filebeat-myindex-2019.11.01"`.

[float]
===== `publisher_pipeline.disable_host`

By default, all events contain `host.name`. This option can be set to `true` to
disable the addition of this field to all events. The default value is `false`.
5 changes: 5 additions & 0 deletions filebeat/filebeat.reference.yml
Expand Up @@ -451,6 +451,11 @@ filebeat.inputs:
# Set to true to publish fields with null values in events.
#keep_null: false

# By default, all events contain `host.name`. This option can be set to true
# to disable the addition of this field to all events. The default value is
# false.
#publisher_pipeline.disable_host: false

# Ignore files which were modified more then the defined timespan in the past.
# ignore_older is disabled by default, so no files are ignored by setting it to 0.
# Time strings like 2h (2 hours), 5m (5 minutes) can be used.
5 changes: 5 additions & 0 deletions filebeat/tests/system/config/filebeat.yml.j2
Expand Up @@ -52,6 +52,11 @@ filebeat.{{input_config | default("inputs")}}:
{{k}}: {{v}}
{% endfor %}
{% endif %}
{%- if publisher_pipeline %}
{%- for name, value in publisher_pipeline.items() %}
publisher_pipeline.{{name}}: {{value | tojson}}
{%- endfor %}
{% endif %}

fields_under_root: {{"true" if fieldsUnderRoot else "false"}}

20 changes: 20 additions & 0 deletions filebeat/tests/system/test_input.py
Expand Up @@ -662,3 +662,23 @@ def test_disable_recursive_glob(self):
"recursive glob disabled"),
max_timeout=10)
filebeat.check_kill_and_wait()

def test_input_processing_pipeline_disable_host(self):
"""
Check processing_pipeline.disable_host in input config.
"""
self.render_config_template(
path=os.path.abspath(self.working_dir) + "/test.log",
publisher_pipeline={
"disable_host": True,
},
)
with open(self.working_dir + "/test.log", "w") as f:
f.write("test message\n")

filebeat = self.start_beat()
self.wait_until(lambda: self.output_has(lines=1))
filebeat.check_kill_and_wait()

output = self.read_output()
assert "host.name" not in output[0]
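Review bot: The docstring of `test_input_processing_pipeline_disable_host` reads `Check processing_pipeline.disable_host in input config.`, but the option this commit adds, and the one the test sets, is `publisher_pipeline.disable_host`; the method name has the same slip. I would change the docstring to `Check publisher_pipeline.disable_host in input config.` and rename the test to `test_input_publisher_pipeline_disable_host`. The assertion also covers only the disabled case, so a companion check that `host.name` is present when the option is left unset would guard against the test passing for an unrelated reason; whether another test already covers that is not visible here.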
3 changes: 3 additions & 0 deletions libbeat/beat/pipeline.go
Expand Up @@ -110,6 +110,9 @@ type ProcessingConfig struct {
// KeepNull determines whether published events will keep null values or omit them.
KeepNull bool

// Disables the addition of host.name if it was enabled for the publisher.
DisableHost bool

// Private contains additional information to be passed to the processing
// pipeline builder.
Private interface{}
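Review bot: The new comment on `DisableHost` in `ProcessingConfig` does not start with the field name, unlike the `KeepNull` comment directly above it. I would write `// DisableHost disables the addition of host.name if it was enabled for the publisher.` so the generated documentation stays uniform. The struct definition starts and ends outside the hunk.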
6 changes: 6 additions & 0 deletions libbeat/publisher/processing/default.go
Expand Up @@ -269,6 +269,12 @@ func (b *builder) Create(cfg beat.ProcessingConfig, drop bool) (beat.Processor,
needsCopy := b.alwaysCopy || localProcessors != nil || b.processors != nil

builtin := b.builtinMeta
if cfg.DisableHost {
tmp := builtin.Clone()
tmp.Delete("host")
builtin = tmp
}

var clientFields common.MapStr
for _, mod := range b.modifiers {
m := mod.ClientFields(b.info, cfg)
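Review bot: `tmp.Delete("host")` in `Create` removes the entire `host` object from the cloned builtin metadata, while the option is documented as disabling only `host.name`, and the value returned by `Delete` is dropped without comment. If the builtin metadata only ever holds `host.name` the two are equivalent, but that is not visible in this hunk, so I would add `// Clone so b.builtinMeta itself is not modified; removes the builtin host object (expected to hold only host.name).` above the clone. Writing `_ = tmp.Delete("host")` would show that a missing key is deliberately ignored. The change touches only the builtin metadata, so a configured processor that adds host fields would presumably still do so, which the option's documentation could mention. `Create` starts before and continues after the hunk.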
5 changes: 5 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -1114,6 +1114,11 @@ filebeat.inputs:
# Set to true to publish fields with null values in events.
#keep_null: false

# By default, all events contain `host.name`. This option can be set to true
# to disable the addition of this field to all events. The default value is
# false.
#publisher_pipeline.disable_host: false

# Ignore files which were modified more then the defined timespan in the past.
# ignore_older is disabled by default, so no files are ignored by setting it to 0.
# Time strings like 2h (2 hours), 5m (5 minutes) can be used.
