Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

All cisco datasets enabled by default cause poor UX #24242

Closed
immon opened this issue Feb 25, 2021 · 4 comments
Closed

All cisco datasets enabled by default cause poor UX #24242

immon opened this issue Feb 25, 2021 · 4 comments
Labels
Filebeat Filebeat Team:Elastic-Agent Label for the Agent team

Comments

@immon
Copy link
Contributor

immon commented Feb 25, 2021

Describe the enhancement:

Disable cisco datasets by default or be more lenient about umbrella dataset misconfiguration.

Describe a specific use case for the enhancement or feature:

We're using CISCO module and use ASA and FTD datasets only. After enabling cisco module all datasets are enabled by default (including meraki, umbrella, nexus, ios). A lack of proper configuration for umbrella caused the following error:

2021-02-18T11:17:37.102Z ERROR instance/beat.go:956 Exiting: Error getting config for fileset cisco/umbrella: Error interpreting the template of the input: template: text:4:14: executing "text" at <.queue_url>: map has no entry for key "queue_url"

Initially we failed to understand that the error complains about but it's complaining about umbrella dataset misconfiguration where dataset is enabled by default, its input defaults to s3, but queue url is not defined, as the whole section for umbrella is non-existent in our configuration.

We keep all configuration in single filebeat.yml file to simplify management over multiple places.

Steps to reproduce:

  • configure cisco ftd in filebeat.yml as following:
$ cat >> filebeat.yml <<EOF
filebeat.modules:
- module: cisco
  ftd:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9123
EOF
  • filebeat fails with an error message stated above

Expected behaviour:

  • Enable ftd dataset only. Don't complain about queue_url. Start successfully.

Possible solution:

  • Disable all datasets by default. Be explicit. If one wants them enabled, they will toggle the setting.
  • Be more lenient regarding other datasets misconfiguration. Implicit approach where different listening ports get opened for unused datasets etc.

Current workaround (for others who found that issue):

  • you should explicitly set enabled: false for every dataset not used to get rid of the startup error.

Note, this issue may apply to all modules enabling multiple datasets by default.
@immon immon added the Filebeat Filebeat label Feb 25, 2021
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 25, 2021
@andresrc
Copy link
Contributor

@urso @andrewkroh related: #17256

@elasticmachine
Copy link
Collaborator

Pinging @elastic/agent (Team:Agent)

@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 25, 2021
@andrewkroh
Copy link
Member

This is being address by #27526 for 8.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Filebeat Filebeat Team:Elastic-Agent Label for the Agent team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@andresrc @immon @andrewkroh @elasticmachine