From c1ad82e3d642ed6b151d0192f6a5b0719b240681 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 9 Jun 2020 18:37:25 -0400 Subject: [PATCH] Disable host.* fields by default for netflow module For the netflow module when data is forwarded to Filebeat from another host/device you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: #13920 --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/modules/netflow.asciidoc | 6 ++++++ x-pack/filebeat/module/netflow/_meta/docs.asciidoc | 6 ++++++ x-pack/filebeat/module/netflow/log/config/netflow.yml | 3 +++ x-pack/filebeat/module/netflow/log/manifest.yml | 2 ++ 5 files changed, 18 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e0b88067f469..a6eda0f9390a 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -41,6 +41,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d * Cisco {pull}18753[18753] * iptables {pull}18756[18756] * Checkpoint {pull}18754[18754] +* Netflow {pull}19087[19087] - Preserve case of http.request.method. ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359] - Adds check on `` config option value for the azure input `resource_manager_endpoint`. {pull}18890[18890] - Okta module now requires objects instead of JSON strings for the `http_headers`, `http_request_body`, `pagination`, `rate_limit`, and `ssl` variables. {pull}18953[18953] diff --git a/filebeat/docs/modules/netflow.asciidoc b/filebeat/docs/modules/netflow.asciidoc index 016e48f3e9ef..44ab1dca085d 100644 --- a/filebeat/docs/modules/netflow.asciidoc 
+++ b/filebeat/docs/modules/netflow.asciidoc @@ -72,6 +72,12 @@ details. monitor sequence numbers in the Netflow packets to detect an Exporting Process reset. See <> for details. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[forwarded]`. + :has-dashboards!: :fileset_ex!: diff --git a/x-pack/filebeat/module/netflow/_meta/docs.asciidoc b/x-pack/filebeat/module/netflow/_meta/docs.asciidoc index f882a253fbd2..b696ca4dea3c 100644 --- a/x-pack/filebeat/module/netflow/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/netflow/_meta/docs.asciidoc @@ -67,6 +67,12 @@ details. monitor sequence numbers in the Netflow packets to detect an Exporting Process reset. See <> for details. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[forwarded]`. + :has-dashboards!: :fileset_ex!: diff --git a/x-pack/filebeat/module/netflow/log/config/netflow.yml b/x-pack/filebeat/module/netflow/log/config/netflow.yml index 194a9020c73c..b34160bd6b9c 100644 --- a/x-pack/filebeat/module/netflow/log/config/netflow.yml +++ b/x-pack/filebeat/module/netflow/log/config/netflow.yml @@ -24,6 +24,9 @@ custom_definitions: detect_sequence_reset: {{.detect_sequence_reset}} {{end}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/netflow/log/manifest.yml b/x-pack/filebeat/module/netflow/log/manifest.yml index 8e1e1b727399..e46428b2fc0b 100644 --- a/x-pack/filebeat/module/netflow/log/manifest.yml +++ b/x-pack/filebeat/module/netflow/log/manifest.yml 
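Review bot: The new `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in netflow.yml ties a provenance decision to the exact tag string `forwarded`. Any `var.tags` override that omits it, such as the commit message's own `var.tags: [my_tag]`, re-enables `host.*` enrichment without warning and labels every flow record with the collector's identity instead of the exporter's. Detections and investigations that pivot on `host.name` would then attribute traffic to the wrong machine, which is hard to spot after the fact. I would add a comment above the two new lines, e.g. `# host.* is suppressed only while tags contains "forwarded"; keep it when adding your own tags`, and confirm whether `inList` matches case-sensitively and what it does when `var.tags` is a scalar, since neither is visible here. The same coupling comes from `default: [forwarded]` in the manifest.yml hunk, and the two docs hunks say only `host.name` is omitted while the commit message says `host.*`.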
@@ -15,6 +15,8 @@ var: - name: timeout - name: custom_definitions - name: detect_sequence_reset + - name: tags + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/netflow.yml