From 95c80712144cd397f0a18df20cb5db282e5e4508 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Wed, 10 Jun 2020 10:41:29 -0400
Subject: [PATCH] Allow host.* fields to be disabled in Suricata module

If `forwarded` as configured as a tag (e.g. `var.tags: [forwarded]`) for the Suricata module then Filebeat will not add `host` fields to events. This is for use cases where Suricata is analyzing forwarded data (like from a network tap or mirror port).
Relates: #13920
---
 CHANGELOG.next.asciidoc | 1 +
 filebeat/docs/modules/suricata.asciidoc | 6 ++++++
 x-pack/filebeat/module/suricata/_meta/docs.asciidoc | 6 ++++++
 x-pack/filebeat/module/suricata/eve/config/eve.yml | 3 ++-
 x-pack/filebeat/module/suricata/eve/manifest.yml | 2 --
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 09d610d3182d..6e603b228937 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -42,6 +42,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 * iptables {pull}18756[18756]
 * Checkpoint {pull}18754[18754]
 * Netflow {pull}19087[19087]
+* Suricata {pull}19107[19107] (`forwarded` tag is not included by default)
 - Preserve case of http.request.method. ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359]
 - Adds check on `` config option value for the azure input `resource_manager_endpoint`. {pull}18890[18890]
 - Okta module now requires objects instead of JSON strings for the `http_headers`, `http_request_body`, `pagination`, `rate_limit`, and `ssl` variables. {pull}18953[18953]
diff --git a/filebeat/docs/modules/suricata.asciidoc b/filebeat/docs/modules/suricata.asciidoc
index 067fa6935122..0e7348b291da 100644
--- a/filebeat/docs/modules/suricata.asciidoc
+++ b/filebeat/docs/modules/suricata.asciidoc
@@ -45,6 +45,12 @@ include::../include/config-option-intro.asciidoc[]
 include::../include/var-paths.asciidoc[]
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
 [float]
 === Example dashboard
diff --git a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
index 4cdff6aa3d23..08d5feb61cb2 100644
--- a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc
@@ -40,6 +40,12 @@ include::../include/config-option-intro.asciidoc[]
 include::../include/var-paths.asciidoc[]
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[suricata]`.
+
 [float]
 === Example dashboard
diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml
index 67ebcf13d4bd..700c8db17e98 100644
--- a/x-pack/filebeat/module/suricata/eve/config/eve.yml
+++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml
@@ -4,7 +4,8 @@ paths:
 - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors:
 - rename:
diff --git a/x-pack/filebeat/module/suricata/eve/manifest.yml b/x-pack/filebeat/module/suricata/eve/manifest.yml
index 804dc96bed94..99efdd65ed40 100644
--- a/x-pack/filebeat/module/suricata/eve/manifest.yml
+++ b/x-pack/filebeat/module/suricata/eve/manifest.yml
@@ -13,8 +13,6 @@ var:
 - name: community_id
 default: true
- # - name: nested_ecs
- # default: false
 ingest_pipeline: ingest/pipeline.yml
 input: config/eve.yml
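Review bot: The new `publisher_pipeline.disable_host` line in eve.yml carries no comment explaining why it is keyed off the `forwarded` tag, and its scope is described inconsistently: the two doc hunks say only `host.name` is withheld, while the subject line and the option name speak of host fields generally; I would add above it `# Events describe traffic seen on a tap/mirror, not this host: omit host fields so the collector is not mistaken for the traffic source.` and align the `var.tags` docs with whatever disable_host actually suppresses. The match in `inList .tags "forwarded"` is presumably exact and case-sensitive, so a tag like `Forwarded` would leave host fields enabled without any warning — worth one sentence in the `var.tags` description. Because the collector's own identity disappears from the event, the docs could also name which remaining field (presumably `agent.*`, to be confirmed) still identifies the Filebeat instance for triage. The `processors` list that closes this hunk continues outside it.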