Disable host.* fields by default for Checkpoint module (#18754)

For the Checkpoint module when data is forwarded to Filebeat from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.

Relates: #13920
(cherry picked from commit 4c74b14)

CHANGELOG.next.asciidoc

@@ -38,6 +38,14 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in panw module.  event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910]
 - Improve ECS categorization field mappings for nginx module. http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844]
 - Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982]
+- With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta)
+  will no longer send the `host` field that contains information about the host Filebeat is
+  running on. This is because the `host` field specifies the host on which the event
+  happened. {issue}13920[13920] {pull}18223[18223]
+- With the default configuration the following modules will no longer send the `host`
+  field. You can revert this change by configuring tags for the module and omitting
+  `forwarded` from the list. {issue}13920[13920]
+* Checkpoint {pull}18754[18754]
 - Preserve case of http.request.method.  ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359]
 
 *Heartbeat*

filebeat/docs/modules/checkpoint.asciidoc

@@ -62,6 +62,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9001.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[checkpoint-firewall, forwarded]`.
+
 [float]
 ==== Check Point devices
 
@@ -166,6 +172,7 @@ Check Point Syslog extensions are mapped as follows to ECS:
 
 :modulename!:
 
+
 [float]
 === Fields
 

x-pack/filebeat/module/checkpoint/_meta/docs.asciidoc

@@ -57,6 +57,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9001.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[checkpoint-firewall, forwarded]`.
+
 [float]
 ==== Check Point devices
 
@@ -159,4 +165,4 @@ Check Point Syslog extensions are mapped as follows to ECS:
 | xlatedport                 | destination.nat.port           |
 |==============================================================
 
-:modulename!:
+:modulename!:

x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml

@@ -15,7 +15,8 @@ exclude_files: [".gz$"]
 
 {{ end }}
 
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
   - add_locale: ~

x-pack/filebeat/module/checkpoint/firewall/manifest.yml

@@ -4,12 +4,12 @@ var:
   - name: syslog_host
     default: localhost
   - name: tags
-    default: [checkpoint-firewall]
+    default: [checkpoint-firewall, forwarded]
   - name: syslog_port
     default: 9001
   - name: input
     default: syslog
 
-ingest_pipeline: 
+ingest_pipeline:
   - ingest/pipeline.yml
 input: config/firewall.yml