Disable host.* fields by default for iptables module (#18756)
For the iptables module, when data is forwarded to Filebeat from another host/device, you don't want Filebeat to add `host`. So by default this module adds a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.

Relates: #13920
andrewkroh authored Jun 1, 2020
1 parent 2644743 commit 60c6ba4
Showing 10 changed files with 74 additions and 37 deletions.
10 changes: 3 additions & 7 deletions CHANGELOG.next.asciidoc
Expand Up @@ -32,17 +32,13 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
running on. This is because the `host` field specifies the host on which the event
happened. {issue}13920[13920] {pull}18223[18223]
- With the default configuration the following modules will no longer send the `host`
field. You can revert this change by configuring tags for the module and omitting
field that contains information about the host on which Filebeat is running.
You can revert this change by configuring tags for the module and omitting
`forwarded` from the list. {issue}13920[13920]
* CEF {pull}18223[18223]
* PANW {pull}18223[18223]
* Cisco {pull}18753[18753]
will no longer send the `host` field that contains information about the host Filebeat is
running on. This is because the `host` field specifies the host on which the event
happened. {issue}13920[13920] {pull}18223[18223]
- With the default configuration the cef and panw modules will no longer send the `host`
field. You can revert this change by configuring tags for the module and omitting
`forwarded` from the list. {issue}13920[13920] {pull}18223[18223]
* iptables {pull}18756[18756]
* Checkpoint {pull}18754[18754]
- Preserve case of http.request.method. ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359]
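Review bot: the module sub-list under the consolidated "following modules" entry is in no consistent order (CEF, PANW, Cisco, iptables, Checkpoint) and will get harder to maintain as more modules adopt the `forwarded` default; sort it alphabetically (CEF, Checkpoint, Cisco, iptables, PANW) so later additions have an obvious slot. Folding the separate cef/panw entry into this one list is otherwise right, since each module now carries its own `{pull}` reference.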

6 changes: 6 additions & 0 deletions filebeat/docs/modules/iptables.asciidoc
Expand Up @@ -61,6 +61,12 @@ The UDP port to listen for syslog traffic. Defaults to `9001`

NOTE: Ports below 1024 require Filebeat to run as root.

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[iptables, forwarded]`.

include::../include/timezone-support.asciidoc[]

[float]
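Review bot: this file under filebeat/docs/modules is the generated copy of x-pack/filebeat/module/iptables/_meta/docs.asciidoc, so wording fixes to the new `var.tags` entry (in particular reconciling `host.name` here with the `host.*` fields named in the commit title) belong in the _meta file, with this copy regenerated rather than hand-edited.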
6 changes: 6 additions & 0 deletions x-pack/filebeat/module/iptables/_meta/docs.asciidoc
Expand Up @@ -56,6 +56,12 @@ The UDP port to listen for syslog traffic. Defaults to `9001`

NOTE: Ports below 1024 require Filebeat to run as root.

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[iptables, forwarded]`.

include::../include/timezone-support.asciidoc[]

[float]
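Review bot: "causes `host.name` to not be added" does not match the commit title's `host.*`, and a reader of this page cannot tell which is right. `publisher_pipeline.disable_host` (set in input.yml in this change) only suppresses the `host.name` the publisher pipeline adds; the remaining `host.*` fields come from the `add_host_metadata` processor, which the default filebeat.yml skips when `tags` contains `forwarded`. Suggest saying so in one sentence, and spelling out that the match is on the exact tag string `forwarded`, e.g. "Including `forwarded` indicates that the events did not originate on this host; Filebeat then does not add `host.name`, and the default `add_host_metadata` processor configuration skips these events as well."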
3 changes: 2 additions & 1 deletion x-pack/filebeat/module/iptables/log/config/input.yml
Expand Up @@ -15,7 +15,8 @@ exclude_files: [".gz$"]

{{ end }}

tags: {{.tags}}
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
- add_locale: ~
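Review bot: `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` hinges on an exact, case-sensitive match of the token `forwarded` in `.tags`; a user who writes `Forwarded` or `forwarded-syslog` silently gets `host.name` back, so the `var.tags` documentation should name the exact token. The switch from `{{.tags}}` to `{{.tags | tojson}}` is necessary rather than cosmetic: Go's default rendering of the now two-element slice is `[iptables forwarded]`, which YAML reads as a single tag `iptables forwarded`, whereas `tojson` yields `["iptables","forwarded"]`; worth a one-line comment so nobody reverts it.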
2 changes: 1 addition & 1 deletion x-pack/filebeat/module/iptables/log/manifest.yml
Expand Up @@ -5,7 +5,7 @@ var:
default:
- /var/log/iptables.log
- name: tags
default: [iptables]
default: [iptables, forwarded]
- name: syslog_host
default: localhost
- name: syslog_port
Expand Up @@ -61,7 +61,8 @@
"source.mac": "90:10:65:29:b6:2a",
"source.port": 38842,
"tags": [
"iptables"
"iptables",
"forwarded"
]
}
]
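Review bot: these golden-file updates only record the extra `forwarded` tag; none of the visible fixture lines assert on the absence of `host.*`, so the effect of `publisher_pipeline.disable_host` is not exercised by this test data. A system test (or an assertion in the module test runner) that a default-configured iptables event carries no `host.name` would cover the behaviour the commit title describes.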
Expand Up @@ -37,7 +37,8 @@
"source.ip": "192.0.2.71",
"source.mac": "90:10:18:5a:89:2a",
"tags": [
"iptables"
"iptables",
"forwarded"
]
}
]
30 changes: 20 additions & 10 deletions x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
Expand Up @@ -45,7 +45,8 @@
"source.mac": "90:10:9e:ec:2c:71",
"source.port": 17805,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -91,7 +92,8 @@
"source.mac": "90:10:76:e0:e2:d5",
"source.port": 47091,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -140,7 +142,8 @@
"source.mac": "90:10:9e:ec:2c:71",
"source.port": 59319,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -189,7 +192,8 @@
"source.mac": "90:10:9e:ec:2c:71",
"source.port": 44181,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -238,7 +242,8 @@
"source.mac": "90:10:76:e0:e2:d5",
"source.port": 64358,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -284,7 +289,8 @@
"source.mac": "90:10:9e:ec:2c:71",
"source.port": 58830,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -333,7 +339,8 @@
"source.mac": "90:10:76:e0:e2:d5",
"source.port": 51985,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -382,7 +389,8 @@
"source.mac": "90:10:76:e0:e2:d5",
"source.port": 4099,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -428,7 +436,8 @@
"source.mac": "90:10:9e:ec:2c:71",
"source.port": 59287,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -474,7 +483,8 @@
"source.mac": "90:10:76:e0:e2:d5",
"source.port": 53296,
"tags": [
"iptables"
"iptables",
"forwarded"
]
}
]
33 changes: 22 additions & 11 deletions x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json
Expand Up @@ -34,7 +34,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -72,7 +73,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -110,7 +112,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -148,7 +151,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -186,7 +190,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -224,7 +229,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -262,7 +268,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -300,7 +307,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -338,7 +346,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -376,7 +385,8 @@
"service.type": "iptables",
"source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001",
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -416,7 +426,8 @@
"source.ip": "fe80:0000:0000:0000:0084:88ff:feae:790a",
"source.mac": "90:10:aa:bb:cc:dd",
"tags": [
"iptables"
"iptables",
"forwarded"
]
}
]
Expand Up @@ -44,7 +44,8 @@
"source.mac": "90:10:73:ba:d6:77",
"source.port": 48689,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -100,7 +101,8 @@
"source.mac": "90:10:24:67:f4:89",
"source.port": 43189,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -159,7 +161,8 @@
"source.mac": "90:10:65:29:b6:2a",
"source.port": 50093,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -214,7 +217,8 @@
"source.mac": "90:10:65:29:b6:2a",
"source.port": 50093,
"tags": [
"iptables"
"iptables",
"forwarded"
]
},
{
Expand Down Expand Up @@ -269,7 +273,8 @@
"source.mac": "90:10:65:29:b6:2a",
"source.port": 50093,
"tags": [
"iptables"
"iptables",
"forwarded"
]
}
]
