Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #18754 to 7.x: Disable host.* fields by default for Checkpoint module #19035

Merged
merged 1 commit into from
Jun 9, 2020
Merged

Cherry-pick #18754 to 7.x: Disable host.* fields by default for Checkpoint module #19035

merged 1 commit into from
Jun 9, 2020

Conversation

andrewkroh
Copy link
Member

Cherry-pick of PR #18754 to 7.x branch. Original message:

What does this PR do?

For the Checkpoint module when data is forwarded to Filebeat from another host/device (this is most of the time) you don't want Filebeat to add host. So by default this modules add a forwarded tag to events. If you configure the module to not include the forwarded tag (e.g. var.tags: [my_tag]) then Filebeat will add the host.* fields.

Why is it important?

We want Filebeat to follow Elastic Common Schema. And setting host with the correct value is part of that. By setting (or not setting host) we can better interpret events. Without this change the Filebeat host is being attributed as the source of Checkpoint firewall events.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 8, 2020
@andrewkroh
Disable host.* fields by default for Checkpoint module (elastic#18754)
450d9bb 
For the Checkpoint module when data is forwarded to Filebeat from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.

Relates: elastic#13920
(cherry picked from commit 4c74b14)
@andrewkroh andrewkroh force-pushed the backport_18754_7.x branch from 88eeaff to 450d9bb Compare June 8, 2020 14:58
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jun 8, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [andrewkroh commented: run tests]

  • Start Time: 2020-06-09T18:55:45.028+0000

  • Duration: 66 min 40 sec

Test stats 🧪

Test Results
Failed 0
Passed 2656
Skipped 417
Total 3073

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 8, 2020
@andrewkroh
Copy link
Member Author

run tests

@andrewkroh andrewkroh merged commit 814b9be into elastic:7.x Jun 9, 2020
@andrewkroh andrewkroh deleted the backport_18754_7.x branch January 14, 2022 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
backport review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewkroh @elasticmachine @adriansr