diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 55b0faf71e34..c06066ef3aa0 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -689,6 +689,9 @@ field. You can revert this change by configuring tags for the module and omittin
 
 *Packetbeat*
 
+- Add an example to packetbeat.yml of using the `forwarded` tag to disable
+ `host` metadata fields when processing network data from network tap or mirror
+ port. {pull}19209[19209]
 - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
 - Add 100-continue support {issue}15830[15830] {pull}19349[19349]
 
diff --git a/packetbeat/_meta/config/general.yml.tmpl b/packetbeat/_meta/config/general.yml.tmpl
new file mode 100644
index 000000000000..94a0affbbc3b
--- /dev/null
+++ b/packetbeat/_meta/config/general.yml.tmpl
@@ -0,0 +1,15 @@
+{{header "General"}}
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
diff --git a/packetbeat/_meta/config/processors.yml.tmpl b/packetbeat/_meta/config/processors.yml.tmpl
new file mode 100644
index 000000000000..d2cadbe46b12
--- /dev/null
+++ b/packetbeat/_meta/config/processors.yml.tmpl
@@ -0,0 +1,12 @@
+{{header "Processors"}}
+
+processors:
+ - # Add forwarded to tags when processing data from a network tap or mirror.
+ if.contains.tags: forwarded
+ then:
+ - drop_fields:
+ fields: [host]
+ else:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+ - add_docker_metadata: ~
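Review bot: The comment above `#tags: [forwarded]` in general.yml.tmpl presents suppression of the host fields as an effect of the tag itself, while as far as this diff shows it is produced by the conditional `drop_fields` processor added in processors.yml.tmpl; a user who customises or removes the `processors:` block keeps the tag but, presumably, not the behaviour. The two sections should point at each other so that they are kept in sync, e.g. replace the second sentence with `# the forwarded tag is matched by the conditional in the Processors section below, which drops the host fields so that mirrored traffic is not attributed to the capture machine.` The same comment text is added to packetbeat.yml by the first hunk of that file in this commit.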
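Review bot: `drop_fields` in the `then` branch of processors.yml.tmpl lists `host` without `ignore_missing: true`, so an event carrying the `forwarded` tag that reaches the processor with no `host` object makes the processor report a missing-field error rather than being a no-op; whether `host` is already absent at that point depends on where libbeat adds `host.name` relative to the global processors, which this diff does not show, so it is worth verifying. Adding `ignore_missing: true` alongside `fields: [host]` makes the branch safe in both cases. The identical block is added to packetbeat.yml by the second hunk of that file in this commit and needs the same change.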
diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml
index c162650c6a19..53f87d730035 100644
--- a/packetbeat/packetbeat.yml
+++ b/packetbeat/packetbeat.yml
@@ -114,9 +114,10 @@ setup.template.settings:
 # all the transactions sent by a single shipper in the web interface.
 #name:
 
-# The tags of the shipper are included in their own field with each
-# transaction published.
-#tags: ["service-X", "web-tier"]
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
 
 # Optional fields that you can specify to add additional information to the
 # output.
@@ -199,14 +200,17 @@ output.elasticsearch:
 
 # ================================= Processors =================================
 
-# Configure processors to enhance or manipulate events generated by the beat.
-
 processors:
- - add_host_metadata: ~
+ - # Add forwarded to tags when processing data from a network tap or mirror.
+ if.contains.tags: forwarded
+ then:
+ - drop_fields:
+ fields: [host]
+ else:
+ - add_host_metadata: ~
 - add_cloud_metadata: ~
 - add_docker_metadata: ~
 
-
 # ================================== Logging ===================================
 
 # Sets log level. The default log level is info.
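Review bot: In the Processors hunk the explanatory comment is placed on the list-item line (`- # Add forwarded to tags ...`), where a reader scanning the file expects a processor name, and it describes the user action rather than what the conditional does, while the general `# Configure processors to enhance or manipulate events generated by the beat.` line that used to introduce the section is removed. Keeping that introductory line above `processors:` and moving the item comment onto its own line as `# Events tagged forwarded (network tap or mirror port) have their host fields dropped; all other events are enriched with host, cloud and docker metadata.` would make the shipped default self-explaining. As this hunk is the generated counterpart of processors.yml.tmpl, the same wording belongs in the template.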