Skip to content

Commit

Permalink
Add forwarded tag example to packetbeat.yml (elastic#19209) (elastic#…
Browse files Browse the repository at this point in the history
…20309)

Add an example to packetbeat.yml of using the `forwarded` tag to disable `host` metadata fields when processing network data from network tap or mirror port.

Relates elastic#13920

(cherry picked from commit 28cb613)
  • Loading branch information
andrewkroh authored Jul 29, 2020
1 parent c8fade2 commit c76d2c1
Show file tree
Hide file tree
Showing 4 changed files with 41 additions and 7 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -689,6 +689,9 @@ field. You can revert this change by configuring tags for the module and omittin

*Packetbeat*

- Add an example to packetbeat.yml of using the `forwarded` tag to disable
`host` metadata fields when processing network data from network tap or mirror
port. {pull}19209[19209]
- Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
- Add 100-continue support {issue}15830[15830] {pull}19349[19349]

Expand Down
15 changes: 15 additions & 0 deletions packetbeat/_meta/config/general.yml.tmpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{{header "General"}}

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# A list of tags to include in every event. In the default configuration file
# the forwarded tag causes Packetbeat to not add any host fields. If you are
# monitoring a network tap or mirror port then add the forwarded tag.
#tags: [forwarded]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
# env: staging
12 changes: 12 additions & 0 deletions packetbeat/_meta/config/processors.yml.tmpl
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{{header "Processors"}}

processors:
- # Add forwarded to tags when processing data from a network tap or mirror.
if.contains.tags: forwarded
then:
- drop_fields:
fields: [host]
else:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~
18 changes: 11 additions & 7 deletions packetbeat/packetbeat.yml
Original file line number Diff line number Diff line change
Expand Up @@ -114,9 +114,10 @@ setup.template.settings:
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]
# A list of tags to include in every event. In the default configuration file
# the forwarded tag causes Packetbeat to not add any host fields. If you are
# monitoring a network tap or mirror port then add the forwarded tag.
#tags: [forwarded]

# Optional fields that you can specify to add additional information to the
# output.
Expand Down Expand Up @@ -199,14 +200,17 @@ output.elasticsearch:

# ================================= Processors =================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
- add_host_metadata: ~
- # Add forwarded to tags when processing data from a network tap or mirror.
if.contains.tags: forwarded
then:
- drop_fields:
fields: [host]
else:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~


# ================================== Logging ===================================

# Sets log level. The default log level is info.
Expand Down

0 comments on commit c76d2c1

Please sign in to comment.