From 7858df6fc802a2b84afbb90294508b295df5bcf6 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Fri, 26 Jun 2020 11:08:15 -0400 Subject: [PATCH] Allow host.* fields to be disabled in Zeek module (#19113) (#19296) If `forwarded` as configured as a tag (e.g. `var.tags: [forwarded]`) for the Zeek module then Filebeat will not add `host` fields to events. This is for use cases where Zeek is analyzing forwarded data (like from a network tap or mirror port). Relates: #13920 (cherry picked from commit 018b17cae8665ccfe2f1796c86f7cb9b6050a580) --- CHANGELOG.next.asciidoc | 1 + .../module/zeek/capture_loss/config/capture_loss.yml | 3 ++- x-pack/filebeat/module/zeek/connection/config/connection.yml | 3 ++- x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml | 3 ++- x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml | 3 ++- x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml | 3 ++- x-pack/filebeat/module/zeek/dns/config/dns.yml | 3 ++- x-pack/filebeat/module/zeek/dpd/config/dpd.yml | 3 ++- x-pack/filebeat/module/zeek/files/config/files.yml | 3 ++- x-pack/filebeat/module/zeek/ftp/config/ftp.yml | 3 ++- x-pack/filebeat/module/zeek/http/config/http.yml | 5 +++-- x-pack/filebeat/module/zeek/intel/config/intel.yml | 3 ++- x-pack/filebeat/module/zeek/irc/config/irc.yml | 3 ++- x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml | 3 ++- x-pack/filebeat/module/zeek/modbus/config/modbus.yml | 3 ++- x-pack/filebeat/module/zeek/mysql/config/mysql.yml | 3 ++- x-pack/filebeat/module/zeek/notice/config/notice.yml | 3 ++- x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml | 3 ++- x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml | 3 ++- x-pack/filebeat/module/zeek/pe/config/pe.yml | 3 ++- x-pack/filebeat/module/zeek/radius/config/radius.yml | 3 ++- x-pack/filebeat/module/zeek/rdp/config/rdp.yml | 3 ++- x-pack/filebeat/module/zeek/rfb/config/rfb.yml | 3 ++- x-pack/filebeat/module/zeek/sip/config/sip.yml | 3 ++- x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml | 3 ++- x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml | 3 ++- 
.../filebeat/module/zeek/smb_mapping/config/smb_mapping.yml | 3 ++- x-pack/filebeat/module/zeek/smtp/config/smtp.yml | 3 ++- x-pack/filebeat/module/zeek/snmp/config/snmp.yml | 3 ++- x-pack/filebeat/module/zeek/socks/config/socks.yml | 3 ++- x-pack/filebeat/module/zeek/ssh/config/ssh.yml | 3 ++- x-pack/filebeat/module/zeek/ssl/config/ssl.yml | 3 ++- x-pack/filebeat/module/zeek/stats/config/stats.yml | 3 ++- x-pack/filebeat/module/zeek/syslog/config/syslog.yml | 3 ++- x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml | 3 ++- x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml | 3 ++- x-pack/filebeat/module/zeek/weird/config/weird.yml | 3 ++- x-pack/filebeat/module/zeek/x509/config/x509.yml | 3 ++- 38 files changed, 76 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 9d7633023fef..e4963636df7f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -49,6 +49,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d * Checkpoint {pull}18754[18754] * Netflow {pull}19087[19087] * Suricata {pull}19107[19107] (`forwarded` tag is not included by default) +* Zeek {pull}19113[19113] (`forwarded` tag is not included by default) - Preserve case of http.request.method. ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359] - With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta) will no longer send the `host` field that contains information about the host Filebeat is diff --git a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml index 474e4d94ffad..6b6fcf216f2f 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml 
+++ b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index 2fd07156cd86..b13737a882d6 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index 4ee5d46f72a2..e99deb6c68f2 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index cba0c8ccf177..e0eb1831b774 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 6bed5fbef2d1..33890a55071b 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml 
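Review bot: The added `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in capture_loss.yml makes a free-form tag control whether `host.*` is added, with nothing in the template saying so, and the same pair of added lines repeats in every other Zeek fileset config in this patch (connection.yml through x509.yml). An operator who sets `forwarded` purely as a label would silently lose the fields describing the host Filebeat runs on, which responders may use to attribute an event to a sensor; a comment above the line would make the coupling visible, e.g. `# "forwarded" tag set: events describe remote traffic, so this host's host.* fields are not added`. The match is presumably an exact string comparison (the `inList` helper is not shown here), so a variant such as `Forwarded` would leave `host.*` in place, which is worth stating in the same comment. The diffstat lists only the changelog and the fileset configs, so user documentation and a test for the tag are not part of this patch, and each config's remaining settings lie outside the hunk.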
+++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 9a137ca2d9f2..a64579359374 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - rename: diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index d4b8abc101af..49e69972ef66 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml index 413ccb7959b7..9f2046e78223 100644 --- a/x-pack/filebeat/module/zeek/files/config/files.yml +++ b/x-pack/filebeat/module/zeek/files/config/files.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index cd380c290572..9be20cbd85b4 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index 38f7241b314f..6f517c693201 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false @@ -62,7 +63,7 @@ processors: - from: "zeek.http.password" to: "url.password" - + - from: "zeek.http.user_agent" to: "user_agent.original" diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index cb52e756362e..9293393192f5 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - rename: diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index 0b6991603a96..5125e82fac2c 100644 --- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index 5a03d269d8e0..79b6b6c94c0c 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml 
+++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index 923177268c67..c6a6c3bf9e12 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index da2b4b02d924..b3fd2c5484f4 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 3bf628c0029f..71eef51d512f 100644 --- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index 07b4960364ad..dcf1cb46f6fa 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml index f2355d34ad8d..874a0fde6d94 100644 --- a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml +++ b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/pe/config/pe.yml b/x-pack/filebeat/module/zeek/pe/config/pe.yml index e6464ba86017..3df430d7dc96 100644 --- a/x-pack/filebeat/module/zeek/pe/config/pe.yml +++ b/x-pack/filebeat/module/zeek/pe/config/pe.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index b80a2177a046..d133dbc014cd 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index fad5d1f42341..1ea1c28520cf 100644 --- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index aa0f303e28e7..d0eade39d0eb 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index c289ff7103b9..7355ba353c7d 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index b613880302f9..693c439454ad 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index 7c188a39f4d0..16fb3d369645 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index ca6ffa00ada7..168458ba1d05 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index 6ec75151295f..acc02bf91df2 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index f3a670a9d2d5..684ecd01d066 100644 --- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 4d3060ae6572..9ce64d99076c 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index 5657816c73aa..453c6b0fae5b 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index 74336b8428c7..e140ba94e2c3 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/stats/config/stats.yml b/x-pack/filebeat/module/zeek/stats/config/stats.yml index ff8ca3cf95e9..cdf243f7a454 100644 --- a/x-pack/filebeat/module/zeek/stats/config/stats.yml +++ b/x-pack/filebeat/module/zeek/stats/config/stats.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index 662968b502e6..16c6ebb6187a 100644 --- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml index fc1c4b7230fa..13a2a37cc695 100644 --- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml +++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml index 8781fa6dcd62..ac636e9e7c0a 100644 --- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml +++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml index 9631d283de4e..5807f95927b3 100644 --- a/x-pack/filebeat/module/zeek/weird/config/weird.yml +++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/x509/config/x509.yml b/x-pack/filebeat/module/zeek/x509/config/x509.yml index cb70bd594e72..34ab8fc651f8 100644 --- a/x-pack/filebeat/module/zeek/x509/config/x509.yml +++ b/x-pack/filebeat/module/zeek/x509/config/x509.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false