-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Setting host.* in Beats that forward data #13920
Comments
@webmat Would it be appropriate to populate |
Here are cases that should populate
Here are cases that should not populate
In both of these cases, if the data stream contains the source host's detail, it should to go to |
The case of monitoring containers may require a chat, I see a few cases, there may be more:
I'm not sure the current semantics as defined by ECS are clear nor sufficient to fully capture this. Maybe I'm wrong. But I'd be more than happy to have a chat with folks specialized with monitoring Docker, and hash out ideas here. Let me know if that would be useful. |
I just installed filebeat 7.4 and I am using the netflow module. I have the same problem. agent.hostname is the agent.hostname for the hostname of netflow input server instead of the sender. I had to update some visualization for Kibana and replace agent.hostname with observer.ip. |
It is not only the processors, but also libbeat directly adding some fields. See: https://github.com/elastic/beats/blob/master/libbeat/publisher/processing/default.go#L78 I'm in favor of not automatically modifying any event once it hits libbeat. All modification should be opt-in via processors. |
I totally agree, we have this same problem with cloud metadata and cloud monitoring modules (AWS, Azure, etc). Something we have with beats/libbeat/processors/add_cloud_metadata/add_cloud_metadata.go Lines 112 to 117 in 1fb41ea
In this case, cloud metadata for the agent is not sent, which may not be ideal (it could make sense to have it under Something like this could make sense for
Happy to participate in this conversation @webmat! |
To me it feels like the overall problem is that we have a limited set of namespaces, but yet there is potentially a trail of subsystems an event might have been passed through. Ultimately one might want an array of system descriptors the event has passed. For now I want to solve the issue at hand, as this has come up a few times already. The Overall ECS discussions are maybe better handled in the github.com/elastic/ecs repository. For example in filebeat we introduced a kafka input, to allow architectures like We also do not want to introduce "heavy" breaking changes in 7.x. So for 7.x I'm planning these changes (independent of ECS):
For 8.x I would like to remove setting I will create issues for individual tasks, if we agree on the plan. |
This plan makes a lot of sense. Thanks for putting this together, @urso! |
FWIW this also concerns APM, we are setting |
@urso, regarding an
This sounds good but I don't think it cannot work as long as libbeat continues to set For reference this is the code that adds beats/libbeat/publisher/processing/default.go Lines 311 to 317 in 61fe9fc
|
When {{ .tags }} is evaluated in the module config it not written in the correct format. This fixes that issue and also conditionally enables `publisher_pipeline.disable_host` based on whether tags contains `forwarded` to be consistent with every other module that allows for `var.tags` to be set (relates: #13920). For example (https://play.golang.org/p/LUr-X94msd1): var.tags: [foo, bar] will be written into the config as tags: [foo bar] which is a single value array containing the string "foo bar" rather than two tags. (cherry picked from commit b48c388)
For the Checkpoint module when data is forwarded to Fortinet from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: elastic#13920 (cherry picked from commit ff0d22b)
For the Checkpoint module when data is forwarded to Fortinet from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: #13920 (cherry picked from commit ff0d22b)
Update Filebeat's test_modules.py integration test to not strip the `host.name` field in events marked as forwarded. Relates elastic#13920
Update Filebeat's test_modules.py integration test to not strip the `host.name` field in events marked as forwarded. Relates #13920
Update Filebeat's test_modules.py integration test to not strip the `host.name` field in events marked as forwarded. Relates elastic#13920 (cherry picked from commit 156c87b)
Add an example to packetbeat.yml of using the `forwarded` tag to disable `host` metadata fields when processing network data from network tap or mirror port. Relates elastic#13920 (cherry picked from commit 28cb613)
For the netflow module when data is forwarded to Filebeat from another host/device you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: elastic#13920
If `forwarded` as configured as a tag (e.g. `var.tags: [forwarded]`) for the Suricata module then Filebeat will not add `host` fields to events. This is for use cases where Suricata is analyzing forwarded data (like from a network tap or mirror port). Relates: elastic#13920
If `forwarded` as configured as a tag (e.g. `var.tags: [forwarded]`) for the Zeek module then Filebeat will not add `host` fields to events. This is for use cases where Zeek is analyzing forwarded data (like from a network tap or mirror port). Relates: elastic#13920
For the CrowdStrike module when data is forwarded to Filebeat from another host/device you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: elastic#13920
When {{ .tags }} is evaluated in the module config it not written in the correct format. This fixes that issue and also conditionally enables `publisher_pipeline.disable_host` based on whether tags contains `forwarded` to be consistent with every other module that allows for `var.tags` to be set (relates: elastic#13920). For example (https://play.golang.org/p/LUr-X94msd1): var.tags: [foo, bar] will be written into the config as tags: [foo bar] which is a single value array containing the string "foo bar" rather than two tags.
For the Checkpoint module when data is forwarded to Fortinet from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: elastic#13920
Add an example to packetbeat.yml of using the `forwarded` tag to disable `host` metadata fields when processing network data from network tap or mirror port. Relates elastic#13920
Update Filebeat's test_modules.py integration test to not strip the `host.name` field in events marked as forwarded. Relates elastic#13920
Hi all, |
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
Hi all, I'm using Custom Journald logs from the Elastic Integrations (https://www.elastic.co/docs/current/integrations/journald), is it also possible to disable the host.* replacement? |
oh, sorry, i've added the tag "forwarded" and it works. |
There are several use cases in Beats where the data reported by a Beat did not originate on that Beat host. Some examples are syslog, windows forwarded events, router netflow data, and cloud watch logs. In these cases it would be appropriate to set the
host.*
field to information about the originating machine.From ECS:
Some issues related to this:
host.name
and have host metadata processor enabled #10698I think we need way for inputs and modules to be able to "designate" that
host.*
should not be set by default. The output pipeline and also theadd_host_metadata
processor will need to honor this "designation".The text was updated successfully, but these errors were encountered: