Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] Skip add_host_metadata for forwarded event logs #18153

Merged
merged 1 commit into from
May 4, 2020
Merged

[Winlogbeat] Skip add_host_metadata for forwarded event logs #18153

merged 1 commit into from
May 4, 2020

Conversation

andrewkroh
Copy link
Member

What does this PR do?

Update config examples to use the "forwarded" tag to skip adding host metadata.

Also disable host.name being added by libbeat. This field was overwritten by
the winlog.computer_name so it didn't serve any purpose to have libbeat set it.

Relates #13920

Why is it important?

Having host.* fields populated with data from the system on which the event occurred is important for interpreting and reacting to the data.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Relates #13920

Use cases

When reading from ForwardedEvents in a Windows Event Collector (WEC) setup you don't want the WEC machine using it's own host metadata in forwarded events. This solves that problem.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020
@andrewkroh andrewkroh force-pushed the feature/winlogbeat-host-forwarded branch 2 times, most recently from 587b765 to 1eab800 Compare May 2, 2020 02:20
@andrewkroh andrewkroh marked this pull request as ready for review May 2, 2020 02:23
@andrewkroh andrewkroh requested a review from a team as a code owner May 2, 2020 02:23
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@elasticmachine
Copy link
Collaborator

elasticmachine commented May 2, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 7688
Skipped 1210
Total 8898

Steps errors

Expand to view the steps failures

  • Name: Make -C generator/_templates/metricbeat test

    • Description: make -C generator/_templates/metricbeat test

    • Result: FAILURE

    • Duration: 1 min 57 sec<

    • Start Time: 2020-05-04T15:12:37.422+0000

  • Name: Make -C generator/_templates/beat test

    • Description: make -C generator/_templates/beat test

    • Result: FAILURE

    • Duration: 1 min 18 sec<

    • Start Time: 2020-05-04T15:22:22.191+0000

  • Name: Make -C generator/_templates/metricbeat test

    • Description: make -C generator/_templates/metricbeat test

    • Result: FAILURE

    • Duration: 1 min 18 sec<

    • Start Time: 2020-05-04T15:36:00.864+0000

  • Name: Make -C generator/_templates/beat test

    • Description: make -C generator/_templates/beat test

    • Result: FAILURE

    • Duration: 2 min 38 sec<

    • Start Time: 2020-05-04T15:42:24.881+0000

@andresrc andresrc removed the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020
@andrewkroh andrewkroh force-pushed the feature/winlogbeat-host-forwarded branch 3 times, most recently from bd5428b to 14beac3 Compare May 3, 2020 16:10
@andrewkroh
Skip add_host_metadata for forwarded event logs
5ff2233 
Update config examples to use the "forwarded" tag to skip adding host metadata.

Also disable host.name being added by libbeat. This field was overwritten by
the winlog.computer_name so it didn't serve any purpose to have libbeat set it.

Relates elastic#13920
@andrewkroh andrewkroh force-pushed the feature/winlogbeat-host-forwarded branch from 14beac3 to 5ff2233 Compare May 4, 2020 14:19
leehinman
leehinman approved these changes May 4, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andrewkroh andrewkroh merged commit f80f82c into elastic:master May 4, 2020
andrewkroh added a commit to andrewkroh/beats that referenced this pull request May 4, 2020
@andrewkroh
Skip add_host_metadata for forwarded event logs (elastic#18153)
45d26fb 
Update config examples to use the "forwarded" tag to skip adding host metadata.

Also disable host.name being added by libbeat. This field was overwritten by
the winlog.computer_name so it didn't serve any purpose to have libbeat set it.

Relates elastic#13920

(cherry picked from commit f80f82c)
@andrewkroh andrewkroh mentioned this pull request May 4, 2020
Merged
5 tasks
andrewkroh added a commit that referenced this pull request May 4, 2020
@andrewkroh
Skip add_host_metadata for forwarded event logs (#18153) (#18183)
68b04ea 
Update config examples to use the "forwarded" tag to skip adding host metadata.

Also disable host.name being added by libbeat. This field was overwritten by
the winlog.computer_name so it didn't serve any purpose to have libbeat set it.

Relates #13920

(cherry picked from commit f80f82c)
@andrewkroh andrewkroh mentioned this pull request May 5, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman approved these changes

Assignees
No one assigned
Labels
enhancement review v7.8.0 Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@andrewkroh @elasticmachine @leehinman @andresrc