From 31902ab24c305140f9200a30a844d728fe5e20d2 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Tue, 26 May 2020 19:01:18 -0400
Subject: [PATCH] Disable host.* fields by default for iptables module
For the iptables module when data is forwarded to Filebeat from another host/device you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.
Relates: #13920
---
 CHANGELOG.next.asciidoc | 1 +
 filebeat/docs/modules/iptables.asciidoc | 6 ++++
 .../module/iptables/_meta/docs.asciidoc | 6 ++++
 .../module/iptables/log/config/input.yml | 3 +-
 .../filebeat/module/iptables/log/manifest.yml | 2 +-
 .../iptables/log/test/geo.log-expected.json | 3 +-
 .../iptables/log/test/icmp.log-expected.json | 3 +-
 .../log/test/iptables.log-expected.json | 30 +++++++++++------
 .../iptables/log/test/ipv6.log-expected.json | 33 ++++++++++++-------
 .../log/test/ubiquiti.log-expected.json | 15 ++++++---
 10 files changed, 72 insertions(+), 30 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 91c108dc815e..cdccd0567983 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -33,6 +33,7 @@ happened. {issue}13920[13920] {pull}18223[18223] - With the default configuration the cef and panw modules will no longer send the `host` field. You can revert this change by configuring tags for the module and omitting `forwarded` from the list. {issue}13920[13920] {pull}18223[18223]
+* iptables {pull}18756[18756]
 *Heartbeat*
diff --git a/filebeat/docs/modules/iptables.asciidoc b/filebeat/docs/modules/iptables.asciidoc
index 9858d0d7fcd3..9d16daa6d7a8 100644
--- a/filebeat/docs/modules/iptables.asciidoc
+++ b/filebeat/docs/modules/iptables.asciidoc
@@ -61,6 +61,12 @@ The UDP port to listen for syslog traffic. Defaults to `9001` NOTE: Ports below 1024 require Filebeat to run as root.
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[iptables, forwarded]`.
+
 include::../include/timezone-support.asciidoc[] [float]
diff --git a/x-pack/filebeat/module/iptables/_meta/docs.asciidoc b/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
index f95425b71488..dd7239f2a38e 100644
--- a/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
+++ b/x-pack/filebeat/module/iptables/_meta/docs.asciidoc
@@ -56,6 +56,12 @@ The UDP port to listen for syslog traffic. Defaults to `9001` NOTE: Ports below 1024 require Filebeat to run as root.
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[iptables, forwarded]`.
+
 include::../include/timezone-support.asciidoc[] [float]
diff --git a/x-pack/filebeat/module/iptables/log/config/input.yml b/x-pack/filebeat/module/iptables/log/config/input.yml
index 02488b0e1ce4..6183661122a5 100644
--- a/x-pack/filebeat/module/iptables/log/config/input.yml
+++ b/x-pack/filebeat/module/iptables/log/config/input.yml
@@ -15,7 +15,8 @@ exclude_files: [".gz$"] {{ end }}
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors: - add_locale: ~
diff --git a/x-pack/filebeat/module/iptables/log/manifest.yml b/x-pack/filebeat/module/iptables/log/manifest.yml
index b93377397b9f..fdd976f7fa88 100644
--- a/x-pack/filebeat/module/iptables/log/manifest.yml
+++ b/x-pack/filebeat/module/iptables/log/manifest.yml
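Review bot: The new `publisher_pipeline.disable_host` line in input.yml ties host.* suppression to the literal `forwarded` tag, so any user who sets `var.tags` without it silently gets the host fields back, and the template itself says nothing about that coupling. A comment above that line, `# host.* is dropped only while "forwarded" is in var.tags; omitting it from a custom tag list re-adds the host fields`, would keep the two settings from drifting apart. The same coupling applies to the manifest.yml hunk that sets the default to `[iptables, forwarded]`. Presumably `inList` is an exact string match, so a misspelled or differently-cased tag re-enables host.* without any warning; worth confirming. The docs hunks say only `host.name` is affected while the subject line and the `disable_host` key refer to all `host.*` fields, so aligning that wording would avoid misleading readers about what is suppressed.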
@@ -5,7 +5,7 @@ var: default: - /var/log/iptables.log - name: tags
- default: [iptables]
+ default: [iptables, forwarded]
 - name: syslog_host default: localhost - name: syslog_port
diff --git a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
index 19f0b2a7143d..40bbac9e3f53 100644
--- a/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/geo.log-expected.json
@@ -61,7 +61,8 @@ "source.mac": "90:10:65:29:b6:2a", "source.port": 38842, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] } ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json
index fc5e515461cb..5115298200fd 100644
--- a/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/icmp.log-expected.json
@@ -37,7 +37,8 @@ "source.ip": "192.0.2.71", "source.mac": "90:10:18:5a:89:2a", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] } ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
index 5589e8dc6027..1ce4df25bc98 100644
--- a/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/iptables.log-expected.json
@@ -45,7 +45,8 @@ "source.mac": "90:10:9e:ec:2c:71", "source.port": 17805, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -91,7 +92,8 @@ "source.mac": "90:10:76:e0:e2:d5", "source.port": 47091, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -140,7 +142,8 @@ "source.mac": "90:10:9e:ec:2c:71", "source.port": 59319, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -189,7 +192,8 @@ "source.mac": "90:10:9e:ec:2c:71", "source.port": 44181, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -238,7 +242,8 @@ "source.mac": "90:10:76:e0:e2:d5", "source.port": 64358, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -284,7 +289,8 @@ "source.mac": "90:10:9e:ec:2c:71", "source.port": 58830, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -333,7 +339,8 @@ "source.mac": "90:10:76:e0:e2:d5", "source.port": 51985, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -382,7 +389,8 @@ "source.mac": "90:10:76:e0:e2:d5", "source.port": 4099, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -428,7 +436,8 @@ "source.mac": "90:10:9e:ec:2c:71", "source.port": 59287, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -474,7 +483,8 @@ "source.mac": "90:10:76:e0:e2:d5", "source.port": 53296, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] } ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json
index 8bed25072d70..7c4880433aa2 100644
--- a/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/ipv6.log-expected.json
@@ -34,7 +34,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -72,7 +73,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -110,7 +112,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -148,7 +151,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -186,7 +190,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -224,7 +229,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -262,7 +268,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -300,7 +307,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -338,7 +346,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -376,7 +385,8 @@ "service.type": "iptables", "source.ip": "2001:0db8:0000:0000:0000:0000:0000:0001", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -416,7 +426,8 @@ "source.ip": "fe80:0000:0000:0000:0084:88ff:feae:790a", "source.mac": "90:10:aa:bb:cc:dd", "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] } ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
index 486a34c850f9..739961f7f222 100644
--- a/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
+++ b/x-pack/filebeat/module/iptables/log/test/ubiquiti.log-expected.json
@@ -44,7 +44,8 @@ "source.mac": "90:10:73:ba:d6:77", "source.port": 48689, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -100,7 +101,8 @@ "source.mac": "90:10:24:67:f4:89", "source.port": 43189, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -159,7 +161,8 @@ "source.mac": "90:10:65:29:b6:2a", "source.port": 50093, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -214,7 +217,8 @@ "source.mac": "90:10:65:29:b6:2a", "source.port": 50093, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] }, {
@@ -269,7 +273,8 @@ "source.mac": "90:10:65:29:b6:2a", "source.port": 50093, "tags": [
- "iptables"
+ "iptables",
+ "forwarded"
 ] } ]
\ No newline at end of file