From 0a6df6340a7f4de4f3b720e4d00b219d4249add6 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Wed, 10 Jun 2020 11:30:22 -0400 Subject: [PATCH] Allow host.* fields to be disabled in Zeek module If `forwarded` is configured as a tag (e.g. `var.tags: [forwarded]`) for the Zeek module then Filebeat will not add `host` fields to events. This is for use cases where Zeek is analyzing forwarded data (like from a network tap or mirror port). Relates: #13920 --- CHANGELOG.next.asciidoc | 1 + .../module/zeek/capture_loss/config/capture_loss.yml | 3 ++- x-pack/filebeat/module/zeek/connection/config/connection.yml | 3 ++- x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml | 3 ++- x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml | 3 ++- x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml | 3 ++- x-pack/filebeat/module/zeek/dns/config/dns.yml | 3 ++- x-pack/filebeat/module/zeek/dpd/config/dpd.yml | 3 ++- x-pack/filebeat/module/zeek/files/config/files.yml | 3 ++- x-pack/filebeat/module/zeek/ftp/config/ftp.yml | 3 ++- x-pack/filebeat/module/zeek/http/config/http.yml | 5 +++-- x-pack/filebeat/module/zeek/intel/config/intel.yml | 3 ++- x-pack/filebeat/module/zeek/irc/config/irc.yml | 3 ++- x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml | 3 ++- x-pack/filebeat/module/zeek/modbus/config/modbus.yml | 3 ++- x-pack/filebeat/module/zeek/mysql/config/mysql.yml | 3 ++- x-pack/filebeat/module/zeek/notice/config/notice.yml | 3 ++- x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml | 3 ++- x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml | 3 ++- x-pack/filebeat/module/zeek/pe/config/pe.yml | 3 ++- x-pack/filebeat/module/zeek/radius/config/radius.yml | 3 ++- x-pack/filebeat/module/zeek/rdp/config/rdp.yml | 3 ++- x-pack/filebeat/module/zeek/rfb/config/rfb.yml | 3 ++- x-pack/filebeat/module/zeek/sip/config/sip.yml | 3 ++- x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml | 3 ++- x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml | 3 ++- .../filebeat/module/zeek/smb_mapping/config/smb_mapping.yml | 3 ++- 
x-pack/filebeat/module/zeek/smtp/config/smtp.yml | 3 ++- x-pack/filebeat/module/zeek/snmp/config/snmp.yml | 3 ++- x-pack/filebeat/module/zeek/socks/config/socks.yml | 3 ++- x-pack/filebeat/module/zeek/ssh/config/ssh.yml | 3 ++- x-pack/filebeat/module/zeek/ssl/config/ssl.yml | 3 ++- x-pack/filebeat/module/zeek/stats/config/stats.yml | 3 ++- x-pack/filebeat/module/zeek/syslog/config/syslog.yml | 3 ++- x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml | 3 ++- x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml | 3 ++- x-pack/filebeat/module/zeek/weird/config/weird.yml | 3 ++- x-pack/filebeat/module/zeek/x509/config/x509.yml | 3 ++- 38 files changed, 76 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 09d610d3182..178873aea4c 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -42,6 +42,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d * iptables {pull}18756[18756] * Checkpoint {pull}18754[18754] * Netflow {pull}19087[19087] +* Zeek {pull}19113[19113] (`forwarded` tag is not included by default) - Preserve case of http.request.method. ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359] - Adds check on `` config option value for the azure input `resource_manager_endpoint`. {pull}18890[18890] - Okta module now requires objects instead of JSON strings for the `http_headers`, `http_request_body`, `pagination`, `rate_limit`, and `ssl` variables. {pull}18953[18953] diff --git a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml index 474e4d94ffa..6b6fcf216f2 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml 
+++ b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index 2fd07156cd8..b13737a882d 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index 4ee5d46f72a..e99deb6c68f 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index cba0c8ccf17..e0eb1831b77 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 6bed5fbef2d..33890a55071 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml 
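Review bot: The added `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in capture_loss.yml lets a free-form tag switch off `host.*` enrichment, and nothing in the template says so; the same undocumented line is repeated in the other 36 fileset templates in this patch. Events from a fileset tagged `forwarded` will carry no `host.*` fields naming the Filebeat sensor, so detections, dashboards or forensic pivots that rely on `host.name` to identify the collector will need another field. I would put a comment above the line, for example `# "forwarded" in var.tags: Zeek is analyzing tapped/mirrored traffic, so host.* of this Filebeat host is not added`. The match is presumably exact, so a variant such as `Forwarded` would leave `host.*` enabled without any warning; the `inList` helper is not shown in this diff, so that is worth confirming and stating in the comment. The template starts before and continues after the hunk.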
+++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 9a137ca2d9f..a6457935937 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - rename: diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index d4b8abc101a..49e69972ef6 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml index 413ccb7959b..9f2046e7822 100644 --- a/x-pack/filebeat/module/zeek/files/config/files.yml +++ b/x-pack/filebeat/module/zeek/files/config/files.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index cd380c29057..9be20cbd85b 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index 38f7241b314..6f517c69320 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false @@ -62,7 +63,7 @@ processors: - from: "zeek.http.password" to: "url.password" - + - from: "zeek.http.user_agent" to: "user_agent.original" diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index cb52e756362..9293393192f 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - rename: diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index 0b6991603a9..5125e82fac2 100644 --- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index 5a03d269d8e..79b6b6c94c0 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml 
+++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index 923177268c6..c6a6c3bf9e1 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index da2b4b02d92..b3fd2c5484f 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 3bf628c0029..71eef51d512 100644 --- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index 07b4960364a..dcf1cb46f6f 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml index f2355d34ad8..874a0fde6d9 100644 --- a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml +++ b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/pe/config/pe.yml b/x-pack/filebeat/module/zeek/pe/config/pe.yml index e6464ba8601..3df430d7dc9 100644 --- a/x-pack/filebeat/module/zeek/pe/config/pe.yml +++ b/x-pack/filebeat/module/zeek/pe/config/pe.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index b80a2177a04..d133dbc014c 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index fad5d1f4234..1ea1c28520c 100644 --- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index aa0f303e28e..d0eade39d0e 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index c289ff7103b..7355ba353c7 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index b613880302f..693c439454a 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index 7c188a39f4d..16fb3d36964 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index ca6ffa00ada..168458ba1d0 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index 6ec75151295..acc02bf91df 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index f3a670a9d2d..684ecd01d06 100644 --- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 4d3060ae657..9ce64d99076 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index 5657816c73a..453c6b0fae5 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index 74336b8428c..e140ba94e2c 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/stats/config/stats.yml b/x-pack/filebeat/module/zeek/stats/config/stats.yml index ff8ca3cf95e..cdf243f7a45 100644 --- a/x-pack/filebeat/module/zeek/stats/config/stats.yml +++ b/x-pack/filebeat/module/zeek/stats/config/stats.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index 662968b502e..16c6ebb6187 100644 --- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml index fc1c4b7230f..13a2a37cc69 100644 --- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml +++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml index 8781fa6dcd6..ac636e9e7c0 100644 --- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml +++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml index 9631d283de4..5807f95927b 100644 --- a/x-pack/filebeat/module/zeek/weird/config/weird.yml +++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false diff --git a/x-pack/filebeat/module/zeek/x509/config/x509.yml b/x-pack/filebeat/module/zeek/x509/config/x509.yml index cb70bd594e7..34ab8fc651f 100644 --- a/x-pack/filebeat/module/zeek/x509/config/x509.yml +++ b/x-pack/filebeat/module/zeek/x509/config/x509.yml 
@@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} json.keys_under_root: false