Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a disable_host option to Filebeat inputs #18159

Merged
merged 3 commits into from
May 4, 2020
Merged

Add a disable_host option to Filebeat inputs #18159

merged 3 commits into from
May 4, 2020

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented May 3, 2020
edited
Loading

What does this PR do?

This adds a configuration option publisher_pipeline.disable_host to disable the addition
of host.name in events. By default Filebeat adds host.name to all events and we want
to be able to disable this for data sources that do not originate on the host (like cloud logs).

Relates #13920

Why is it important?

ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. For some data sources Filebeat does not know that actual host and it should not use its own host name in these events. This gives a way to turn this off.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Run Filebeat and verify that the output does not have host.name.

---
filebeat.inputs:
- paths: test.log
   publisher_pipeline.disable_host: true
output.console.pretty: true

Use cases

This will be used by several modules:

  • aws
  • azure
  • googlecloud
  • misp
  • o365
  • okta
  • panw
  • suricata (depends on whether it monitors a network tap or local host traffic)
  • zeek (depends on whether it monitors a network tap or local host traffic)

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 3, 2020
@andrewkroh andrewkroh marked this pull request as ready for review May 3, 2020 19:00
@andrewkroh andrewkroh requested a review from urso May 3, 2020 19:00
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh mentioned this pull request May 3, 2020
Closed
6 tasks
@elasticmachine
Copy link
Collaborator

elasticmachine commented May 3, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 7691
Skipped 1210
Total 8901

Steps errors

Expand to view the steps failures

  • Name: Make -C generator/_templates/metricbeat test

    • Description: make -C generator/_templates/metricbeat test

    • Result: FAILURE

    • Duration: 2 min 27 sec<

    • Start Time: 2020-05-04T14:48:05.293+0000

  • Name: Make -C generator/_templates/beat test

    • Description: make -C generator/_templates/beat test

    • Result: FAILURE

    • Duration: 1 min 51 sec<

    • Start Time: 2020-05-04T14:58:00.644+0000

  • Name: Make -C generator/_templates/metricbeat test

    • Description: make -C generator/_templates/metricbeat test

    • Result: FAILURE

    • Duration: 1 min 17 sec<

    • Start Time: 2020-05-04T15:01:07.617+0000

  • Name: Make -C generator/_templates/beat test

    • Description: make -C generator/_templates/beat test

    • Result: FAILURE

    • Duration: 2 min 38 sec<

    • Start Time: 2020-05-04T15:27:39.921+0000

@andresrc andresrc removed the needs_team Indicates that the issue/PR needs a Team:* label label May 4, 2020
@urso
Copy link

urso commented May 4, 2020

The change LGTM. The default filebeat configuration contains add_host_metadata. This means we will always have host set, right?

urso
urso reviewed May 4, 2020
View reviewed changes
CHANGELOG.next.asciidoc Outdated Show resolved Hide resolved
@andrewkroh
Copy link
Member Author

andrewkroh commented May 4, 2020
edited
Loading

This means we will always have host set, right?

Yes, I'm thinking to update the example config to show how put a condition on the add_host_metadata to skip based on some condition. This is the reason I opened #18148.

@andrewkroh
Add a disable_host option to Filebeat inputs
31102b5 
This adds a configuration option `publisher_pipeline.disable_host` to disable the addition
of `host.name` in events. By default Filebeat adds `host.name` to all events and we want
to be able to disable this for data sources that do not originate on the host (like cloud logs).

Relates elastic#13920
@andrewkroh
Update changelog
2f4c846
@andrewkroh andrewkroh force-pushed the feature/filebeat/publisher-pipeline-disable-host branch from 7fcdd77 to 2f4c846 Compare May 4, 2020 13:57
@andrewkroh andrewkroh merged commit 6ea21a9 into elastic:master May 4, 2020
@andrewkroh andrewkroh mentioned this pull request May 4, 2020
Merged
6 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this pull request May 4, 2020
@andrewkroh
Add a disable_host option to Filebeat inputs (elastic#18159)
7abf29c 
This adds a configuration option `publisher_pipeline.disable_host` to disable the addition
of `host.name` in events. By default Filebeat adds `host.name` to all events and we want
to be able to disable this for data sources that do not originate on the host (like cloud logs).

Relates elastic#13920

(cherry picked from commit 6ea21a9)
This was referenced May 5, 2020
Merged
Open
andrewkroh added a commit that referenced this pull request May 5, 2020
@andrewkroh
Add a disable_host option to Filebeat inputs (#18159) (#18188)
84078fb 
This adds a configuration option `publisher_pipeline.disable_host` to disable the addition
of `host.name` in events. By default Filebeat adds `host.name` to all events and we want
to be able to disable this for data sources that do not originate on the host (like cloud logs).

Relates #13920

(cherry picked from commit 6ea21a9)
@andrewkroh andrewkroh mentioned this pull request Jun 9, 2020
Merged
6 tasks
@msluther msluther mentioned this pull request Mar 3, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@urso urso urso left review comments

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
enhancement Filebeat Filebeat libbeat review v7.8.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@andrewkroh @elasticmachine @urso @adriansr @andresrc