From c76d2c1f7a40c8e606b3b4b44ba24c596fa9a080 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Wed, 29 Jul 2020 15:17:29 -0400
Subject: [PATCH] Add forwarded tag example to packetbeat.yml (#19209) (#20309)
Add an example to packetbeat.yml of using the `forwarded` tag to disable `host` metadata fields when processing network data from network tap or mirror port.
Relates #13920
(cherry picked from commit 28cb6132147ad28e68ec25e29fc3a387248689a5)
---
 CHANGELOG.next.asciidoc | 3 +++
 packetbeat/_meta/config/general.yml.tmpl | 15 +++++++++++++++
 packetbeat/_meta/config/processors.yml.tmpl | 12 ++++++++++++
 packetbeat/packetbeat.yml | 18 +++++++++++-------
 4 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 packetbeat/_meta/config/general.yml.tmpl
 create mode 100644 packetbeat/_meta/config/processors.yml.tmpl
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 55b0faf71e3..c06066ef3aa 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -689,6 +689,9 @@ field. You can revert this change by configuring tags for the module and omittin
 *Packetbeat*
+- Add an example to packetbeat.yml of using the `forwarded` tag to disable
+ `host` metadata fields when processing network data from network tap or mirror
+ port. {pull}19209[19209]
 - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
 - Add 100-continue support {issue}15830[15830] {pull}19349[19349]
diff --git a/packetbeat/_meta/config/general.yml.tmpl b/packetbeat/_meta/config/general.yml.tmpl
new file mode 100644
index 00000000000..94a0affbbc3
--- /dev/null
+++ b/packetbeat/_meta/config/general.yml.tmpl
@@ -0,0 +1,15 @@
+{{header "General"}}
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
diff --git a/packetbeat/_meta/config/processors.yml.tmpl b/packetbeat/_meta/config/processors.yml.tmpl
new file mode 100644
index 00000000000..d2cadbe46b1
--- /dev/null
+++ b/packetbeat/_meta/config/processors.yml.tmpl
@@ -0,0 +1,12 @@
+{{header "Processors"}}
+
+processors:
+ - # Add forwarded to tags when processing data from a network tap or mirror.
+ if.contains.tags: forwarded
+ then:
+ - drop_fields:
+ fields: [host]
+ else:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+ - add_docker_metadata: ~
diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml
index c162650c6a1..53f87d73003 100644
--- a/packetbeat/packetbeat.yml
+++ b/packetbeat/packetbeat.yml
@@ -114,9 +114,10 @@ setup.template.settings:
 # all the transactions sent by a single shipper in the web interface.
 #name:
-# The tags of the shipper are included in their own field with each
-# transaction published.
-#tags: ["service-X", "web-tier"]
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
 # Optional fields that you can specify to add additional information to the
 # output.
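Review bot: In the new processors.yml.tmpl block, `drop_fields` with `fields: [host]` is written without `ignore_missing`, so a forwarded-tagged event that reaches it with no `host` object makes the processor return an error (which, as far as I can tell, is then logged for every such event); nothing in the hunk shows that `host` is always present, so adding `ignore_missing: true` next to `fields: [host]` would keep the example quiet in that case. The inline comment `# Add forwarded to tags when processing data from a network tap or mirror.` says what to do but not why the branch drops `host` instead of enriching it; suggest `# Forwarded events describe traffic observed on a tap or mirror port, so the sensor's own host.* fields would misattribute it; drop them rather than enrich.`. The identical block is added to packetbeat.yml in the `@@ -199,14 +200,17 @@` hunk and should receive the same change.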
@@ -199,14 +200,17 @@ output.elasticsearch:
 # ================================= Processors =================================
-# Configure processors to enhance or manipulate events generated by the beat.
-
 processors:
- - add_host_metadata: ~
+ - # Add forwarded to tags when processing data from a network tap or mirror.
+ if.contains.tags: forwarded
+ then:
+ - drop_fields:
+ fields: [host]
+ else:
+ - add_host_metadata: ~
 - add_cloud_metadata: ~
 - add_docker_metadata: ~
-
 # ================================== Logging ===================================
 # Sets log level. The default log level is info.
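Review bot: The removed line `# Configure processors to enhance or manipulate events generated by the beat.` was the only sentence describing what the `processors` section is for, and the new inline comment only explains the forwarded example, so the section loses its own documentation; keeping that line above `processors:` would preserve it without touching the example. The conditional block itself is the same one introduced in processors.yml.tmpl, so whatever is settled there (the `ignore_missing` handling on `drop_fields` and the why-comment) applies to this hunk as well.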