From f055de97303ef4951b0f57de364029a6baaab241 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Mon, 15 Jun 2020 19:53:33 -0400
Subject: [PATCH] Add forwarded tag example to packetbeat.yml
Add an example to packetbeat.yml of using the `forwarded` tag to disable `host` metadata fields when processing network data from network tap or mirror port.
Relates #13920
---
 CHANGELOG.next.asciidoc | 4 ++++
 packetbeat/_meta/config/general.yml.tmpl | 15 +++++++++++++++
 packetbeat/_meta/config/processors.yml.tmpl | 12 ++++++++++++
 packetbeat/packetbeat.yml | 18 +++++++++++------
 4 files changed, 42 insertions(+), 7 deletions(-)
 create mode 100644 packetbeat/_meta/config/general.yml.tmpl
 create mode 100644 packetbeat/_meta/config/processors.yml.tmpl
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 72a24160d8a..a8fc5d1b890 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -488,6 +488,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Packetbeat*
+- Add an example to packetbeat.yml of using the `forwarded` tag to disable
+ `host` metadata fields when processing network data from network tap or mirror
+ port. {pull}19209[19209]
+
 *Functionbeat*
diff --git a/packetbeat/_meta/config/general.yml.tmpl b/packetbeat/_meta/config/general.yml.tmpl
new file mode 100644
index 00000000000..94a0affbbc3
--- /dev/null
+++ b/packetbeat/_meta/config/general.yml.tmpl
@@ -0,0 +1,15 @@
+{{header "General"}}
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+# env: staging
diff --git a/packetbeat/_meta/config/processors.yml.tmpl b/packetbeat/_meta/config/processors.yml.tmpl
new file mode 100644
index 00000000000..d2cadbe46b1
--- /dev/null
+++ b/packetbeat/_meta/config/processors.yml.tmpl
@@ -0,0 +1,12 @@
+{{header "Processors"}}
+
+processors:
+ - # Add forwarded to tags when processing data from a network tap or mirror.
+ if.contains.tags: forwarded
+ then:
+ - drop_fields:
+ fields: [host]
+ else:
+ - add_host_metadata: ~
+ - add_cloud_metadata: ~
+ - add_docker_metadata: ~
diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml
index 66e1bc85991..704241e90c9 100644
--- a/packetbeat/packetbeat.yml
+++ b/packetbeat/packetbeat.yml
@@ -114,9 +114,10 @@ setup.template.settings:
 # all the transactions sent by a single shipper in the web interface.
 #name:
-# The tags of the shipper are included in their own field with each
-# transaction published.
-#tags: ["service-X", "web-tier"]
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
 # Optional fields that you can specify to add additional information to the
 # output.
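Review bot: The new comment above `#tags: [forwarded]` in general.yml.tmpl credits the tag itself with suppressing host fields, but the behaviour comes from the `if.contains.tags: forwarded` entry in the processors section. A deployment that replaces or trims `processors` while keeping the tag would presumably have the sensor's own `host` fields attached to mirrored traffic again, with nothing in the config indicating why. I would add a pointer to the comment, for example `# This relies on the if.contains.tags conditional under processors; keep that entry if you customize processors.` The same comment text is repeated in the packetbeat.yml hunk at -114,9 +114,10.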
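Review bot: Only `add_host_metadata` appears to be gated on the `forwarded` tag in processors.yml.tmpl. In the packetbeat.yml hunk at -199,14 +200,17 the `add_cloud_metadata` and `add_docker_metadata` lines are unchanged context, which suggests they stay at the top level of `processors` here too (indentation is lost in this view, so confirm against the file). On a tap or mirror sensor running on a cloud instance, `cloud.*` fields describing the sensor would then still be stamped on traffic that belongs to other machines, the same misattribution this change removes for `host`. If that is not intended, move `- add_cloud_metadata: ~` under `else:`; if it is intended, say so in the comment on the conditional.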
@@ -199,14 +200,17 @@ output.elasticsearch:
 # ================================= Processors =================================
-# Configure processors to enhance or manipulate events generated by the beat.
-
 processors:
- - add_host_metadata: ~
+ - # Add forwarded to tags when processing data from a network tap or mirror.
+ if.contains.tags: forwarded
+ then:
+ - drop_fields:
+ fields: [host]
+ else:
+ - add_host_metadata: ~
 - add_cloud_metadata: ~
 - add_docker_metadata: ~
-
 # ================================== Logging ===================================
 # Sets log level. The default log level is info.