diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b0ea043ca905..f7cdddc0f4ac 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -42,6 +42,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d * iptables {pull}18756[18756] * Checkpoint {pull}18754[18754] * Netflow {pull}19087[19087] +* Suricata {pull}19107[19107] (`forwarded` tag is not included by default) - Preserve case of http.request.method. ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359] - Adds check on `` config option value for the azure input `resource_manager_endpoint`. {pull}18890[18890] - Okta module now requires objects instead of JSON strings for the `http_headers`, `http_request_body`, `pagination`, `rate_limit`, and `ssl` variables. {pull}18953[18953] diff --git a/filebeat/docs/modules/suricata.asciidoc b/filebeat/docs/modules/suricata.asciidoc index 067fa6935122..0e7348b291da 100644 --- a/filebeat/docs/modules/suricata.asciidoc +++ b/filebeat/docs/modules/suricata.asciidoc @@ -45,6 +45,12 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + [float] === Example dashboard diff --git a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc index 4cdff6aa3d23..08d5feb61cb2 100644 --- a/x-pack/filebeat/module/suricata/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/suricata/_meta/docs.asciidoc 
@@ -40,6 +40,12 @@ include::../include/config-option-intro.asciidoc[] include::../include/var-paths.asciidoc[] +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[suricata]`. + [float] === Example dashboard diff --git a/x-pack/filebeat/module/suricata/eve/config/eve.yml b/x-pack/filebeat/module/suricata/eve/config/eve.yml index 67ebcf13d4bd..700c8db17e98 100644 --- a/x-pack/filebeat/module/suricata/eve/config/eve.yml +++ b/x-pack/filebeat/module/suricata/eve/config/eve.yml @@ -4,7 +4,8 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - rename: diff --git a/x-pack/filebeat/module/suricata/eve/manifest.yml b/x-pack/filebeat/module/suricata/eve/manifest.yml index 804dc96bed94..99efdd65ed40 100644 --- a/x-pack/filebeat/module/suricata/eve/manifest.yml +++ b/x-pack/filebeat/module/suricata/eve/manifest.yml @@ -13,8 +13,6 @@ var: - name: community_id default: true - # - name: nested_ecs - # default: false ingest_pipeline: ingest/pipeline.yml input: config/eve.yml
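Review bot: The new `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` line in eve.yml keys a behavioural switch on an exact match of a user-supplied tag list, and nothing in the generated config records that convention; a tag written as `Forwarded` or `forward` (presumably `inList` compares literally — worth confirming) silently keeps `host.name` on events that, per the docs hunk, did not originate on the collector, which is exactly the misattribution the option is meant to prevent. Likewise the switch from `{{.tags}}` to `{{.tags | tojson}}` deserves a why-comment, since the rendered YAML is what the fileset loads and tag values with YAML metacharacters presumably could otherwise alter the generated config. I would add above the `tags:` line `# Rendered as JSON so tag values with YAML metacharacters cannot break the generated config.` and above the new `publisher_pipeline.disable_host` line `# A literal "forwarded" tag means the events were not produced on this host, so host.name is withheld to avoid attributing them to the collector.`. The `processors` block that follows continues beyond the hunk.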