Add forwarded tag example to packetbeat.yml (elastic#19209)

Add an example to packetbeat.yml of using the `forwarded` tag to disable `host` metadata fields when processing network data from network tap or mirror port. Relates elastic#13920 (cherry picked from commit 28cb613)
andrewkroh · Jul 29, 2020 · 70a2860 · 70a2860
1 parent eef3581
commit 70a2860
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 7 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -689,6 +689,9 @@ field. You can revert this change by configuring tags for the module and omittin
 
 *Packetbeat*
 
+- Add an example to packetbeat.yml of using the `forwarded` tag to disable
+  `host` metadata fields when processing network data from network tap or mirror
+  port. {pull}19209[19209]
 - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
 - Add 100-continue support {issue}15830[15830] {pull}19349[19349]
 

diff --git a/packetbeat/_meta/config/general.yml.tmpl b/packetbeat/_meta/config/general.yml.tmpl
@@ -0,0 +1,15 @@
+{{header "General"}}
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+#  env: staging
diff --git a/packetbeat/_meta/config/processors.yml.tmpl b/packetbeat/_meta/config/processors.yml.tmpl
@@ -0,0 +1,12 @@
+{{header "Processors"}}
+
+processors:
+  - # Add forwarded to tags when processing data from a network tap or mirror.
+    if.contains.tags: forwarded
+    then:
+      - drop_fields:
+          fields: [host]
+    else:
+      - add_host_metadata: ~
+  - add_cloud_metadata: ~
+  - add_docker_metadata: ~
diff --git a/packetbeat/packetbeat.yml b/packetbeat/packetbeat.yml
@@ -114,9 +114,10 @@ setup.template.settings:
 # all the transactions sent by a single shipper in the web interface.
 #name:
 
-# The tags of the shipper are included in their own field with each
-# transaction published.
-#tags: ["service-X", "web-tier"]
+# A list of tags to include in every event. In the default configuration file
+# the forwarded tag causes Packetbeat to not add any host fields. If you are
+# monitoring a network tap or mirror port then add the forwarded tag.
+#tags: [forwarded]
 
 # Optional fields that you can specify to add additional information to the
 # output.
@@ -199,14 +200,17 @@ output.elasticsearch:
 
 # ================================= Processors =================================
 
-# Configure processors to enhance or manipulate events generated by the beat.
-
 processors:
-  - add_host_metadata: ~
+  - # Add forwarded to tags when processing data from a network tap or mirror.
+    if.contains.tags: forwarded
+    then:
+      - drop_fields:
+          fields: [host]
+    else:
+      - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
 
-
 # ================================== Logging ===================================
 
 # Sets log level. The default log level is info.