[Winlogbeat] Skip add_host_metadata for forwarded event logs #18153

1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -212,6 +212,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add Kerberos support to Elasticsearch output. {pull}17927[17927]
- Add support for fixed length extraction in `dissect` processor. {pull}17191[17191]
- Set `agent.name` to the hostname by default. {issue}16377[16377] {pull}18000[18000]
- Add config example of how to skip the `add_host_metadata` processor when forwarding logs. {issue}13920[13920] {pull}18153[18153]

*Auditbeat*

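--- a/dev-tools/mage/config.go
+++ b/dev-tools/mage/config.go
@@ -116,6 +116,7 @@ func Config(types ConfigFileType, args ConfigFileParams, targetDir string) error
 "UseDockerMetadataProcessor": true,
 "UseKubernetesMetadataProcessor": false,
 "ExcludeDashboards": false,
+"UseProcessorsTemplate": false,
 }
 for k, v := range args.ExtraVars {
 params[k] = v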
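--- a/libbeat/_meta/config.yml.tmpl
+++ b/libbeat/_meta/config.yml.tmpl
@@ -90,6 +90,7 @@ output.elasticsearch:
 #ssl.key: "/etc/pki/client/cert.key"
 {{end}}
 #================================ Processors =====================================
+{{if .UseProcessorsTemplate}}{{template "processors.yml.tmpl" .}}{{else -}}
 {{if not .UseObserverProcessor}}
 # Configure processors to enhance or manipulate events generated by the beat.
 
@@ -112,7 +113,7 @@ processors:
 #name: us-east-1a
 # Lat, Lon "
 #location: "37.926868, -78.024902"
-{{end}}
+{{end}}{{end}}
 #================================ Logging =====================================
 
 # Sets log level. The default log level is info.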
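Review bot: The new `{{if .UseProcessorsTemplate}}{{template "processors.yml.tmpl" .}}` branch introduces an unstated contract: any beat that sets `UseProcessorsTemplate` must also provide a define named `processors.yml.tmpl` in its own `_meta` templates, otherwise config generation should fail with a missing-template error rather than render a config without a processors block. That is the right failure mode, but nothing in this shared file says so, and the only define lives in another beat's file (winlogbeat/_meta/common.yml.tmpl in this PR). A template comment above the line would make the dependency discoverable, e.g. `{{/* Beats that set UseProcessorsTemplate (via mage ExtraVars) must define "processors.yml.tmpl" in their own _meta templates; it replaces the shared processors block below. */}}`. The `{{if not .UseObserverProcessor}}` block opened in the first hunk closes in the second, with its body outside both hunks.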
17 changes: 5 additions & 12 deletions winlogbeat/_meta/beat.yml.tmpl
Expand Up @@ -2,18 +2,11 @@
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
{{if .Reference}}
# Set to true to publish fields with null values in events.
#keep_null: false
{{end}}

- name: System
{{if .Reference}}
# Set to true to publish fields with null values in events.
#keep_null: false
{{end}}

- name: Security
{{if .Reference}}
# Set to true to publish fields with null values in events.
#keep_null: false
{{end}}

- name: ForwardedEvents
tags: [forwarded]
{{if not .Reference}}{{ template "elasticsearch_settings" . }}{{end}}
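Review bot: The `tags: [forwarded]` line on the new ForwardedEvents entry is the only thing that stops this collector's own host fields from being stamped onto events that originated on other machines (the `add_host_metadata` condition in winlogbeat/_meta/common.yml.tmpl keys on that tag), yet the template gives no hint that the tag is load-bearing; a user who renames or drops it will silently misattribute forwarded events to the collector host, which matters when the events feed detection or investigation. Suggest a comment above the tag, in the same register as the `keep_null` notes this hunk removes: `# Events in this channel originate from other hosts. The "forwarded" tag makes add_host_metadata skip them so they are not attributed to this machine.` Separately, this hunk removes the `{{if .Reference}}` `keep_null` notes from all three existing event log entries (the twelve deletions), which the changelog entry does not mention; if `keep_null` is not documented elsewhere in the reference config, that documentation is lost.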
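--- a/winlogbeat/_meta/common.yml.tmpl
+++ b/winlogbeat/_meta/common.yml.tmpl
@@ -34,3 +34,9 @@ setup.template.settings:
 #index.codec: best_compression
 #_source.enabled: false
 {{end -}}
+{{define "processors.yml.tmpl"}}
+processors:
+- add_host_metadata:
+when.not.contains.tags: forwarded
+- add_cloud_metadata: ~
+{{end -}}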
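Review bot: The new `processors.yml.tmpl` define lists only `add_host_metadata` and `add_cloud_metadata`, whereas the generated winlogbeat/winlogbeat.yml section later on this page still shows `- add_docker_metadata: ~`, and that section's hunk header `@@ -125,12 +127,10 @@` implies four removed lines there, one more than the comment, blank and old `add_host_metadata: ~` line account for; it appears the docker processor is being dropped from the shipped Winlogbeat config. If that is intended, it deserves a mention in the changelog entry, which currently only describes the `add_host_metadata` skip. The `when.not.contains.tags: forwarded` condition is also a cross-file coupling with the `tags: [forwarded]` set in winlogbeat/_meta/beat.yml.tmpl; a comment on the condition such as `# Forwarded events carry the "forwarded" tag (see event_logs); their host fields belong to the origin host, not to this collector.` would keep the two in step.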
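--- a/winlogbeat/cmd/root.go
+++ b/winlogbeat/cmd/root.go
@@ -20,6 +20,7 @@ package cmd
 import (
 "github.com/elastic/beats/v7/libbeat/cmd"
 "github.com/elastic/beats/v7/libbeat/cmd/instance"
+"github.com/elastic/beats/v7/libbeat/publisher/processing"
 "github.com/elastic/beats/v7/winlogbeat/beater"
 
 // Register fields.
@@ -35,4 +36,8 @@ import (
 var Name = "winlogbeat"
 
 // RootCmd to handle beats cli
-var RootCmd = cmd.GenRootCmdWithSettings(beater.New, instance.Settings{Name: Name, HasDashboards: true})
+var RootCmd = cmd.GenRootCmdWithSettings(beater.New, instance.Settings{
+Name: Name,
+HasDashboards: true,
+Processing: processing.MakeDefaultSupport(true, processing.WithECS, processing.WithAgentMeta()),
+})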
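Review bot: The new `Processing:` field on `RootCmd` replaces the default processing support with one built from `WithECS` and `WithAgentMeta` only, and the leading bare `true` passed to `processing.MakeDefaultSupport` is an unlabeled boolean; neither the reason for the override nor the meaning of that flag is stated, and the `// RootCmd to handle beats cli` comment above the change was left as is. Presumably the point is that the default support would attach this machine's host fields to every event, including forwarded ones, so host enrichment is deliberately left to the `add_host_metadata` processor in the config, which the default config conditions on the `forwarded` tag — worth confirming against the doc comment of `MakeDefaultSupport` before writing it down. Suggest extending the doc comment to `// RootCmd to handle beats cli. Processing omits the default host enrichment on purpose: events forwarded from other hosts must not be attributed to this collector, so host fields come only from the add_host_metadata processor, which the default config skips for forwarded events.`, and naming the boolean with a trailing `/* normalize */`-style comment once its meaning is confirmed.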
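--- a/winlogbeat/scripts/mage/config.go
+++ b/winlogbeat/scripts/mage/config.go
@@ -54,7 +54,8 @@ func configFileParams() devtools.ConfigFileParams {
 devtools.LibbeatDir("_meta/config.docker.yml"),
 },
 ExtraVars: map[string]interface{}{
-"GOOS": "windows",
+"GOOS": "windows",
+"UseProcessorsTemplate": true,
 },
 }
 }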
11 changes: 2 additions & 9 deletions winlogbeat/winlogbeat.reference.yml
Expand Up @@ -26,19 +26,12 @@ winlogbeat.event_logs:
- name: Application
ignore_older: 72h

# Set to true to publish fields with null values in events.
#keep_null: false

- name: System

# Set to true to publish fields with null values in events.
#keep_null: false

- name: Security

# Set to true to publish fields with null values in events.
#keep_null: false

- name: ForwardedEvents
tags: [forwarded]


#================================ General ======================================
8 changes: 4 additions & 4 deletions winlogbeat/winlogbeat.yml
Expand Up @@ -25,6 +25,8 @@ winlogbeat.event_logs:

- name: Security

- name: ForwardedEvents
tags: [forwarded]
#==================== Elasticsearch template settings ==========================

setup.template.settings:
Expand Down Expand Up @@ -125,12 +127,10 @@ output.elasticsearch:

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
- add_host_metadata: ~
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~

#================================ Logging =====================================

14 changes: 14 additions & 0 deletions x-pack/winlogbeat/_meta/beat.yml.tmpl
Expand Up @@ -19,4 +19,18 @@ winlogbeat.event_logs:
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

- name: ForwardedEvents
tags: [forwarded]
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

{{if not .Reference}}{{ template "elasticsearch_settings" . }}{{end}}
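Review bot: The two `script` processors added under ForwardedEvents duplicate the `id`/`file` pairs already used by the Security and Sysmon entries above (the same `${path.home}/module/sysmon/config/winlogbeat-sysmon.js` path appears in the context lines just before the hunk), so each script path now lives in two places in this template and is copied again into the generated x-pack configs; a small `{{define}}` per script block, rendered from both entries, would keep them from drifting when a module path changes. The `when.equals.winlog.channel` guards are exact matches on the original channel name, so forwarded events from any other channel pass through this entry with no script applied, which looks intended but is worth a one-line comment such as `# Forwarded Security and Sysmon events get the same module scripts as local ones; other channels pass through untouched.` The `winlogbeat.event_logs` list this entry belongs to starts outside the hunk.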
14 changes: 14 additions & 0 deletions x-pack/winlogbeat/winlogbeat.reference.yml
Expand Up @@ -42,6 +42,20 @@ winlogbeat.event_logs:
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

- name: ForwardedEvents
tags: [forwarded]
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js



#================================ General ======================================
20 changes: 16 additions & 4 deletions x-pack/winlogbeat/winlogbeat.yml
Expand Up @@ -37,6 +37,20 @@ winlogbeat.event_logs:
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

- name: ForwardedEvents
tags: [forwarded]
processors:
- script:
when.equals.winlog.channel: Security
lang: javascript
id: security
file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
lang: javascript
id: sysmon
file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

#==================== Elasticsearch template settings ==========================

setup.template.settings:
Expand Down Expand Up @@ -137,12 +151,10 @@ output.elasticsearch:

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
- add_host_metadata: ~
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~

#================================ Logging =====================================
