Skip to content

Commit

Permalink
Disable host.* fields by default for CrowdStrike module (elastic#19132)
Browse files Browse the repository at this point in the history
For the CrowdStrike module when data is forwarded to Filebeat from another host/device you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.

Relates: elastic#13920
  • Loading branch information
andrewkroh authored and melchiormoulin committed Oct 14, 2020
1 parent fa12c0a commit 712c91d
Show file tree
Hide file tree
Showing 5 changed files with 466 additions and 389 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
* CEF {pull}18223[18223]
* PANW {pull}18223[18223]
* Cisco {pull}18753[18753]
* CrowdStrike {pull}19132[19132]
* iptables {pull}18756[18756]
* Checkpoint {pull}18754[18754]
* Netflow {pull}19087[19087]
Expand Down
3 changes: 3 additions & 0 deletions x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,9 @@ multiline.match: after
multiline.max_lines: 5000
multiline.timeout: 10

tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
- script:
lang: javascript
Expand Down
2 changes: 2 additions & 0 deletions x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,7 @@ var:
- name: paths
default:
- /var/log/crowdstrike/falconhoseclient/output
- name: tags
default: [forwarded]

input: config/falcon.yml
Loading

0 comments on commit 712c91d

Please sign in to comment.