Filebeat Nginx module - add nginx.ingress_controller.upstream.ip to related.ip #34645

Closed
leweafan opened this issue Feb 22, 2023 · 0 comments · Fixed by #34672
Labels
Team:Cloudnative-Monitoring Label for the Cloud Native Monitoring team

Comments

@leweafan
Contributor

Describe the enhancement:

Add nginx.ingress_controller.upstream.ip to related.ip
A missing IP in related.ip affects security issue discovery, because you can't be sure that all of the event's IPs are indeed present in related.ip.

According to ECS field description:

All of the IPs seen on your event.

Describe a specific use case for the enhancement or feature:

In the example below, nginx.ingress_controller.upstream.ip 10.10.10.10 is not added to related.ip.

POST /_ingest/pipeline/filebeat-8.6.1-nginx-ingress_controller-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "@timestamp": "2023-02-22T12:51:14.333",
        "message" : "11.11.11.11 - - [22/Feb/2023:17:08:50 +0300] \"POST /test/one/api/v2/request HTTP/1.1\" 200 262 \"-\" \"Go-http-client/1.1\" 0 0.080 [test] [] 10.10.10.10:443 - 0.080 200 0"
      }
    }
  ]
}
{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_version": "-3",
        "_source": {
          "@timestamp": "2023-02-22T14:08:50.000Z",
          "nginx": {
            "ingress_controller": {
              "upstream": {
                "alternative_name": "",
                "port": 443,
                "response": {
                  "status_code": 200,
                  "time_list": [
                    "0.080"
                  ],
                  "status_code_list": [
                    "200"
                  ],
                  "time": 0.08
                },
                "ip": "10.10.10.10",
                "name": "test"
              },
              "upstream_address_list": [
                "10.10.10.10:443"
              ],
              "http": {
                "request": {
                  "length": 0,
                  "id": "0",
                  "time": 0.08
                }
              },
              "remote_ip_list": [
                "11.11.11.11"
              ]
            }
          },
          "related": {
            "ip": [
              "11.11.11.11"
            ]
          },
          "http": {
            "request": {
              "method": "POST",
              "id": "0"
            },
            "response": {
              "status_code": 200,
              "body": {
                "bytes": 262
              }
            },
            "version": "1.1"
          },
          "source": {
            "address": "11.11.11.11",
            "ip": "11.11.11.11"
          },
          "event": {
            "ingested": "2023-02-22T14:20:01.380133844Z",
            "original": """11.11.11.11 - - [22/Feb/2023:17:08:50 +0300] "POST /test/one/api/v2/request HTTP/1.1" 200 262 "-" "Go-http-client/1.1" 0 0.080 [test] [] 10.10.10.10:443 - 0.080 200 0""",
            "created": "2023-02-22T12:51:14.333",
            "kind": "event",
            "category": [
              "web"
            ],
            "type": [
              "info"
            ],
            "outcome": "success"
          },
          "user_agent": {
            "original": "Go-http-client/1.1",
            "name": "Go-http-client",
            "device": {
              "name": "Other"
            },
            "version": "1.1"
          },
          "url": {
            "path": "/test/one/api/v2/request",
            "original": "/test/one/api/v2/request"
          },
          "tags": [
            "_geoip_database_unavailable_GeoLite2-City.mmdb",
            "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
          ]
        },
        "_ingest": {
          "timestamp": "2023-02-22T14:20:01.380133844Z"
        }
      }
    }
  ]
}
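Added example (not part of the issue or of the Beats code base): a Python check that walks an ingested document and reports every IP-valued field whose address is absent from related.ip, plus a helper that emulates an append with "allow_duplicates: false". The sample is constructed by trimming the simulate output above; all function names are hypothetical.

```python
import ipaddress

def _as_ip(value):
    """Return the canonical IP string if value is an IP literal, else None."""
    # Only strings are considered: ipaddress.ip_address(443) would turn an
    # integer port into 0.0.1.187 and produce false positives.
    if not isinstance(value, str):
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def collect_ips(node, path=""):
    """Yield (field_path, ip) for each IP-valued leaf outside top-level related.*."""
    if isinstance(node, dict):
        for key, child in node.items():
            child_path = f"{path}.{key}" if path else key
            if child_path != "related":
                yield from collect_ips(child, child_path)
    elif isinstance(node, list):
        for child in node:
            yield from collect_ips(child, path)
    elif (ip := _as_ip(node)) is not None:
        yield path, ip

def missing_from_related(source):
    """Map each IP seen on the event but absent from related.ip to its fields."""
    related = {_as_ip(v) for v in source.get("related", {}).get("ip", [])}
    missing = {}
    for field, ip in collect_ips(source):
        if ip not in related:
            missing.setdefault(ip, []).append(field)
    return missing

def append_unique(source, ip):
    """Emulate appending to related.ip without creating duplicates."""
    ips = source.setdefault("related", {}).setdefault("ip", [])
    if ip not in ips:
        ips.append(ip)
    return source

# Constructed sample: a trimmed copy of the simulate output in this issue.
SAMPLE = {
    "nginx": {"ingress_controller": {
        "upstream": {"ip": "10.10.10.10", "port": 443, "name": "test"},
        "remote_ip_list": ["11.11.11.11"]}},
    "related": {"ip": ["11.11.11.11"]},
    "source": {"address": "11.11.11.11", "ip": "11.11.11.11"},
    "http": {"version": "1.1"},
}
```

Run over a batch of `_simulate` results, a non-empty return value from `missing_from_related` identifies which pipeline fields still need an append to related.ip.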
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 22, 2023
@tetianakravchenko tetianakravchenko added the Team:Cloudnative-Monitoring Label for the Cloud Native Monitoring team label Feb 27, 2023
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 27, 2023
gsantoro added a commit that referenced this issue Feb 28, 2023
* Add nginx.ingress_controller.upstream.ip to related.ip (#34645)

* Added pull id

* Added "allow_duplicates: false"

* Added "allow_duplicates: false" for all related.ip appends

---------

Co-authored-by: Giuseppe Santoro <giuseppe.santoro@elastic.co>
chrisberkhout pushed a commit that referenced this issue Jun 1, 2023
* Add nginx.ingress_controller.upstream.ip to related.ip (#34645)

* Added pull id

* Added "allow_duplicates: false"

* Added "allow_duplicates: false" for all related.ip appends

---------

Co-authored-by: Giuseppe Santoro <giuseppe.santoro@elastic.co>