Disable host.* fields by default for Fortinet module

[andrewkroh]

What does this PR do?

For the Fortinet module when data is forwarded to Filebeat from another host/device (this is most of the time) you don't want Filebeat to add host. So by default this modules add a forwarded tag to events. If you configure the module to not include the forwarded tag (e.g. var.tags: [my_tag]) then Filebeat will add the host.* fields.

Why is it important?

We want Filebeat to follow Elastic Common Schema. And setting host with the correct value is part of that. By setting (or not setting host) we can better interpret events. Without this change the Filebeat host is being attributed as the source of Checkpoint firewall events.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

• Relates: Setting host.* in Beats that forward data #13920

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💔 Tests Failed

Expand to view the summary

Build stats

• Build Cause: [Pull request #19133 updated]

• Start Time: 2020-06-12T17:51:49.692+0000

• Duration: 57 min 35 sec

Test stats 🧪

Test	Results
Failed	1
Passed	3938
Skipped	672
Total	4611

Test errors

Expand to view the tests failures

• Name: Build and Test / Filebeat Mac OS X / test_clean_removed_with_clean_inactive – test_registrar.Test
  • Age: 1
  • Duration: 0.892
  • Error Details:
    -------------------- >> begin captured stdout << ---------------------
    registry size: 2
    registry size after remove: 2

--------------------- >> end captured stdout << ----------------------

Steps errors

Expand to view the steps failures

• Name: Mage build unitTest

  • Description: mage build unitTest

  • Duration: 7 min 42 sec

  • Start Time: 2020-06-12T18:14:04.826+0000

  • log

• Name: Recursively delete the current directory from the workspace

  • Description: script returned exit code 1

  • Duration: 0 min 12 sec

  • Start Time: 2020-06-12T18:22:06.011+0000

  • log

Log output

Expand to view the last 100 lines of log output

[2020-06-12T18:47:49.157Z] 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[2020-06-12T18:47:49.157Z] 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[2020-06-12T18:47:49.157Z] 	at java.lang.Thread.run(Thread.java:748)
[2020-06-12T18:47:49.157Z] No artifacts found that match the file pattern "**/build/TEST*.out". Configuration error?
[2020-06-12T18:47:49.574Z] + curl -sSLo codecov https://codecov.io/bash
[2020-06-12T18:47:49.845Z] + FILE=auditbeat/build/coverage/full.cov
[2020-06-12T18:47:49.845Z] + [ -f auditbeat/build/coverage/full.cov ]
[2020-06-12T18:47:49.845Z] + FILE=filebeat/build/coverage/full.cov
[2020-06-12T18:47:49.845Z] + [ -f filebeat/build/coverage/full.cov ]
[2020-06-12T18:47:49.845Z] + bash codecov -f filebeat/build/coverage/full.cov
[2020-06-12T18:47:49.845Z] 
[2020-06-12T18:47:49.845Z]   _____          _
[2020-06-12T18:47:49.845Z]  / ____|        | |
[2020-06-12T18:47:49.845Z] | |     ___   __| | ___  ___ _____   __
[2020-06-12T18:47:49.845Z] | |    / _ \ / _` |/ _ \/ __/ _ \ \ / /
[2020-06-12T18:47:49.845Z] | |___| (_) | (_| |  __/ (_| (_) \ V /
[2020-06-12T18:47:49.845Z]  \_____\___/ \__,_|\___|\___\___/ \_/
[2020-06-12T18:47:49.845Z]                               Bash-20200602-f809a24
[2020-06-12T18:47:49.845Z] 
[2020-06-12T18:47:49.845Z] 
[2020-06-12T18:47:49.845Z] ==> Jenkins CI detected.
[2020-06-12T18:47:49.845Z]     project root: .
[2020-06-12T18:47:49.845Z]     Fixing merge commit SHA
[2020-06-12T18:47:49.845Z]     Yaml found at: codecov.yml
[2020-06-12T18:47:49.845Z]     -> Found 1 reports
[2020-06-12T18:47:49.845Z] ==> Detecting git/mercurial file structure
[2020-06-12T18:47:50.110Z] ==> Reading reports
[2020-06-12T18:47:50.111Z]     + filebeat/build/coverage/full.cov bytes=261361
[2020-06-12T18:47:50.111Z] ==> Appending adjustments
[2020-06-12T18:47:50.111Z]     https://docs.codecov.io/docs/fixing-reports
[2020-06-12T18:48:00.328Z]     + Found adjustments
[2020-06-12T18:48:00.328Z] ==> Gzipping contents
[2020-06-12T18:48:00.328Z] ==> Uploading reports
[2020-06-12T18:48:00.328Z]     url: https://codecov.io
[2020-06-12T18:48:00.328Z]     query: branch=PR-19133&commit=59b133e9e994c15abbbdd65300e3a5a97af09af4&build=3&build_url=https%3A%2F%2Fbeats-ci.elastic.co%2Fjob%2FBeats%2Fjob%2Fbeats-beats-mbp%2Fjob%2FPR-19133%2F3%2F&name=&tag=&slug=elastic%2Fbeats&service=jenkins&flags=&pr=19133&job=
[2020-06-12T18:48:00.328Z]     -> Pinging Codecov
[2020-06-12T18:48:00.328Z] https://codecov.io/upload/v4?package=bash-20200602-f809a24&token=secret&branch=PR-19133&commit=59b133e9e994c15abbbdd65300e3a5a97af09af4&build=3&build_url=https%3A%2F%2Fbeats-ci.elastic.co%2Fjob%2FBeats%2Fjob%2Fbeats-beats-mbp%2Fjob%2FPR-19133%2F3%2F&name=&tag=&slug=elastic%2Fbeats&service=jenkins&flags=&pr=19133&job=
[2020-06-12T18:48:00.590Z] HTTP 400
[2020-06-12T18:48:00.590Z] Please provide the repository token to upload reports via `-t :repository-token`
[2020-06-12T18:48:00.590Z] + FILE=heartbeat/build/coverage/full.cov
[2020-06-12T18:48:00.590Z] + [ -f heartbeat/build/coverage/full.cov ]
[2020-06-12T18:48:00.590Z] + FILE=libbeat/build/coverage/full.cov
[2020-06-12T18:48:00.590Z] + [ -f libbeat/build/coverage/full.cov ]
[2020-06-12T18:48:00.591Z] + FILE=metricbeat/build/coverage/full.cov
[2020-06-12T18:48:00.591Z] + [ -f metricbeat/build/coverage/full.cov ]
[2020-06-12T18:48:00.591Z] + FILE=packetbeat/build/coverage/full.cov
[2020-06-12T18:48:00.591Z] + [ -f packetbeat/build/coverage/full.cov ]
[2020-06-12T18:48:00.591Z] + FILE=winlogbeat/build/coverage/full.cov
[2020-06-12T18:48:00.591Z] + [ -f winlogbeat/build/coverage/full.cov ]
[2020-06-12T18:48:00.591Z] + FILE=journalbeat/build/coverage/full.cov
[2020-06-12T18:48:00.591Z] + [ -f journalbeat/build/coverage/full.cov ]
[2020-06-12T18:48:02.274Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats
[2020-06-12T18:48:02.584Z] + find . -type f -name TEST*.xml -path */build/* -delete
[2020-06-12T18:48:02.596Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats/Lint
[2020-06-12T18:48:02.678Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-06-12T18:48:02.754Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-06-12T18:48:02.830Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-06-12T18:48:02.907Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats/Filebeat-Windows
[2020-06-12T18:48:02.982Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats/Filebeat-x-pack
[2020-06-12T18:48:03.063Z] Running in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats/Filebeat-oss
[2020-06-12T18:48:03.422Z] + cat
[2020-06-12T18:48:03.423Z] + /usr/local/bin/runbld ./runbld-script
[2020-06-12T18:48:03.423Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-06-12T18:48:10.011Z] runbld>>> runbld started
[2020-06-12T18:48:10.011Z] runbld>>> 1.6.11/a66728ff8f4356963772e6e6d2069392fa06acbe
[2020-06-12T18:48:10.952Z] runbld>>> The following profiles matched the job 'Beats/beats-beats-mbp/PR-19133' in order of occurrence in the config (last value wins).
[2020-06-12T18:48:12.332Z] runbld>>> Debug logging enabled.
[2020-06-12T18:48:12.332Z] runbld>>> Storing result
[2020-06-12T18:48:12.332Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-06-12T18:48:12.332Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200612184812-E450F52F
[2020-06-12T18:48:12.332Z] runbld>>> Adding system facts.
[2020-06-12T18:48:13.272Z] runbld>>> Adding vcs info for the latest commit:  639426b222b2839f5706be1ad7108624ab98b7e3
[2020-06-12T18:48:13.532Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-06-12T18:48:13.532Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-06-12T18:48:13.532Z] Processing JUnit reports with runbld...
[2020-06-12T18:48:13.532Z] + echo 'Processing JUnit reports with runbld...'
[2020-06-12T18:48:13.792Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-06-12T18:48:13.792Z] runbld>>> DURATION: 18ms
[2020-06-12T18:48:13.792Z] runbld>>> STDOUT: 40 bytes
[2020-06-12T18:48:13.792Z] runbld>>> STDERR: 49 bytes
[2020-06-12T18:48:13.792Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-06-12T18:48:13.792Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats
[2020-06-12T18:48:15.173Z] runbld>>> Storing build metadata: 
[2020-06-12T18:48:15.173Z] runbld>>> Adding test report.
[2020-06-12T18:48:15.173Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133/src/github.com/elastic/beats
[2020-06-12T18:48:16.159Z] runbld>>> Found 13 test output files
[2020-06-12T18:48:17.551Z] runbld>>> Test output logs contained: Errors: 0 Failures: 1 Tests: 4611 Skipped: 648
[2020-06-12T18:48:17.551Z] runbld>>> Storing result
[2020-06-12T18:48:17.551Z] runbld>>> FAILURES: 1
[2020-06-12T18:48:18.119Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-06-12T18:48:18.119Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1587637540455/t/20200612184812-E450F52F
[2020-06-12T18:48:18.120Z] runbld>>> Email notification disabled by environment variable.
[2020-06-12T18:48:18.120Z] runbld>>> Slack notification disabled by environment variable.
[2020-06-12T18:48:23.617Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats-beats-mbp_PR-19133
[2020-06-12T18:48:23.719Z] [INFO] getVaultSecret: Getting secrets
[2020-06-12T18:48:23.790Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-06-12T18:48:24.547Z] + chmod 755 generate-build-data.sh
[2020-06-12T18:48:24.547Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19133/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19133/runs/3 FAILURE 3394595
[2020-06-12T18:48:24.547Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19133/runs/3/steps/?limit=10000 -o steps-info.json
[2020-06-12T18:48:25.458Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats-beats-mbp/PR-19133/runs/3/tests/?status=FAILED -o tests-errors.json

[fredtj]

hi and thanks for this. not sure if it helps, but it is currently failing for me with the following error:

Exiting: Error getting config for fileset fortinet/firewall: Error interpreting the template of the input: Error parsing template
: template: text:23: function "tojson" not defined

[andrewkroh]

It won't work unless your testing with Filebeat from master or the 7.x branch.

[P1llus]

Don't know if you want my comment as well, but LGTM :)