From 3bc072f1256a03dd6e107124eb113b68b6f4568e Mon Sep 17 00:00:00 2001
From: leweafan
Date: Sun, 26 Feb 2023 14:46:46 +0300
Subject: [PATCH 1/4] Add nginx.ingress_controller.upstream.ip to related.ip (#34645)
---
 CHANGELOG.next.asciidoc | 1 +
 .../ingress_controller/ingest/pipeline.yml | 4 ++
 .../test/test.log-expected.json | 68 ++++++++++++-------
 3 files changed, 50 insertions(+), 23 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index da0ffd929e6..54262f29316 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -218,6 +218,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 - Add support for Okta debug attributes, `risk_reasons`, `risk_behaviors` and `factor`. {issue}33677[33677] {pull}34508[34508]
 - Fill okta.request.ip_chain.* as a flattened object in Okta module. {pull}34621[34621]
 - Fixed GCS log format issues. {pull}34659[34659]
+- Add nginx.ingress_controller.upstream.ip to related.ip {issue}34645[34645]
 *Auditbeat*
diff --git a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
index 4e682c0261e..934f1febba0 100644
--- a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
+++ b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
@@ -295,6 +295,10 @@ processors:
 field: related.ip
 value: "{{destination.ip}}"
 if: "ctx?.destination?.ip != null"
+ - append:
+ field: related.ip
+ value: "{{nginx.ingress_controller.upstream.ip}}"
+ if: "ctx?.nginx?.ingress_controller?.upstream?.ip != null"
 - append:
 field: related.user
 value: "{{user.name}}"
diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json
index 16aa75c2838..77a2918fd02 100644
--- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json
+++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json
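Review bot: The added append at the end of the pipeline.yml hunk passes `nginx.ingress_controller.upstream.ip` through a mustache template, which only produces a value the ip-typed `related.ip` field accepts if upstream.ip is always a single scalar address; the fixture shows the upstream address list as an array right above related.ip, so if upstream.ip can ever mirror that list (several backends tried for one request), the template renders the whole list as one string and the document would be rejected at index time. Worth checking the earlier processor that populates upstream.ip (outside this hunk) and, if it can be multi-valued, walking it with a `foreach` instead of a single append. A one-line comment above the new processor, `# the upstream IP joins related.ip so one query finds every address a request touched (client, destination, backend)`, would document the intent. The processors list continues on both sides of the hunk.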
@@ -47,7 +47,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -107,7 +108,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -167,7 +169,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -227,7 +230,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -365,7 +369,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -425,7 +430,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -489,7 +495,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -553,7 +560,8 @@
 "172.17.0.6:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.6"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -617,7 +625,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -681,7 +690,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -745,7 +755,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -809,7 +820,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -872,7 +884,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -936,7 +949,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -1000,7 +1014,8 @@
 "172.17.0.6:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.6"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -1064,7 +1079,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -1128,7 +1144,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -1189,7 +1206,8 @@
 "172.17.0.6:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.6"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -1252,7 +1270,8 @@
 "172.17.0.5:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.5"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -1316,7 +1335,8 @@
 "172.17.0.6:8080"
 ],
 "related.ip": [
- "192.168.64.1"
+ "192.168.64.1",
+ "172.17.0.6"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.1",
@@ -1383,7 +1403,8 @@
 "172.17.0.7:8080"
 ],
 "related.ip": [
- "192.168.64.14"
+ "192.168.64.14",
+ "172.17.0.7"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.14",
@@ -1450,7 +1471,8 @@
 "172.17.0.7:8080"
 ],
 "related.ip": [
- "192.168.64.14"
+ "192.168.64.14",
+ "172.17.0.7"
 ],
 "service.type": "nginx",
 "source.address": "192.168.64.14",
@@ -1681,4 +1703,4 @@
 "user_agent.os.version": "10.15.7",
 "user_agent.version": "104.0.0.0"
 }
-]
\ No newline at end of file
+]
From dc43edc0d809c9e6a9ec03b93ee6843f6866c247 Mon Sep 17 00:00:00 2001
From: Alexander A
Date: Sun, 26 Feb 2023 15:22:38 +0300
Subject: [PATCH 2/4] Added pull id
---
 CHANGELOG.next.asciidoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 54262f29316..8448bdce731 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -218,7 +218,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 - Add support for Okta debug attributes, `risk_reasons`, `risk_behaviors` and `factor`. {issue}33677[33677] {pull}34508[34508]
 - Fill okta.request.ip_chain.* as a flattened object in Okta module. {pull}34621[34621]
 - Fixed GCS log format issues. {pull}34659[34659]
-- Add nginx.ingress_controller.upstream.ip to related.ip {issue}34645[34645]
+- Add nginx.ingress_controller.upstream.ip to related.ip {issue}34645[34645] {pull}34672[34672]
 *Auditbeat*
From 75d5b7aba7ccaffb4fdbed5aacdcedf98455d339 Mon Sep 17 00:00:00 2001
From: Alexander A
Date: Mon, 27 Feb 2023 20:10:22 +0300
Subject: [PATCH 3/4] Added "allow_duplicates: false"
---
 filebeat/module/nginx/ingress_controller/ingest/pipeline.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
index 934f1febba0..076e7a59e42 100644
--- a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
+++ b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
@@ -299,6 +299,7 @@ processors:
 field: related.ip
 value: "{{nginx.ingress_controller.upstream.ip}}"
 if: "ctx?.nginx?.ingress_controller?.upstream?.ip != null"
+ allow_duplicates: false
 - append:
 field: related.user
 value: "{{user.name}}"
From b6f8a9771f3a2455475949cde6695724757c5cf0 Mon Sep 17 00:00:00 2001
From: Alexander A
Date: Mon, 27 Feb 2023 20:53:49 +0300
Subject: [PATCH 4/4] Added "allow_duplicates: false" for all related.ip appends
---
 filebeat/module/nginx/ingress_controller/ingest/pipeline.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
index 076e7a59e42..ca000547e90 100644
--- a/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
+++ b/filebeat/module/nginx/ingress_controller/ingest/pipeline.yml
@@ -291,10 +291,12 @@ processors:
 field: related.ip
 value: "{{source.ip}}"
 if: "ctx?.source?.ip != null"
+ allow_duplicates: false
 - append:
 field: related.ip
 value: "{{destination.ip}}"
 if: "ctx?.destination?.ip != null"
+ allow_duplicates: false
 - append:
 field: related.ip
 value: "{{nginx.ingress_controller.upstream.ip}}"
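Review bot: `allow_duplicates: false` now sits on every related.ip append in the hunk with nothing saying why, and the three processors differ only in their template, so a comment above the first one, `# related.ip is a de-duplicated pivot set of every address seen on the request (client, destination, upstream)`, would make the de-duplication intent explicit. Since Elasticsearch rejects an ingest processor configured with an option it does not recognise, confirm that the module's minimum supported stack version ships an append processor that understands `allow_duplicates`; otherwise the pipeline fails to load on older clusters. The processors list continues on both sides of the hunk.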