Pass-thru other panw.panos log types (elastic#19375)
This removes the drop processor from the ingest node pipeline that drops events other than THREAT and TRAFFIC.
This way we can retain the other log data but don't necessarily handle the parsing of it.

Closes elastic#16815
andrewkroh authored and melchiormoulin committed Oct 14, 2020
1 parent 9dd0008 commit 03718c7
Showing 3 changed files with 661 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -414,6 +414,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Explicitly set ECS version in all Filebeat modules. {pull}19198[19198]
- Add new mode to multiline reader to aggregate constant number of lines {pull}18352[18352]
- Add automatic retries and exponential backoff to httpjson input. {pull}18956[18956]
- Changed the panw module to pass through (rather than drop) message types other than threat and traffic. {issue}16815[16815] {pull}19375[19375]
- Add support for timezone offsets and `Z` to decode_cef timestamp parser. {pull}19346[19346]
- Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379]

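Review bot: style point on the new changelog line: the neighbouring entries in this list are written in the imperative ("Add ...", "Improve ..."), while this one reads "Changed the panw module ...". Suggest "Change the panw module to pass through (rather than drop) message types other than threat and traffic." for consistency. The entry also describes only the behaviour change; since these messages are now indexed without the module's parsing, consider adding that they arrive without the ECS categorization applied to threat and traffic events, so users know to expect uncategorized documents in the index.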
2 changes: 0 additions & 2 deletions x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
Expand Up @@ -197,8 +197,6 @@ processors:
- intrusion_detection
- network
if: 'ctx?._temp_?.message_type == "THREAT"'
- drop:
if: 'ctx?.event?.category == null'
- append:
field: event.type
value: allowed
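Review bot: removing the `drop` on `ctx?.event?.category == null` means every message type other than THREAT and TRAFFIC now continues through the remaining processors, so each of those needs its own guard. The `append` that sets `event.type: allowed` directly below is visible here without its `if:` line; confirm that it, and the processors following this point, are conditioned on `_temp_.message_type`, otherwise pass-through events would be tagged `allowed` despite never having been parsed. Consider also marking these unparsed events explicitly (a tag or an `event.kind` value), because downstream detections that key on `event.category` will otherwise skip them with no indication that the data was retained but not normalized.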