Skip to content

Commit

Permalink
Disable host.* fields by default for Fortinet module (elastic#19133)
Browse files Browse the repository at this point in the history
For the Checkpoint module when data is forwarded to Fortinet from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.

Relates: elastic#13920
  • Loading branch information
andrewkroh authored and melchiormoulin committed Oct 14, 2020
1 parent 985de89 commit f0569a0
Show file tree
Hide file tree
Showing 6 changed files with 69 additions and 29 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
* PANW {pull}18223[18223]
* Cisco {pull}18753[18753]
* CrowdStrike {pull}19132[19132]
* Fortinet {pull}19133[19133]
* iptables {pull}18756[18756]
* Checkpoint {pull}18754[18754]
* Netflow {pull}19087[19087]
Expand Down
6 changes: 6 additions & 0 deletions filebeat/docs/modules/fortinet.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,12 @@ Set to 0.0.0.0 to bind to all available interfaces.

The port to listen for syslog traffic. Defaults to 9004.

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[fortinet-firewall, forwarded]`.

[float]
==== Fortinet ECS fields

Expand Down
6 changes: 6 additions & 0 deletions x-pack/filebeat/module/fortinet/_meta/docs.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,12 @@ Set to 0.0.0.0 to bind to all available interfaces.

The port to listen for syslog traffic. Defaults to 9004.

*`var.tags`*::

A list of tags to include in events. Including `forwarded` indicates that the
events did not originate on this host and causes `host.name` to not be added to
events. Defaults to `[fortinet-firewall, forwarded]`.

[float]
==== Fortinet ECS fields

Expand Down
3 changes: 2 additions & 1 deletion x-pack/filebeat/module/fortinet/firewall/config/firewall.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,8 @@ exclude_files: [".gz$"]

{{ end }}

tags: {{.tags}}
tags: {{.tags | tojson}}
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

processors:
- add_locale: ~
4 changes: 2 additions & 2 deletions x-pack/filebeat/module/fortinet/firewall/manifest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ var:
- name: syslog_host
default: localhost
- name: tags
default: [fortinet-firewall]
default: [fortinet-firewall, forwarded]
- name: syslog_port
default: 9004
- name: input
Expand All @@ -16,4 +16,4 @@ ingest_pipeline:
- ingest/utm.yml
- ingest/traffic.yml

input: config/firewall.yml
input: config/firewall.yml
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,8 @@
"source.user.group.name": "elasticgroup",
"source.user.name": "elasticuser",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
],
"url.domain": "elastic.co",
"url.path": "/config/"
Expand Down Expand Up @@ -142,7 +143,8 @@
"source.user.group.name": "elasticgroup",
"source.user.name": "elasticuser",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
],
"url.domain": "elastic.co",
"url.path": "/"
Expand Down Expand Up @@ -214,7 +216,8 @@
"source.user.group.name": "elasticgroup",
"source.user.name": "elasticuser",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
],
"tls.client.server_name": "test.elastic.co",
"url.domain": "elastic.co",
Expand Down Expand Up @@ -283,7 +286,8 @@
"source.ip": "192.168.2.1",
"source.port": 53430,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -353,7 +357,8 @@
"source.user.group.name": "elasticgroup",
"source.user.name": "elasticuser",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
],
"url.domain": "elastic.no",
"url.path": "/"
Expand Down Expand Up @@ -421,7 +426,8 @@
"source.ip": "192.168.2.1",
"source.port": 54438,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -480,7 +486,8 @@
"source.ip": "192.168.2.1",
"source.port": 54788,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -544,7 +551,8 @@
"source.user.group.name": "elasticgroup2",
"source.user.name": "elasticuser2",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -589,7 +597,8 @@
"source.ip": "10.10.10.10",
"source.user.name": "elasticouser",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -652,7 +661,8 @@
"source.ip": "8.8.8.8",
"source.port": 500,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -719,7 +729,8 @@
"source.ip": "9.9.9.9",
"source.port": 500,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -763,7 +774,8 @@
"rule.description": "System performance statistics",
"service.type": "fortinet",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -809,7 +821,8 @@
"source.ip": "10.10.10.10",
"source.user.name": "elastiiiuser",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -874,7 +887,8 @@
"source.ip": "7.6.3.4",
"source.port": 500,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -902,7 +916,8 @@
"rule.description": "FortiSandbox AV database updated",
"service.type": "fortinet",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -942,7 +957,8 @@
"service.type": "fortinet",
"source.user.name": "elastico",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -990,7 +1006,8 @@
"rule.description": "SSL VPN new connection",
"service.type": "fortinet",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1044,7 +1061,8 @@
"source.user.group.name": "somegroup",
"source.user.name": "someuser",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1089,7 +1107,8 @@
"source.ip": "192.168.1.1",
"source.user.name": "elasticadmin",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1118,7 +1137,8 @@
"rule.description": "FortiCloud server connected",
"service.type": "fortinet",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1148,7 +1168,8 @@
"rule.description": "FortiCloud server disconnected",
"service.type": "fortinet",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1215,7 +1236,8 @@
"source.ip": "192.168.1.6",
"source.port": 53438,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1302,7 +1324,8 @@
"source.packets": 723417,
"source.port": 6000,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1377,7 +1400,8 @@
"source.ip": "2001:4860:4860::8888",
"source.packets": 4,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1452,7 +1476,8 @@
"source.ip": "9.7.7.7",
"source.packets": 0,
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
},
{
Expand Down Expand Up @@ -1518,7 +1543,8 @@
"source.port": 62493,
"source.user.name": "elasticsuper",
"tags": [
"fortinet-firewall"
"fortinet-firewall",
"forwarded"
]
}
]

0 comments on commit f0569a0

Please sign in to comment.