From 4a907d2d98d5d0c6d16287b87596f7514597ada3 Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Tue, 29 Jan 2019 16:49:27 -0500
Subject: [PATCH 1/2] Ensure source.address is always populated by the nginx module
---
 filebeat/module/nginx/access/ingest/default.json | 7 +++++++
 filebeat/module/nginx/access/test/test.log-expected.json | 7 +++++++
 2 files changed, 14 insertions(+)
diff --git a/filebeat/module/nginx/access/ingest/default.json b/filebeat/module/nginx/access/ingest/default.json
index cb2752df216..058135efdc8 100644
--- a/filebeat/module/nginx/access/ingest/default.json
+++ b/filebeat/module/nginx/access/ingest/default.json
@@ -49,6 +49,13 @@
 }
 }
 },
+ {
+ "convert": {
+ "field": "source.ip",
+ "target_field": "source.address",
+ "type": "string"
+ }
+ },
 {
 "remove": {
 "field": "message"
diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json
index e5cfc798da2..8e8dff7e7de 100644
--- a/filebeat/module/nginx/access/test/test.log-expected.json
+++ b/filebeat/module/nginx/access/test/test.log-expected.json
@@ -18,6 +18,7 @@
 "127.0.0.1"
 ],
 "service.type": "nginx",
+ "source.address": "10.0.0.2",
 "source.ip": "10.0.0.2",
 "url.original": "/ocelot",
 "user.name": "-",
@@ -48,6 +49,7 @@
 "172.17.0.1"
 ],
 "service.type": "nginx",
+ "source.address": "172.17.0.1",
 "source.ip": "172.17.0.1",
 "url.original": "/stringpatch",
 "user.name": "-",
@@ -79,6 +81,7 @@
 "85.181.35.98"
 ],
 "service.type": "nginx",
+ "source.address": "85.181.35.98",
 "source.geo.city_name": "Berlin",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "DE",
@@ -116,6 +119,7 @@
 "85.181.35.98"
 ],
 "service.type": "nginx",
+ "source.address": "85.181.35.98",
 "source.geo.city_name": "Berlin",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "DE",
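Review bot: The added `convert` processor in `ingest/default.json` reads `source.ip` without `ignore_missing`, so an event that reaches this step with no `source.ip` would raise in the processor instead of passing through; whether earlier processors guarantee the field cannot be seen here, because the processors array starts and ends outside the hunk. If that guarantee does not hold, add `"ignore_missing": true` to the processor so the access-log event is still indexed rather than lost to a pipeline failure. The copy is textual: the expected output in this commit keeps `2a03:0000:10ff:f00f:0000:0000:0:8000` exactly as written, so exact-match searches and detection rules on `source.address` should expect non-canonical spellings of the same host. The fixtures also show `source.address` differing from the list entry beside it (`199.96.1.1` next to `10.2.1.185`), which suggests the value can come from a forwarded-for header; if so it is client-supplied and should not be read as the verified peer address.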
@@ -157,6 +161,7 @@
 "10.2.1.185"
 ],
 "service.type": "nginx",
+ "source.address": "199.96.1.1",
 "source.geo.city_name": "Springfield",
 "source.geo.continent_name": "North America",
 "source.geo.country_iso_code": "US",
@@ -192,6 +197,7 @@
 "10.2.2.121"
 ],
 "service.type": "nginx",
+ "source.address": "2a03:0000:10ff:f00f:0000:0000:0:8000",
 "source.geo.continent_name": "Europe",
 "source.geo.country_iso_code": "PT",
 "source.geo.location.lat": 39.5,
@@ -222,6 +228,7 @@
 "127.0.0.1"
 ],
 "service.type": "nginx",
+ "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "user.name": "-",
 "user_agent.device": "Other",
From 6708beec52c3b6a85578c036e4d694df6a5229bd Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Tue, 29 Jan 2019 21:04:52 -0500
Subject: [PATCH 2/2] Changelog entry
---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 029824c74ae..6f12484b1b9 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -134,6 +134,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Make elasticsearch/audit fileset be more lenient in parsing node name. {issue}10035[10035] {pull}10135[10135]
 - Fix bad bytes count in `docker` input when filtering by stream. {pull}10211[10211]
 - Fixed data types for roles and indices fields in `elasticsearch/audit` fileset {pull}10307[10307]
+- Ensure `source.address` is always populated by the nginx module (ECS). {pull}10418[10418]
 *Heartbeat*