[filebeat][okta] drop fields processor not working with okta module #37542

Closed
nitesh8860 opened this issue Jan 4, 2024 · 4 comments
Labels
Filebeat Filebeat question Team:Security-Service Integrations Security Service Integrations Team

Comments

@nitesh8860

I am using the Okta module for Filebeat with the ECK operator. Logs are getting fetched and shipped to Elasticsearch properly, but I am also trying to drop some fields before shipping them, and it is still sending all the fields. This could also be a mistake in my config, which I am pasting below. Please help with this issue.

  • Version: 8.3.3
  • Operating System: OCI Linux 8
  • Steps to Reproduce:
    Filebeat config
apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: filebeat-okta
  namespace: elastic
spec:
  type: filebeat
  version: 8.3.3
  config:
    filebeat.modules:
      - module: okta
        enabled: true
        system:
          var.url: ##########
          var.api_key: ###########
          var.keep_original_message: false
    processors:
      - drop_fields:
          fields:
            [
              "agent.ephemeral_id",
              "agent.id",
              "agent.name",
              "agent.type",
              "agent.version",
              "client.as.number",
              "client.as.organization.name",
              "client.as.organization.name.text",
              "client.domain",
              "client.geo.city_name",
              "client.geo.location.lat",
              "client.geo.location.lon",
              "client.geo.region_name",
              "client.user.id",
              "client.user.full_name",
              "client.user.full_name.text",
              "client.user.name.text",
            ]


@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 4, 2024
@nitesh8860
Author

Hello team, any help on this?

@ebeahan ebeahan added the Team:Security-Service Integrations Security Service Integrations Team label Jan 31, 2024
@elasticmachine
Collaborator

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 31, 2024
@nitesh8860
Author

Hello, any help on this one?

@andrewkroh
Member

Filebeat modules use Elasticsearch Ingest Node to apply most of the transformations to the events [1]. So it is likely that the field names that you are referencing do not come into existence until the data passes through Elasticsearch. The pipelines it uses are here.

One option to customize the behavior would be to add a final_pipeline to your filebeat data stream that performs the additional transformations that you want.

Another option would be to modify the included pipelines to do what you want.

Footnotes

  1. https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-modules-overview.html

@andrewkroh andrewkroh closed this as not planned Won't fix, can't repro, duplicate, stale Feb 16, 2024
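
The final_pipeline option from the reply above, sketched as Kibana Dev Tools console requests. This is an added example, not configuration from the issue or from the Beats project; the pipeline name `okta-drop-fields`, the data stream name `filebeat-8.3.3`, the `event.module` condition and the sample document are assumptions.

```console
# Added example. Assumed names: pipeline "okta-drop-fields", data stream "filebeat-8.3.3".

# 1. Pipeline that removes the fields after the module's ingest pipeline has created them.
#    The ".text" entries from the issue are omitted: they are mapping multi-fields of
#    their parent field, not separate keys in _source.
PUT _ingest/pipeline/okta-drop-fields
{
  "description": "Drop selected client.* fields from Okta events",
  "processors": [
    {
      "remove": {
        "if": "ctx.event?.module == 'okta'",
        "field": [
          "client.as.number", "client.as.organization.name", "client.domain",
          "client.geo.city_name", "client.geo.location.lat", "client.geo.location.lon",
          "client.geo.region_name", "client.user.id", "client.user.full_name"
        ],
        "ignore_missing": true
      }
    }
  ]
}

# 2. Dry run against a constructed document; inspect the returned _source
#    before attaching the pipeline to live data.
POST _ingest/pipeline/okta-drop-fields/_simulate
{
  "docs": [
    {
      "_source": {
        "event": { "module": "okta" },
        "client": {
          "ip": "203.0.113.10",
          "domain": "example.com",
          "geo": { "city_name": "Example City", "region_name": "Example Region" },
          "user": { "id": "constructed-user-id", "full_name": "Test User" }
        }
      }
    }
  ]
}

# 3. Run the pipeline last on every document written to the data stream.
PUT filebeat-8.3.3/_settings
{
  "index.final_pipeline": "okta-drop-fields"
}
```

The settings call changes only the backing indices that already exist; indices created by a later rollover take their settings from the index template, so `index.final_pipeline` has to be set there as well.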