Inject Beat specific default processors (#34149)

michalpristas · web-flow · commit 75ebd50e5d6a · 2022-12-30T18:36:01.000+01:00
diff --git a/x-pack/auditbeat/cmd/root.go b/x-pack/auditbeat/cmd/root.go
@@ -14,6 +14,7 @@ import (
 	"github.com/elastic/beats/v7/x-pack/libbeat/management"
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent-client/v7/pkg/proto"
+	"github.com/elastic/elastic-agent-libs/mapstr"
 
 	// Register Auditbeat x-pack modules.
 	_ "github.com/elastic/beats/v7/x-pack/auditbeat/include"
@@ -29,7 +30,8 @@ var RootCmd *cmd.BeatsRootCmd
 // auditbeatCfg is a callback registered with central management to perform any needed config transformations
 // before agent configs are sent to a beat
 func auditbeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) ([]*reload.ConfigWithMeta, error) {
-	modules, err := management.CreateInputsFromStreams(rawIn, "logs", agentInfo)
+	procs := defaultProcessors()
+	modules, err := management.CreateInputsFromStreams(rawIn, "logs", agentInfo, procs...)
 	if err != nil {
 		return nil, fmt.Errorf("error creating input list from raw expected config: %w", err)
 	}
@@ -57,3 +59,15 @@ func init() {
 	settings.ElasticLicensed = true
 	RootCmd = auditbeatcmd.Initialize(settings)
 }
+
+func defaultProcessors() []mapstr.M {
+	// 	processors:
+	//   - add_host_metadata: ~
+	//   - add_cloud_metadata: ~
+	//   - add_docker_metadata: ~
+	return []mapstr.M{
+		{"add_host_metadata": nil},
+		{"add_cloud_metadata": nil},
+		{"add_docker_metadata": nil},
+	}
+}
diff --git a/x-pack/filebeat/cmd/agent.go b/x-pack/filebeat/cmd/agent.go
@@ -11,10 +11,12 @@ import (
 	"github.com/elastic/beats/v7/x-pack/libbeat/management"
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent-client/v7/pkg/proto"
+	"github.com/elastic/elastic-agent-libs/mapstr"
 )
 
 func filebeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) ([]*reload.ConfigWithMeta, error) {
-	modules, err := management.CreateInputsFromStreams(rawIn, "logs", agentInfo)
+	procs := defaultProcessors()
+	modules, err := management.CreateInputsFromStreams(rawIn, "logs", agentInfo, procs...)
 	if err != nil {
 		return nil, fmt.Errorf("error creating input list from raw expected config: %w", err)
 	}
@@ -35,3 +37,22 @@ func filebeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) (
 
 	return configList, nil
 }
+
+func defaultProcessors() []mapstr.M {
+	// processors:
+	// - add_host_metadata:
+	// 	when.not.contains.tags: forwarded
+	// - add_cloud_metadata: ~
+	// - add_docker_metadata: ~
+	// - add_kubernetes_metadata: ~
+	return []mapstr.M{
+		{
+			"add_host_metadata": mapstr.M{
+				"when.not.contains.tags": "forwarded",
+			},
+		},
+		{"add_cloud_metadata": nil},
+		{"add_docker_metadata": nil},
+		{"add_kubernetes_metadata": nil},
+	}
+}
diff --git a/x-pack/libbeat/management/generate.go b/x-pack/libbeat/management/generate.go
@@ -67,7 +67,7 @@ func (r *TransformRegister) Transform(cfg *proto.UnitExpectedConfig, agentInfo *
 // CreateInputsFromStreams breaks down the raw Expected config into an array of individual inputs/modules from the Streams values
 // that can later be formatted into the reloader's ConfigWithMetaData and sent to an indvidual beat/
 // This also performs the basic task of inserting module-level add_field processors into the inputs/modules.
-func CreateInputsFromStreams(raw *proto.UnitExpectedConfig, inputType string, agentInfo *client.AgentInfo) ([]map[string]interface{}, error) {
+func CreateInputsFromStreams(raw *proto.UnitExpectedConfig, inputType string, agentInfo *client.AgentInfo, defaultProcessors ...mapstr.M) ([]map[string]interface{}, error) {
 	// should this be an error?
 	if raw.GetStreams() == nil {
 		return []map[string]interface{}{}, nil
@@ -94,7 +94,7 @@ func CreateInputsFromStreams(raw *proto.UnitExpectedConfig, inputType string, ag
 		}
 
 		// 3. stream processors
-		streamSource, err = injectStreamProcessors(raw, inputType, stream, streamSource)
+		streamSource, err = injectStreamProcessors(raw, inputType, stream, streamSource, defaultProcessors)
 		if err != nil {
 			return nil, fmt.Errorf("Error injecting stream processors: %w", err)
 		}
@@ -181,13 +181,20 @@ func injectIndexStream(dataStreamType string, expected *proto.UnitExpectedConfig
 
 //injectStreamProcessors is an emulation of the InjectStreamProcessorRule AST code
 // this adds a variety of processors for metadata related to the dataset and input config.
-func injectStreamProcessors(expected *proto.UnitExpectedConfig, dataStreamType string, streamExpected *proto.Stream, stream map[string]interface{}) (map[string]interface{}, error) {
+func injectStreamProcessors(expected *proto.UnitExpectedConfig, dataStreamType string, streamExpected *proto.Stream, stream map[string]interface{}, defaultProcessors []mapstr.M) (map[string]interface{}, error) {
 	//1. start by "repairing" config to add any missing fields
 	// logic from datastreamTypeFromInputNode
 	procInputType, procInputDataset, procInputNamespace := metadataFromDatastreamValues(dataStreamType, expected, streamExpected)
 
 	var processors = []interface{}{}
 
+	for _, p := range defaultProcessors {
+		if len(p) == 0 {
+			continue
+		}
+		processors = append(processors, p)
+	}
+
 	// In V1, AST injects input_id at the input level and not the stream level,
 	// for reasons I can't understand, as it just ends up shuffling it around
 	// to individual metricsets anyway, at least on metricbeat
diff --git a/x-pack/metricbeat/cmd/agent.go b/x-pack/metricbeat/cmd/agent.go
@@ -12,10 +12,12 @@ import (
 	"github.com/elastic/beats/v7/x-pack/libbeat/management"
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent-client/v7/pkg/proto"
+	"github.com/elastic/elastic-agent-libs/mapstr"
 )
 
 func metricbeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) ([]*reload.ConfigWithMeta, error) {
-	modules, err := management.CreateInputsFromStreams(rawIn, "metrics", agentInfo)
+	procs := defaultProcessors()
+	modules, err := management.CreateInputsFromStreams(rawIn, "metrics", agentInfo, procs...)
 	if err != nil {
 		return nil, fmt.Errorf("error creating input list from raw expected config: %w", err)
 	}
@@ -36,3 +38,17 @@ func metricbeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo)
 
 	return configList, nil
 }
+
+func defaultProcessors() []mapstr.M {
+	// processors:
+	//   - add_host_metadata: ~
+	//   - add_cloud_metadata: ~
+	//   - add_docker_metadata: ~
+	//   - add_kubernetes_metadata: ~
+	return []mapstr.M{
+		{"add_host_metadata": nil},
+		{"add_cloud_metadata": nil},
+		{"add_docker_metadata": nil},
+		{"add_kubernetes_metadata": nil},
+	}
+}
diff --git a/x-pack/osquerybeat/cmd/root.go b/x-pack/osquerybeat/cmd/root.go
@@ -81,7 +81,8 @@ func osquerybeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo
 	}
 	rawIn.Streams = streams
 
-	modules, err := management.CreateInputsFromStreams(rawIn, "osquery", agentInfo)
+	procs := defaultProcessors()
+	modules, err := management.CreateInputsFromStreams(rawIn, "osquery", agentInfo, procs...)
 	if err != nil {
 		return nil, fmt.Errorf("error creating input list from raw expected config: %w", err)
 	}
@@ -96,3 +97,13 @@ func osquerybeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo
 	}
 	return configList, nil
 }
+
+func defaultProcessors() []mapstr.M {
+	// 	processors:
+	//   - add_host_metadata: ~
+	//   - add_cloud_metadata: ~
+	return []mapstr.M{
+		{"add_host_metadata": nil},
+		{"add_cloud_metadata": nil},
+	}
+}
diff --git a/x-pack/packetbeat/cmd/root.go b/x-pack/packetbeat/cmd/root.go
@@ -14,6 +14,7 @@ import (
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent-client/v7/pkg/proto"
 	conf "github.com/elastic/elastic-agent-libs/config"
+	"github.com/elastic/elastic-agent-libs/mapstr"
 
 	_ "github.com/elastic/beats/v7/x-pack/libbeat/include"
 
@@ -31,7 +32,8 @@ var RootCmd *cmd.BeatsRootCmd
 // configuration generated from a raw Elastic Agent config
 func packetbeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) ([]*reload.ConfigWithMeta, error) {
 	//grab and properly format the input streams
-	inputStreams, err := management.CreateInputsFromStreams(rawIn, "logs", agentInfo)
+	procs := defaultProcessors()
+	inputStreams, err := management.CreateInputsFromStreams(rawIn, "logs", agentInfo, procs...)
 	if err != nil {
 		return nil, fmt.Errorf("error generating new stream config: %w", err)
 	}
@@ -57,3 +59,53 @@ func init() {
 	settings.ElasticLicensed = true
 	RootCmd = packetbeatCmd.Initialize(settings)
 }
+
+func defaultProcessors() []mapstr.M {
+	// 	processors:
+	//   - # Add forwarded to tags when processing data from a network tap or mirror.
+	//     if.contains.tags: forwarded
+	//     then:
+	//       - drop_fields:
+	//           fields: [host]
+	//     else:
+	//       - add_host_metadata: ~
+	//   - add_cloud_metadata: ~
+	//   - add_docker_metadata: ~
+	//   - detect_mime_type:
+	//       field: http.request.body.content
+	//       target: http.request.mime_type
+	//   - detect_mime_type:
+	//       field: http.response.body.content
+	//       target: http.response.mime_type
+	return []mapstr.M{
+		{
+			"if.contains.tags": "forwarded",
+			"then": []interface{}{
+				mapstr.M{
+					"drop_fields": mapstr.M{
+						"fields": []interface{}{"host"},
+					},
+				},
+			},
+			"else": []interface{}{
+				mapstr.M{
+					"add_host_metadata": nil,
+				},
+			},
+		},
+		{"add_cloud_metadata": nil},
+		{"add_docker_metadata": nil},
+		{
+			"detect_mime_type": mapstr.M{
+				"field":  "http.request.body.content",
+				"target": "http.request.mime_type",
+			},
+		},
+		{
+			"detect_mime_type": mapstr.M{
+				"field":  "http.response.body.content",
+				"target": "http.response.mime_type",
+			},
+		},
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,8 @@ func osquerybeatCfg(rawIn proto.UnitExpectedConfig, agentInfo client.AgentInfo`
`81`	`81`	`}`
`82`	`82`	`rawIn.Streams = streams`
`83`	`83`
`84`		`- modules, err := management.CreateInputsFromStreams(rawIn, "osquery", agentInfo)`
	`84`	`+ procs := defaultProcessors()`
	`85`	`+ modules, err := management.CreateInputsFromStreams(rawIn, "osquery", agentInfo, procs...)`
`85`	`86`	`if err != nil {`
`86`	`87`	`return nil, fmt.Errorf("error creating input list from raw expected config: %w", err)`
`87`	`88`	`}`
`@@ -96,3 +97,13 @@ func osquerybeatCfg(rawIn proto.UnitExpectedConfig, agentInfo client.AgentInfo`
`96`	`97`	`}`
`97`	`98`	`return configList, nil`
`98`	`99`	`}`
	`100`	`+`
	`101`	`+func defaultProcessors() []mapstr.M {`
	`102`	`+ // processors:`
	`103`	`+ // - add_host_metadata: ~`
	`104`	`+ // - add_cloud_metadata: ~`
	`105`	`+ return []mapstr.M{`
	`106`	`+ {"add_host_metadata": nil},`
	`107`	`+ {"add_cloud_metadata": nil},`
	`108`	`+ }`
	`109`	`+}`