elastic
diff --git a/‎CHANGELOG.next.asciidoc‎
Lines changed: 30 additions & 0 deletions b/‎CHANGELOG.next.asciidoc‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl‎
Lines changed: 4 additions & 0 deletions b/‎filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎filebeat/filebeat.reference.yml‎
Lines changed: 4 additions & 0 deletions b/‎filebeat/filebeat.reference.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎filebeat/fileset/fileset.go‎
Lines changed: 5 additions & 2 deletions b/‎filebeat/fileset/fileset.go‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎filebeat/input/filestream/fswatch.go‎
Lines changed: 23 additions & 1 deletion b/‎filebeat/input/filestream/fswatch.go‎
Lines changed: 23 additions & 1 deletion
diff --git a/‎filebeat/input/filestream/fswatch_test.go‎
Lines changed: 9 additions & 0 deletions b/‎filebeat/input/filestream/fswatch_test.go‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎filebeat/input/filestream/fswatch_test_non_windows.go‎
Lines changed: 34 additions & 8 deletions b/‎filebeat/input/filestream/fswatch_test_non_windows.go‎
Lines changed: 34 additions & 8 deletions
diff --git a/‎filebeat/input/filestream/input_integration_test.go‎
Lines changed: 2 additions & 0 deletions b/‎filebeat/input/filestream/input_integration_test.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎generator/_templates/beat/{beat}/tools/tools.go‎
Lines changed: 2 additions & 0 deletions b/‎generator/_templates/beat/{beat}/tools/tools.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎generator/_templates/metricbeat/{beat}/tools/tools.go‎
Lines changed: 2 additions & 0 deletions b/‎generator/_templates/metricbeat/{beat}/tools/tools.go‎
Lines changed: 2 additions & 0 deletions
@@ -165,6 +165,35 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - system/package: Fix an error that can occur while trying to persist package metadata. {issue}18536[18536] {pull}18887[18887]
 - system/socket: Fix dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033] {pull}19764[19764]
 - system/socket: Fixed tracking of long-running connections. {pull}19033[19033]
+- system/package: Fix librpm loading on Fedora 31/32. {pull}NNNN[NNNN]
+- file_integrity: Create fsnotify watcher only when starting file_integrity module {pull}19505[19505]
+- auditd: Fix spelling of anomaly in `event.category`.
+- auditd: Fix typo in `event.action` of `removed-user-role-from`. {pull}19300[19300]
+- auditd: Fix typo in `event.action` of `used-suspicious-link`. {pull}19300[19300]
+- system/socket: Fix kprobe grouping to allow running more than one instance. {pull}20325[20325]
+- system/socket: Fixed a crash due to concurrent map read and write. {issue}21192[21192] {pull}21690[21690]
+- file_integrity: stop monitoring excluded paths {issue}21278[21278] {pull}21282[21282]
+- auditd: Fix an error condition causing a lot of `audit_send_reply` kernel threads being created. {pull}22673[22673]
+- system/socket: Fixed start failure when run under config reloader. {issue}20851[20851] {pull}21693[21693]
+- system/socket: Having some CPUs unavailable to Auditbeat could cause startup errors or event loss. {pull}22827[22827]
+- Note incompatibility of system/socket on ARM. {pull}23381[23381]
+
+*Filebeat*
+
+- Fix mapping of fortinet.firewall.mem as integer. {pull}19335[19335]
+- Ensure all zeek timestamps include millisecond precision. {issue}14599[14599] {pull}16766[16766]
+- Fix s3 input hanging with GetObjectRequest API call by adding context_timeout config. {issue}15502[15502] {pull}15590[15590]
+- Add shared_credential_file to cloudtrail config {issue}15652[15652] {pull}15656[15656]
+- Fix typos in zeek notice fileset config file. {issue}15764[15764] {pull}15765[15765]
+- Fix mapping error when zeek weird logs do not contain IP addresses. {pull}15906[15906]
+- Improve `elasticsearch/audit` fileset to handle timestamps correctly. {pull}15942[15942]
+- Prevent Elasticsearch from spewing log warnings about redundant wildcards when setting up ingest pipelines for the `elasticsearch` module. {issue}15840[15840] {pull}15900[15900]
+- Fix mapping error for cloudtrail additionalEventData field {pull}16088[16088]
+- Fix a connection error in httpjson input. {pull}16123[16123]
+- Fix integer overflow in S3 offsets when collecting very large files. {pull}22523[22523]
+- Fix CredentialsJSON unpacking for `gcp-pubsub` and `httpjson` inputs. {pull}23277[23277]
+- Strip Azure Eventhub connection string in debug logs. {pulll}25066[25066]
+- Fix o365 module config when client_secret contains special characters. {issue}25058[25058]
 
 *Filebeat*
 
@@ -558,6 +587,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Handle datastreams for fleet. {pull}24223[24223]
 - Add --sandbox option for browser monitor. {pull}24172[24172]
 - Support additional 'root' fields from synthetics. {pull}24770[24770]
+- Browser zip_url source type. {pull}24714[24714]
 
 *Heartbeat*
 
 
@@ -281,6 +281,10 @@ filebeat.inputs:
   # are matching any regular expression from the list. By default, no files are dropped.
   #prospector.scanner.exclude_files: ['.gz$']
 
+  # Include files. A list of regular expressions to match. Filebeat keeps only the files that
+  # are matching any regular expression from the list. By default, no files are dropped.
+  #prospector.scanner.include_files: ['/var/log/.*']
+
   # Expand "**" patterns into regular glob patterns.
   #prospector.scanner.recursive_glob: true
 
 
@@ -688,6 +688,10 @@ filebeat.inputs:
   # are matching any regular expression from the list. By default, no files are dropped.
   #prospector.scanner.exclude_files: ['.gz$']
 
+  # Include files. A list of regular expressions to match. Filebeat keeps only the files that
+  # are matching any regular expression from the list. By default, no files are dropped.
+  #prospector.scanner.include_files: ['/var/log/.*']
+
   # Expand "**" patterns into regular glob patterns.
   #prospector.scanner.recursive_glob: true
 
 
@@ -307,8 +307,11 @@ func getTemplateFunctions(vars map[string]interface{}) (template.FuncMap, error)
 			return false
 		},
 		"tojson": func(v interface{}) (string, error) {
-			bytes, err := json.Marshal(v)
-			return string(bytes), err
+			var buf strings.Builder
+			enc := json.NewEncoder(&buf)
+			enc.SetEscapeHTML(false)
+			err := enc.Encode(v)
+			return buf.String(), err
 		},
 		"IngestPipeline": func(shortID string) string {
 			return formatPipelineID(
 
@@ -51,6 +51,7 @@ type watcherFactory func(paths []string, cfg *common.Config) (loginp.FSWatcher,
 type fileScanner struct {
 	paths         []string
 	excludedFiles []match.Matcher
+	includedFiles []match.Matcher
 	symlinks      bool
 
 	log *logp.Logger
@@ -234,6 +235,7 @@ func (w *fileWatcher) GetFiles() map[string]os.FileInfo {
 
 type fileScannerConfig struct {
 	ExcludedFiles []match.Matcher `config:"exclude_files"`
+	IncludedFiles []match.Matcher `config:"include_files"`
 	Symlinks      bool            `config:"symlinks"`
 	RecursiveGlob bool            `config:"recursive_glob"`
 }
@@ -249,6 +251,7 @@ func newFileScanner(paths []string, cfg fileScannerConfig) (loginp.FSScanner, er
 	fs := fileScanner{
 		paths:         paths,
 		excludedFiles: cfg.ExcludedFiles,
+		includedFiles: cfg.IncludedFiles,
 		symlinks:      cfg.Symlinks,
 		log:           logp.NewLogger(scannerName),
 	}
@@ -337,7 +340,7 @@ func (s *fileScanner) GetFiles() map[string]os.FileInfo {
 }
 
 func (s *fileScanner) shouldSkipFile(file string) bool {
-	if s.isFileExcluded(file) {
+	if s.isFileExcluded(file) || !s.isFileIncluded(file) {
 		s.log.Debugf("Exclude file: %s", file)
 		return true
 	}
@@ -359,6 +362,18 @@ func (s *fileScanner) shouldSkipFile(file string) bool {
 		return true
 	}
 
+	originalFile, err := filepath.EvalSymlinks(file)
+	if err != nil {
+		s.log.Debugf("finding path to original file has failed %s: %+v", file, err)
+		return true
+	}
+	// Check if original file is included to make sure we are not reading from
+	// unwanted files.
+	if s.isFileExcluded(originalFile) || !s.isFileIncluded(originalFile) {
+		s.log.Debugf("Exclude original file: %s", file)
+		return true
+	}
+
 	return false
 }
 
@@ -384,6 +399,13 @@ func (s *fileScanner) isFileExcluded(file string) bool {
 	return len(s.excludedFiles) > 0 && s.matchAny(s.excludedFiles, file)
 }
 
+func (s *fileScanner) isFileIncluded(file string) bool {
+	if len(s.includedFiles) == 0 {
+		return true
+	}
+	return s.matchAny(s.includedFiles, file)
+}
+
 // matchAny checks if the text matches any of the regular expressions
 func (s *fileScanner) matchAny(matchers []match.Matcher, text string) bool {
 	for _, m := range matchers {
 
@@ -52,6 +52,7 @@ func TestFileScanner(t *testing.T) {
 	testCases := map[string]struct {
 		paths         []string
 		excludedFiles []match.Matcher
+		includedFiles []match.Matcher
 		symlinks      bool
 		expectedFiles []string
 	}{
@@ -66,6 +67,13 @@ func TestFileScanner(t *testing.T) {
 			},
 			expectedFiles: []string{includedFilePath},
 		},
+		"only include included_files": {
+			paths: []string{excludedFilePath, includedFilePath},
+			includedFiles: []match.Matcher{
+				match.MustCompile(includedFileName),
+			},
+			expectedFiles: []string{includedFilePath},
+		},
 		"skip directories": {
 			paths:         []string{filepath.Join(tmpDir, directoryPath)},
 			expectedFiles: []string{},
@@ -78,6 +86,7 @@ func TestFileScanner(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			cfg := fileScannerConfig{
 				ExcludedFiles: test.excludedFiles,
+				IncludedFiles: test.includedFiles,
 				Symlinks:      test.symlinks,
 				RecursiveGlob: false,
 			}
 
@@ -24,6 +24,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strconv"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -44,13 +45,14 @@ func TestFileScannerSymlinks(t *testing.T) {
 	testCases := map[string]struct {
 		paths         []string
 		excludedFiles []match.Matcher
+		includedFiles []match.Matcher
 		symlinks      bool
 		expectedFiles []string
 	}{
 		// covers test_input.py/test_skip_symlinks
 		"skip symlinks": {
 			paths: []string{
-				filepath.Join(tmpDir, "symlink_to_included_file"),
+				filepath.Join(tmpDir, "symlink_to_0"),
 				filepath.Join(tmpDir, "included_file"),
 			},
 			symlinks: false,
@@ -60,22 +62,37 @@ func TestFileScannerSymlinks(t *testing.T) {
 		},
 		"return a file once if symlinks are enabled": {
 			paths: []string{
-				filepath.Join(tmpDir, "symlink_to_included_file"),
+				filepath.Join(tmpDir, "symlink_to_0"),
 				filepath.Join(tmpDir, "included_file"),
 			},
 			symlinks: true,
 			expectedFiles: []string{
 				mustAbsPath(filepath.Join(tmpDir, "included_file")),
 			},
 		},
+		"do not return symlink if original file is not allowed": {
+			paths: []string{
+				filepath.Join(tmpDir, "symlink_to_1"),
+				filepath.Join(tmpDir, "included_file"),
+			},
+			excludedFiles: []match.Matcher{
+				match.MustCompile("original_" + excludedFileName),
+			},
+			symlinks: true,
+			expectedFiles: []string{
+				mustAbsPath(filepath.Join(tmpDir, "included_file")),
+			},
+		},
 	}
 
-	err := os.Symlink(
-		mustAbsPath(filepath.Join(tmpDir, "included_file")),
-		mustAbsPath(filepath.Join(tmpDir, "symlink_to_included_file")),
-	)
-	if err != nil {
-		t.Fatal(err)
+	for i, filename := range []string{"included_file", "excluded_file"} {
+		err := os.Symlink(
+			mustAbsPath(filepath.Join(tmpDir, "original_"+filename)),
+			mustAbsPath(filepath.Join(tmpDir, "symlink_to_"+strconv.Itoa(i))),
+		)
+		if err != nil {
+			t.Fatal(err)
+		}
 	}
 
 	for name, test := range testCases {
@@ -84,6 +101,7 @@ func TestFileScannerSymlinks(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			cfg := fileScannerConfig{
 				ExcludedFiles: test.excludedFiles,
+				IncludedFiles: test.includedFiles,
 				Symlinks:      true,
 				RecursiveGlob: false,
 			}
@@ -150,3 +168,11 @@ func TestFileWatcherRenamedFile(t *testing.T) {
 	assert.Equal(t, testPath, evt.OldPath)
 	assert.Equal(t, renamedPath, evt.NewPath)
 }
+
+func mustAbsPath(filename string) string {
+	abspath, err := filepath.Abs(filename)
+	if err != nil {
+		panic(err)
+	}
+	return abspath
+}
@@ -860,6 +860,8 @@ func TestFilestreamSymlinkRemoved(t *testing.T) {
 
 // test_truncate from test_harvester.py
 func TestFilestreamTruncate(t *testing.T) {
+	t.Skip("Flaky test: https://github.com/elastic/beats/issues/25217")
+
 	env := newInputTestingEnvironment(t)
 
 	testlogName := "test.log"
 
@@ -5,9 +5,11 @@
 package tools
 
 import (
+	_ "github.com/magefile/mage"
 	_ "github.com/pierrre/gotestcover"
 	_ "github.com/tsg/go-daemon"
 	_ "golang.org/x/tools/cmd/goimports"
+	_ "gotest.tools/gotestsum/cmd"
 
 	_ "github.com/mitchellh/gox"
 	_ "golang.org/x/lint/golint"
 
@@ -5,9 +5,11 @@
 package tools
 
 import (
+	_ "github.com/magefile/mage"
 	_ "github.com/pierrre/gotestcover"
 	_ "github.com/tsg/go-daemon"
 	_ "golang.org/x/tools/cmd/goimports"
+	_ "gotest.tools/gotestsum/cmd"
 
 	_ "github.com/mitchellh/gox"
 	_ "golang.org/x/lint/golint"