Can't drop field in checkpoint filebeat module

I want to drop a field in the checkpoint filebeat module. I tried writing rule_name and rule.name in "fields", and prefixing them with "checkpoint", but it doesn't work. Can somebody please help me?
filebeat.yml

processors:
  - drop_fields:
      fields: [ "rule_name" ]

logfile

{"log.level":"debug","@timestamp":"2023-12-19T13:58:52.194Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":136},"message":"Fail to apply processor global{drop_fields={\"Fields\":[\"rule_name\"],\"RegexpFields\":[],\"IgnoreMissing\":false}}: failed to drop field [rule_name], error: key not found","service.name":"filebeat","ecs.version":"1.6.0"}
{"log.level":"debug","@timestamp":"2023-12-19T13:58:52.195Z","log.logger":"processors","log.origin":{"file.name":"processing/processors.go","file.line":213},"message":"Publish event: {\n  \"@timestamp\": \"2023-12-19T13:58:52.194Z\",\n  \"@metadata\": {\n    \"beat\": \"filebeat\",\n    \"type\": \"_doc\",\n    \"version\": \"8.11.3\",\n    \"truncated\": false,\n    \"pipeline\": \"filebeat-8.11.3-checkpoint-firewall-pipeline\"\n  },\n  \"agent\": {\n    \"type\": \"filebeat\",\n    \"version\": \"8.11.3\",\n    \"ephemeral_id\": \"fdb63023-be42-417c-81ab-68fc7ef43f3c\",\n    \"id\": \"781eb65e-e468-45cd-9d6d-2473c69d334b\",\n    \"name\": \"rsyslog-server\"\n  },\n  \"message\": \"<134>1 2023-12-19T13:58:50Z FWM CheckPoint 14102 - [action:\\\"Accept\\\"; conn_direction:\\\"Internal\\\"; flags:\\\"4606214\\\"; ifdir:\\\"inbound\\\"; ifname:\\\"eth3-01.121\\\"; logid:\\\"0\\\"; loguid:\\\"{0x20712d84,0xd822359e,0xe4142bc1,0x17e8a7a6}\\\"; origin:\\\"192.168.11.2\\\"; originsicname:\\\"CN=fw-a,O=FWM..739ad9\\\"; sequencenum:\\\"989\\\"; time:\\\"1702994330\\\"; version:\\\"5\\\"; __policy_id_tag:\\\"product=VPN-1 & FireWall-1[db_tag={001C300F-01DD-0448-8647-09601F173D30};mgmt=FWM;date=1702974939;policy_name=Emperia\\\\]\\\"; dst:\\\"10.20.57.121\\\"; log_delay:\\\"1702994330\\\"; layer_name:\\\"Emperia Security\\\"; layer_name:\\\"App_URL\\\"; layer_uuid:\\\"563d79c2-6291-4eff-b1b5-e2568fd9858c\\\"; layer_uuid:\\\"6e30b814-3cee-4e04-8f07-6812e20b9c7c\\\"; match_id:\\\"26\\\"; match_id:\\\"33554431\\\"; parent_rule:\\\"0\\\"; parent_rule:\\\"0\\\"; rule_action:\\\"Accept\\\"; rule_action:\\\"Accept\\\"; rule_name:\\\"Implicit Cleanup\\\"; rule_uid:\\\"d6885c0c-3bcf-4aee-8d8d-68901511bd3f\\\"; product:\\\"VPN-1 & FireWall-1\\\"; proto:\\\"6\\\"; s_port:\\\"52788\\\"; service:\\\"10050\\\"; service_id:\\\"tcp_10050\\\"; src:\\\"10.10.11.155\\\"]\\n\",\n  \"event\": {\n    \"module\": \"checkpoint\",\n    \"timezone\": \"+00:00\",\n    \"dataset\": \"checkpoint.firewall\"\n  },\n  \"ecs\": {\n    \"version\": \"8.0.0\"\n  },\n  \"service\": {\n    \"type\": \"checkpoint\"\n  },\n  \"input\": {\n    \"type\": \"udp\"\n  },\n  \"log\": {\n    \"source\": {\n      \"address\": \"192.168.11.10:57393\"\n    }\n  },\n  \"tags\": [\n    \"checkpoint-firewall\",\n    \"forwarded\"\n  ],\n  \"fileset\": {\n    \"name\": \"firewall\"\n  }\n}","service.name":"filebeat","ecs.version":"1.6.0"}

JSON in Elasticsearch

{
    "_index": "checkpoint-fw-2023.12.19",
    "_type": "_doc",
    "_id": "diNfgowBRSiKqRmmz5Bc",
    "_score": 1,
    "_source": {
      "checkpoint": {
        "conn_direction": "Internal",
        "rule_action": [
          "Accept",
          "Accept"
        ],
        "match_id": [
          "26",
          "33554431"
        ],
        "parent_rule": [
          "0",
          "0"
        ],
        "log_delay": "1702994330",
        "logid": "0"
      },
      "server": {
        "port": 10050,
        "ip": "10.20.57.121"
      },
      "agent": {
        "name": "rsyslog-server",
        "id": "781eb65e-e468-45cd-9d6d-2473c69d334b",
        "type": "filebeat",
        "ephemeral_id": "fdb63023-be42-417c-81ab-68fc7ef43f3c",
        "version": "8.11.3"
      },
      "log": {
        "source": {
          "address": "192.168.11.10:57393"
        }
      },
      "destination": {
        "port": 10050,
        "ip": "10.20.57.121"
      },
      "rule": {
        "name": "Implicit Cleanup",
        "uuid": "d6885c0c-3bcf-4aee-8d8d-68901511bd3f"
      },
      "source": {
        "port": 52788,
        "ip": "10.10.11.155"
      },
      "network": {
        "application": "tcp_10050",
        "name": [
          "Emperia Security",
          "App_URL"
        ],
        "transport": "tcp",
        "iana_number": "6",
        "direction": "inbound"
      },
      "observer": {
        "ingress": {
          "interface": {
            "name": "eth3-01.121"
          }
        },
        "product": "VPN-1 & FireWall-1",
        "vendor": "Checkpoint",
        "name": "192.168.11.2",
        "type": "firewall"
      },
      "ecs": {
        "version": "8.0.0"
      },
      "related": {
        "ip": [
          "10.10.11.155",
          "10.20.57.121"
        ]
      },
      "client": {
        "port": 52788,
        "ip": "10.10.11.155"
      },
      "event": {
        "sequence": 989,
        "ingested": "2023-12-19T13:59:26.16440153Z",
        "timezone": "UTC",
        "created": "2023-12-19T13:58:52.194Z",
        "kind": "event",
        "module": "checkpoint",
        "action": "Accept",
        "id": "{0x20712d84,0xd822359e,0xe4142bc1,0x17e8a7a6}",
        "category": [
          "network"
        ],
        "dataset": "checkpoint.firewall"
      },
      "fileset": {
        "name": "firewall"
      },
      "tags": [
        "checkpoint-firewall",
        "forwarded"
      ],
      "input": {
        "type": "udp"
      },
      "@timestamp": "2023-12-19T13:58:50.000Z",
      "service": {
        "type": "checkpoint"
      }
    },
    "fields": {
      "agent.version.keyword": [
        "8.11.3"
      ],
      "rule.uuid.keyword": [
        "d6885c0c-3bcf-4aee-8d8d-68901511bd3f"
      ],
      "event.category": [
        "network"
      ],
      "checkpoint.rule_action": [
        "Accept",
        "Accept"
      ],
      "server.ip.keyword": [
        "10.20.57.121"
      ],
      "event.category.keyword": [
        "network"
      ],
      "event.dataset.keyword": [
        "checkpoint.firewall"
      ],
      "server.ip": [
        "10.20.57.121"
      ],
      "observer.ingress.interface.name": [
        "eth3-01.121"
      ],
      "observer.type.keyword": [
        "firewall"
      ],
      "service.type": [
        "checkpoint"
      ],
      "observer.vendor": [
        "Checkpoint"
      ],
      "ecs.version.keyword": [
        "8.0.0"
      ],
      "related.ip.keyword": [
        "10.10.11.155",
        "10.20.57.121"
      ],
      "event.kind.keyword": [
        "event"
      ],
      "source.ip": [
        "10.10.11.155"
      ],
      "event.action.keyword": [
        "Accept"
      ],
      "agent.name": [
        "rsyslog-server"
      ],
      "event.kind": [
        "event"
      ],
      "rule.name.keyword": [
        "Implicit Cleanup"
      ],
      "rule.name": [
        "Implicit Cleanup"
      ],
      "checkpoint.logid.keyword": [
        "0"
      ],
      "agent.id.keyword": [
        "781eb65e-e468-45cd-9d6d-2473c69d334b"
      ],
      "fileset.name": [
        "firewall"
      ],
      "input.type": [
        "udp"
      ],
      "client.ip": [
        "10.10.11.155"
      ],
      "network.iana_number.keyword": [
        "6"
      ],
      "tags": [
        "checkpoint-firewall",
        "forwarded"
      ],
      "checkpoint.parent_rule": [
        "0",
        "0"
      ],
      "fileset.name.keyword": [
        "firewall"
      ],
      "destination.ip.keyword": [
        "10.20.57.121"
      ],
      "event.id.keyword": [
        "{0x20712d84,0xd822359e,0xe4142bc1,0x17e8a7a6}"
      ],
      "source.port": [
        52788
      ],
      "agent.id": [
        "781eb65e-e468-45cd-9d6d-2473c69d334b"
      ],
      "client.port": [
        52788
      ],
      "ecs.version": [
        "8.0.0"
      ],
      "observer.type": [
        "firewall"
      ],
      "log.source.address": [
        "192.168.11.10:57393"
      ],
      "event.created": [
        "2023-12-19T13:58:52.194Z"
      ],
      "event.module.keyword": [
        "checkpoint"
      ],
      "network.iana_number": [
        "6"
      ],
      "agent.version": [
        "8.11.3"
      ],
      "observer.product.keyword": [
        "VPN-1 & FireWall-1"
      ],
      "source.ip.keyword": [
        "10.10.11.155"
      ],
      "client.ip.keyword": [
        "10.10.11.155"
      ],
      "checkpoint.match_id.keyword": [
        "26",
        "33554431"
      ],
      "event.timezone.keyword": [
        "UTC"
      ],
      "observer.vendor.keyword": [
        "Checkpoint"
      ],
      "service.type.keyword": [
        "checkpoint"
      ],
      "input.type.keyword": [
        "udp"
      ],
      "destination.port": [
        10050
      ],
      "observer.name": [
        "192.168.11.2"
      ],
      "tags.keyword": [
        "checkpoint-firewall",
        "forwarded"
      ],
      "checkpoint.conn_direction": [
        "Internal"
      ],
      "checkpoint.log_delay.keyword": [
        "1702994330"
      ],
      "event.sequence": [
        989
      ],
      "checkpoint.logid": [
        "0"
      ],
      "agent.type": [
        "filebeat"
      ],
      "observer.name.keyword": [
        "192.168.11.2"
      ],
      "checkpoint.parent_rule.keyword": [
        "0",
        "0"
      ],
      "checkpoint.rule_action.keyword": [
        "Accept",
        "Accept"
      ],
      "event.module": [
        "checkpoint"
      ],
      "checkpoint.conn_direction.keyword": [
        "Internal"
      ],
      "related.ip": [
        "10.10.11.155",
        "10.20.57.121"
      ],
      "network.application": [
        "tcp_10050"
      ],
      "network.application.keyword": [
        "tcp_10050"
      ],
      "server.port": [
        10050
      ],
      "observer.product": [
        "VPN-1 & FireWall-1"
      ],
      "network.direction": [
        "inbound"
      ],
      "event.timezone": [
        "UTC"
      ],
      "agent.type.keyword": [
        "filebeat"
      ],
      "network.direction.keyword": [
        "inbound"
      ],
      "agent.ephemeral_id.keyword": [
        "fdb63023-be42-417c-81ab-68fc7ef43f3c"
      ],
      "checkpoint.log_delay": [
        "1702994330"
      ],
      "agent.name.keyword": [
        "rsyslog-server"
      ],
      "network.name": [
        "Emperia Security",
        "App_URL"
      ],
      "network.transport.keyword": [
        "tcp"
      ],
      "destination.ip": [
        "10.20.57.121"
      ],
      "network.transport": [
        "tcp"
      ],
      "observer.ingress.interface.name.keyword": [
        "eth3-01.121"
      ],
      "rule.uuid": [
        "d6885c0c-3bcf-4aee-8d8d-68901511bd3f"
      ],
      "event.ingested": [
        "2023-12-19T13:59:26.164Z"
      ],
      "event.action": [
        "Accept"
      ],
      "checkpoint.match_id": [
        "26",
        "33554431"
      ],
      "@timestamp": [
        "2023-12-19T13:58:50.000Z"
      ],
      "network.name.keyword": [
        "Emperia Security",
        "App_URL"
      ],
      "agent.ephemeral_id": [
        "fdb63023-be42-417c-81ab-68fc7ef43f3c"
      ],
      "log.source.address.keyword": [
        "192.168.11.10:57393"
      ],
      "event.id": [
        "{0x20712d84,0xd822359e,0xe4142bc1,0x17e8a7a6}"
      ],
      "event.dataset": [
        "checkpoint.firewall"
      ]
    }
  }

Hi,

You can use an ingest pipeline and use the Dot expander processor (Dot expander processor | Elasticsearch Guide [8.11] | Elastic), and then the drop?

Regards

Yeah, I believe the parsing is actually done in the ingest pipeline, so the field doesn't actually exist when the beat processor is running.

Using an ingest pipeline to drop the field is your best bet for sure.
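As an added example (not code from the thread or from the Filebeat module), here is one way to do what the replies suggest, in Kibana Dev Tools console syntax. The debug log above shows why the beat-side `drop_fields` fails: when the processor runs, the event carries only the raw syslog line in `message` (hence `failed to drop field [rule_name], error: key not found`), and `rule.name` is created later by `filebeat-8.11.3-checkpoint-firewall-pipeline` on the Elasticsearch side. An `index.final_pipeline` runs after the request pipeline named in `@metadata.pipeline`, so it sees the parsed document and can remove the field without editing the module's own pipeline, which `filebeat setup` or a version upgrade would recreate. The pipeline name `checkpoint-drop-rule-name` and the template name are my choices; the index pattern `checkpoint-fw-*` is taken from the `_index` in the hit above, and the example assumes no other template already sets `index.final_pipeline` for those indices (if one already governs `checkpoint-fw-*`, add the setting there instead of creating a competing template).

```console
# 1. Pipeline that removes the parsed field (added example; names are assumptions).
#    ignore_missing matters here: not every Check Point event carries rule_name.
PUT _ingest/pipeline/checkpoint-drop-rule-name
{
  "description": "Drop rule.name after the Check Point module pipeline has parsed the event",
  "processors": [
    {
      "remove": {
        "field": ["rule.name"],
        "ignore_missing": true
      }
    }
  ]
}

# 2. Run it as the final pipeline on the custom Check Point indices.
#    index.final_pipeline executes after the request pipeline, i.e. after
#    filebeat-8.11.3-checkpoint-firewall-pipeline has populated rule.name.
PUT _index_template/checkpoint-fw
{
  "index_patterns": ["checkpoint-fw-*"],
  "priority": 500,
  "template": {
    "settings": {
      "index.final_pipeline": "checkpoint-drop-rule-name"
    }
  }
}

# 3. Check before relying on it: simulate the module pipeline followed by the
#    drop pipeline on the raw event from the debug log above. The returned doc
#    should still contain rule.uuid but no rule.name.
POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      { "pipeline": { "name": "filebeat-8.11.3-checkpoint-firewall-pipeline" } },
      { "pipeline": { "name": "checkpoint-drop-rule-name" } }
    ]
  },
  "docs": [
    {
      "_source": {
        "@timestamp": "2023-12-19T13:58:52.194Z",
        "event": { "module": "checkpoint", "dataset": "checkpoint.firewall", "timezone": "+00:00" },
        "fileset": { "name": "firewall" },
        "input": { "type": "udp" },
        "message": "<134>1 2023-12-19T13:58:50Z FWM CheckPoint 14102 - [action:\"Accept\"; conn_direction:\"Internal\"; flags:\"4606214\"; ifdir:\"inbound\"; ifname:\"eth3-01.121\"; logid:\"0\"; loguid:\"{0x20712d84,0xd822359e,0xe4142bc1,0x17e8a7a6}\"; origin:\"192.168.11.2\"; originsicname:\"CN=fw-a,O=FWM..739ad9\"; sequencenum:\"989\"; time:\"1702994330\"; version:\"5\"; __policy_id_tag:\"product=VPN-1 & FireWall-1[db_tag={001C300F-01DD-0448-8647-09601F173D30};mgmt=FWM;date=1702974939;policy_name=Emperia\\]\"; dst:\"10.20.57.121\"; log_delay:\"1702994330\"; layer_name:\"Emperia Security\"; layer_name:\"App_URL\"; layer_uuid:\"563d79c2-6291-4eff-b1b5-e2568fd9858c\"; layer_uuid:\"6e30b814-3cee-4e04-8f07-6812e20b9c7c\"; match_id:\"26\"; match_id:\"33554431\"; parent_rule:\"0\"; parent_rule:\"0\"; rule_action:\"Accept\"; rule_action:\"Accept\"; rule_name:\"Implicit Cleanup\"; rule_uid:\"d6885c0c-3bcf-4aee-8d8d-68901511bd3f\"; product:\"VPN-1 & FireWall-1\"; proto:\"6\"; s_port:\"52788\"; service:\"10050\"; service_id:\"tcp_10050\"; src:\"10.10.11.155\"]\n"
      }
    }
  ]
}
```

The `dot_expander` step from the first reply is not needed in this particular case: the module pipeline already writes `rule.name` as a nested object (see the `"rule": { "name": ... }` block in the hit), so `remove` with the dotted path addresses it directly. Two caveats before rolling this out: a final pipeline applies to every document written to the matched indices, so keep its processor list to the one removal, and `rule.name` is the field most detection content keys on for "which firewall rule matched", so make sure dropping it (rather than, say, excluding it from a view) is really what is wanted.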
