Filebeat Nginx module - add nginx.ingress_controller.upstream.ip to related.ip #34645
Closed
Description
Describe the enhancement:
Add nginx.ingress_controller.upstream.ip to related.ip
Missing ip in related.ip affects security issues discovery cause you can't be sure that all event' ip indeed present in related.ip.
According to ECS field description:
All of the IPs seen on your event.
Describe a specific use case for the enhancement or feature:
In an example below nginx.ingress_controller.upstream.ip 10.10.10.10 not added to related.ip.
POST /_ingest/pipeline/filebeat-8.6.1-nginx-ingress_controller-pipeline/_simulate
{
"docs": [
{
"_source": {
"@timestamp": "2023-02-22T12:51:14.333",
"message" : "11.11.11.11 - - [22/Feb/2023:17:08:50 +0300] \"POST /test/one/api/v2/request HTTP/1.1\" 200 262 \"-\" \"Go-http-client/1.1\" 0 0.080 [test] [] 10.10.10.10:443 - 0.080 200 0"
}
}
]
}
{
"docs": [
{
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"@timestamp": "2023-02-22T14:08:50.000Z",
"nginx": {
"ingress_controller": {
"upstream": {
"alternative_name": "",
"port": 443,
"response": {
"status_code": 200,
"time_list": [
"0.080"
],
"status_code_list": [
"200"
],
"time": 0.08
},
"ip": "10.10.10.10",
"name": "test"
},
"upstream_address_list": [
"10.10.10.10:443"
],
"http": {
"request": {
"length": 0,
"id": "0",
"time": 0.08
}
},
"remote_ip_list": [
"11.11.11.11"
]
}
},
"related": {
"ip": [
"11.11.11.11"
]
},
"http": {
"request": {
"method": "POST",
"id": "0"
},
"response": {
"status_code": 200,
"body": {
"bytes": 262
}
},
"version": "1.1"
},
"source": {
"address": "11.11.11.11",
"ip": "11.11.11.11"
},
"event": {
"ingested": "2023-02-22T14:20:01.380133844Z",
"original": """11.11.11.11 - - [22/Feb/2023:17:08:50 +0300] "POST /test/one/api/v2/request HTTP/1.1" 200 262 "-" "Go-http-client/1.1" 0 0.080 [test] [] 10.10.10.10:443 - 0.080 200 0""",
"created": "2023-02-22T12:51:14.333",
"kind": "event",
"category": [
"web"
],
"type": [
"info"
],
"outcome": "success"
},
"user_agent": {
"original": "Go-http-client/1.1",
"name": "Go-http-client",
"device": {
"name": "Other"
},
"version": "1.1"
},
"url": {
"path": "/test/one/api/v2/request",
"original": "/test/one/api/v2/request"
},
"tags": [
"_geoip_database_unavailable_GeoLite2-City.mmdb",
"_geoip_database_unavailable_GeoLite2-ASN.mmdb"
]
},
"_ingest": {
"timestamp": "2023-02-22T14:20:01.380133844Z"
}
}
}
]
}