Filebeat: Have filesets disabled unless explicitly configured

[adriansr]

What does this PR do?

This changes fileset loading so that only filesets that are explicitly defined in the configuration are enabled.

Why is it important?

Until now, an enabled module will have all its filesets enabled unless they are explicitly disabled, which makes for a bad user experience for modules that contain a lot of filesets.

This will break existing configurations where a module is enabled without explicitly enabling any fileset. For example the following configuration suggested by our docs:

The following example shows a configuration that runs the nginx,mysql, and system modules:

filebeat.modules:
- module: nginx
- module: mysql
- module: system

This is updated to:

filebeat.modules:
- module: nginx
  access:
  error:
- module: mysql
  slowlog:
- module: system
  auth:

To alert users when a broken configuration like this is detected, the following warning log will be emitted:

2021-08-20T13:10:34.587+0200 INFO beater/filebeat.go:113 Enabled modules/filesets: nginx (), mysql (), system (auth), ()
2021-08-20T13:10:34.587+0200 WARN beater/filebeat.go:124 Module nginx is enabled but has no enabled filesets
2021-08-20T13:10:34.587+0200 WARN beater/filebeat.go:124 Module mysql is enabled but has no enabled filesets

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Closes #17256
Related to #11943

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

Pinging @elastic/integrations (Team:Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2021-09-13T17:07:41.090+0000

• Duration: 103 min 15 sec

• Commit: f90f9fa

Test stats 🧪

Test	Results
Failed	0
Passed	15302
Skipped	2314
Total	17616

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	15302
Skipped	2314
Total	17616

[jsoriano]

I love this change, but it can be breaking in some cases. Does this change target 8.0, or you propose to backport it for 7.x?

[adriansr]

@jsoriano this targets 8.0

[adriansr]

/test

[aspacca]

@adriansr
what's the plan for the files on modules.d?
they currently contain all the filesets, usually enabled, and all the available var.* to configure the fileset.

[kaiyan-sheng]

Thank you @adriansr for working on this change! With this change, do we still require enabled: false for all disabled filesets? Maybe we should add a test with enabled: false as well? For example:

filebeat.modules:
- module: nginx
  access:
    enabled: false
  error:
    enabled: false

[adriansr]

@aspacca that's a good question.

I've been going through the default configurations and applied the following:

• For heavy modules with a lot of independent filesets (i.e. cisco), made all disabled by default.
• For modules with "active" filesets which query an external API and usually require auth configuration, made them disabled by default (i.e. threatintel).
• If one fileset needs to be disabled by default, make all the module's filesets disabled.

This results in the following modules having all filesets disabled in their default config:

• azure: Queries an external API (1 fileset).
• cisco: Heavy module which is unlikely an user will need more than one or two filesets enabled (7 filesets).
• fortinet: Heavy module which is unlikely an user will need more than one or two filesets enabled (4 filesets).
• gcp: Queries external API (3 filesets).
• google_workspace: Queries external API (6 filesets).
• googlecloud: Queries external API (3 filesets).
• gsuite: Queries external API (6 filesets).
• juniper: Heavy module which is unlikely an user will need more than one or two filesets enabled (3 filesets).
• microsoft: Queries external API (3 filesets).
• misp: Queries external API (1 fileset).
• o365: Queries external API (1 fileset).
• okta: Queries external API (1 fileset).
• snyk: Queries external API (2 filesets).
• threatintel: Queries external API (8 filesets).

All other modules keep their filesets enabled by default.

Maybe this is too confusing and we should make everything disabled by default?

/cc @andrewkroh @kaiyan-sheng

[aspacca]

@adriansr

I would rather disabled everything by default (unless part of module enabled by default): I see that if users are enabling a module probably they have to configure it and marking the related filesets as enabled as a part of the configuration

That's mainly because an enabled fileset that's not properly configured, while not breaking Filebeat (preventing it to start for example) will probably produces some logs about the misconfiguration that could be confusing for the users: see #27612 for an use case we just found

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fb_disable_filesets upstream/fb_disable_filesets
git merge upstream/master
git push upstream fb_disable_filesets

[adriansr]

I've removed the changes to the default configuration files and will follow up with a separate PR that changes all modules' configurations to enabled: false.

[aspacca]

due to https://github.com/elastic/beats/pull/27526/files#diff-515d023121b7ec77d64c2a0cfcfe3dc6f9b46e19166e71ac34e5f5cf74fddfe6L74-L76 we could have a case where fcfg.Enabled = nil and the fileset was not skipped.
now fcfc comes from defined filesets: https://github.com/elastic/beats/pull/27526/files#diff-515d023121b7ec77d64c2a0cfcfe3dc6f9b46e19166e71ac34e5f5cf74fddfe6R72, but still it can be the case that enabled: false is not defined.
I'd change this to if fcfg.Enabled == nil || !(*fcfg.Enabled)

what do you think @adriansr ?

[adriansr]

This PR maintains the current behavior of the enabled flag: If it's not defined, it defaults to true. So enabled==nil || *enabled is the true check, and enabled!=nil && !(*enabled) is the false check.

[aspacca]

got it @adriansr, but what do you think about changing this behaviour?

cc @exekias this is related to what we discussed in #27612

We could address in another PR in case, just opening the discussion

[adriansr]

The problem with this change is that it introduces another breaking change, and will potentially break existing configurations for our users. Also it makes configuring filesets from the command line more complicated as it forces users to always include an enabled flag -M mymodule.mydataset.enabled=true.

[aspacca]

I understand your concern, it is actually a breaking change.

The problem I see in enabling by default if not explicitly disabled is that we miss the chance to enforce stricter validation on filesets where there is not a default not failing config (see #27612 ).
In the specific case there's no option to either prevent filebeat from starting if we introduce the validation, or let it start with a misconfigured explicitly enabled fileset that will stop as input.

Also what we have as current behaviour is the possibility of filesets starting and stopping because "implicitly" enabled and not properly configured, producing noisy logs that could be confusing.

Hard choice to take, indeed

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fb_disable_filesets upstream/fb_disable_filesets
git merge upstream/master
git push upstream fb_disable_filesets

[adriansr]

/test