[Filebeat] Filebeat Processors - Make User Agent Processor Available To Filebeat

[mr1716]

Hey all, and thanks for all of the work with this wonderful software.

The request is to make the existing ElasticSearch User Agent Processor available to native Filebeat input processing.

There is already the URL Decode processor in Filebeat and adding a user agent processor would help keep things consistent, plus be extremely useful and potentially speed up processing.

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[mr1716]

@mtojek Thanks for adding a label. Would it also be worth adding the enhancement and Filebeat labels in addition to the existing label?

[mr1716]

Just for additional context, this is one of the more popular elastic processors seen in Filebeat Pipelines, so it will be great to get this ported into Filebeat. It is seen in 31 modules, out of 70 modules in Filebeat, which puts it at 44.285% of the modules.

[mr1716]

@jlind23 is there any sense that this will get added into a future version of filebeat?? It would be really super helpful to have by default.

[jlind23]

@mr1716 This is definitely something we should look more deeper at. adding @nimarezainia to have his thoughts on this.

[mr1716]

@nimarezainia What are the thoughts of implementing this into Filebeat?

[mr1716]

@jlind23 wanted to circle back to see how this is going.

[jlind23]

@mr1716 unfortunately nothing moved on our end so far as we are working on some other priorities. Getting @nimarezainia attention on it again.

[UcanInfosec]

Hey @jlind23 and @nimarezainia, hope all is well. Are there any updates?

[nimarezainia]

@mr1716 & @UcanInfosec apologies for the delay. I am wondering if you have looked at using Elastic Agent instead of Filebeat for your data collection needs? if that is on your roadmap we can look at making this enhancement there. Please let me know.

[mr1716]

@nimarezainia thanks for taking the time. At this time, it is not possible to move to the general elastic agent. I think that this is something we would want to be added into Filebeat/beats program.

[nimarezainia]

@mr1716 thanks for the info. Just so that we can plan better is there a product feature that is an impediment to this move to the Agent? does it generally satisfy your requirements?

[nimarezainia]

@UcanInfosec apologies at the moment we don't have a targeted release date for this due to other priorities.

[UcanInfosec]

@nimarezainia thanks. I don’t think that moving is an option due to the fact that the existing program works so well. Why change and do additional work when the existing solution already works? What is the benefit to using the agent?

[nimarezainia]

@UcanInfosec that's a good qualitative data I was looking for. Thank you.

I don;t know how many beats you have deployed on each host, the Elastic agent is a single binary that enables many of the functionality that the beats have. Can be deployed as a standalone or using the central management to manage the life-cycle of the agents. Equally giving users the ability to diagnose health of their deployment. The user also has access to other security solutions like SIEM and EDR (to name a few) using the same binary.

I'm bordering on a marketing spiel in a beats repo so I will stop there :-)

[mr1716]

Hey @nimarezainia, how is this progressing? Is there any movement on a due date?

[nimarezainia]

Hi @mr1716, sorry at the moment we are unable to prioritize this development due to other higher priority items on our plate.

[mr1716]

@nimarezainia thanks. This is unfortunate. Will look at using an elastic agent and beats alternative then

[botelastic[bot]]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[HakanDmrhn]

Still waiting for the user agent processor :-)