elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Check Point module - Review the docs/template on how to switch between UDP/TCP #36043

Open lucabelluccini opened 1 year ago

lucabelluccini commented 1 year ago

The Filebeat Check Point module uses this file as "template": https://github.com/elastic/beats/blob/v8.8.2/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml

It seems that the template file is switching between tcp and udp based on the ssl settings presence, which is weird.

```
{{ if .ssl }}
type: tcp
host: "{{.syslog_host}}:{{.syslog_port}}"
ssl: {{ .ssl | tojson }}
{{ else if eq .input "syslog" }}
...
```

Meaning that if we use:

```yaml
- module: checkpoint
  firewall:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    var.ssl.enabled: false
```

We can switch to tcp. Proof:

```json
{"log.level":"info","@timestamp":"2023-07-11T18:30:32.159+0200","log.logger":"input.tcp","log.origin":{"file.name":"tcp/input.go","file.line":105},"message":"Starting TCP input","service.name":"filebeat","address":"0.0.0.0:9001","ecs.version":"1.6.0"}
```

It's weird though we have such template. Wouldn't it be better to explicitly call out the protocol to be used?

By the way, it is also tricky now to switch to a "good" behavior as users might have already started using the module...

Also, a general suggestion would be to prefix the ssl settings with var in the examples of the doc.

FYI @P1llus

(On integrations side https://github.com/elastic/integrations/blob/main/packages/checkpoint/data_stream/firewall/manifest.yml#L4 it seems explicitly set as input: tcp / udp / logfile - so all good).
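To make the template behaviour reproducible outside Filebeat, here is an added Go example (not code from the Beats repository) that renders a simplified copy of the quoted `firewall.yml` branches with Go's `text/template`; the `ssl: {{ .ssl | tojson }}` line is left out because `tojson` is a Beats-registered helper, and the variable maps are constructed to mirror the module config above.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// tmpl is an assumed simplification of the quoted firewall.yml template:
// the first branch is taken whenever .ssl is set at all, even if every
// key inside it (such as enabled: false) turns TLS off.
const tmpl = `{{ if .ssl -}}
type: tcp
host: "{{.syslog_host}}:{{.syslog_port}}"
{{- else if eq .input "syslog" }}
type: udp
host: "{{.syslog_host}}:{{.syslog_port}}"
{{- else }}
type: log
{{- end }}
`

// renderInputType executes the template against the module vars and
// returns the "type:" value Filebeat would end up with.
func renderInputType(vars map[string]any) (string, error) {
	t, err := template.New("firewall").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, vars); err != nil {
		return "", err
	}
	for _, line := range strings.Split(out.String(), "\n") {
		if strings.HasPrefix(line, "type:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "type:")), nil
		}
	}
	return "", fmt.Errorf("no type line rendered")
}

func main() {
	// Constructed vars: ssl.enabled=false is still a non-empty map, so
	// {{ if .ssl }} is true and the input becomes TCP; dropping the ssl
	// block entirely falls through to the UDP syslog branch.
	base := map[string]any{"input": "syslog", "syslog_host": "0.0.0.0", "syslog_port": 9001}
	withSSLFalse := map[string]any{"ssl": map[string]any{"enabled": false}}
	for k, v := range base {
		withSSLFalse[k] = v
	}
	for _, c := range []struct{ name string; vars map[string]any }{{"ssl.enabled=false", withSSLFalse}, {"no ssl block", base}} {
		typ, err := renderInputType(c.vars)
		fmt.Printf("%-18s -> type: %s (err=%v)\n", c.name, typ, err)
	}
}
```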

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine commented 8 months ago

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)