Open lucabelluccini opened 1 year ago
The Filebeat Check Point module uses this file as "template": https://github.com/elastic/beats/blob/v8.8.2/x-pack/filebeat/module/checkpoint/firewall/config/firewall.yml
It seems that the template file is switching between `tcp` and `udp` based on the `ssl` settings presence, which is weird.

```yaml
{{ if .ssl }}
type: tcp
host: "{{.syslog_host}}:{{.syslog_port}}"
ssl: {{ .ssl | tojson }}
{{ else if eq .input "syslog" }}
...
```
Meaning that if we use:

```yaml
- module: checkpoint
  firewall:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
    var.ssl.enabled: false
```
We can switch to `tcp`. Proof:

```json
{"log.level":"info","@timestamp":"2023-07-11T18:30:32.159+0200","log.logger":"input.tcp","log.origin":{"file.name":"tcp/input.go","file.line":105},"message":"Starting TCP input","service.name":"filebeat","address":"0.0.0.0:9001","ecs.version":"1.6.0"}
```
It's weird though we have such template. Wouldn't it be better to explicitly call out the protocol to be used?
By the way, it is also tricky now to switch to a "good" behavior as users might have already started using the module...
Also, a general suggestion would be to prefix the `ssl` settings with `var` in the examples of the doc.
FYI @P1llus
(On integrations side https://github.com/elastic/integrations/blob/main/packages/checkpoint/data_stream/firewall/manifest.yml#L4 it seems explicitly set as `input: tcp / udp / logfile` - so all good).
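The behaviour reported above can be reproduced outside Filebeat by executing the same kind of Go `text/template` condition against a map of the module's `var.*` settings. This is an added example written for this page, not code from the Beats repository: the template text is a reconstruction of the quoted fragment (the `udp` branch body is assumed, since the quote is truncated), `tojson` is a stand-in for Filebeat's template function of that name, and the sample settings maps are constructed. It shows that any `ssl` block, even `ssl.enabled: false`, is truthy for `{{ if .ssl }}`, so the `tcp` branch is selected; only omitting `ssl` entirely reaches the `udp` branch.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// inputTemplate is an ASSUMED reconstruction of the branch quoted in the issue.
// The tcp branch mirrors the quote; the udp branch body is assumed because the
// quoted fragment ends in "...".
const inputTemplate = `{{ if .ssl }}type: tcp
host: "{{.syslog_host}}:{{.syslog_port}}"
ssl: {{ .ssl | tojson }}
{{ else if eq .input "syslog" }}type: udp
host: "{{.syslog_host}}:{{.syslog_port}}"
{{ end }}`

// tojson stands in for Filebeat's template function of the same name (assumption:
// it JSON-encodes its argument).
func tojson(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// RenderInput executes the template against a map of the module's var.* settings
// (keys without the "var." prefix, as the template references them).
func RenderInput(vars map[string]interface{}) (string, error) {
	tmpl, err := template.New("firewall").
		Funcs(template.FuncMap{"tojson": tojson}).
		Parse(inputTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, vars); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// SelectedType returns the value of the rendered "type:" line ("tcp", "udp",
// or "" when no branch matched).
func SelectedType(vars map[string]interface{}) (string, error) {
	out, err := RenderInput(vars)
	if err != nil {
		return "", err
	}
	for _, line := range strings.Split(out, "\n") {
		if strings.HasPrefix(line, "type:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "type:")), nil
		}
	}
	return "", nil
}

// baseVars builds a constructed settings map matching the issue's example config.
func baseVars() map[string]interface{} {
	return map[string]interface{}{
		"input":       "syslog",
		"syslog_host": "0.0.0.0",
		"syslog_port": 9001,
	}
}

func main() {
	// Constructed case 1: no ssl key at all -> the udp branch is taken.
	noSSL := baseVars()
	// Constructed case 2: ssl block present but disabled (as in the issue) -> tcp branch.
	disabledSSL := baseVars()
	disabledSSL["ssl"] = map[string]interface{}{"enabled": false}

	for _, c := range []struct {
		name string
		vars map[string]interface{}
	}{{"no ssl block", noSSL}, {"ssl.enabled=false", disabledSSL}} {
		t, err := SelectedType(c.vars)
		fmt.Printf("%-18s -> type %q (err=%v)\n", c.name, t, err)
	}
}
```

The check worth keeping from this is the one in `SelectedType`: when a module's input type is derived indirectly from another setting, render the template with the exact config you ship and assert on the `type:` line, rather than trusting that `enabled: false` means "off".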
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)