Add correct host info for cloud provider virtual machines (#2126)

Author: kubasobon

_meta/config/processors.yml.tmpl

@@ -3,7 +3,8 @@
 # Configure processors to enhance or manipulate events generated by the beat.
 
 processors:
-  - add_host_metadata: ~
+# in case you run in EKS/Kubernetes environment, you can use the following processor to add node metadata
+# - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   # in case you run in EKS/Kubernetes environment, you can use the following processor to add cluster id

cloudbeat.yml

@@ -117,7 +117,8 @@ output.elasticsearch:
 # Configure processors to enhance or manipulate events generated by the beat.
 
 processors:
-  - add_host_metadata: ~
+# in case you run in EKS/Kubernetes environment, you can use the following processor to add node metadata
+# - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   # in case you run in EKS/Kubernetes environment, you can use the following processor to add cluster id

cmd/root.go

@@ -23,6 +23,7 @@ import (
 	"github.com/elastic/beats/v7/libbeat/cmd"
 	"github.com/elastic/beats/v7/libbeat/cmd/instance"
 	"github.com/elastic/beats/v7/libbeat/common/reload"
+	"github.com/elastic/beats/v7/libbeat/publisher/processing"
 	_ "github.com/elastic/beats/v7/x-pack/libbeat/include"
 	"github.com/elastic/beats/v7/x-pack/libbeat/management"
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
@@ -36,7 +37,16 @@ import (
 var Name = "cloudbeat"
 
 // RootCmd to handle beats cli
-var RootCmd = cmd.GenRootCmdWithSettings(beater.New, instance.Settings{Name: Name, Version: version.CloudbeatSemanticVersion()})
+var RootCmd = cmd.GenRootCmdWithSettings(
+	beater.New,
+	instance.Settings{
+		Name:    Name,
+		Version: version.CloudbeatSemanticVersion(),
+		// Supply our own processing pipeline. Same as processing.MakeDefaultBeatSupport, but without
+		// `processing.WithHost`.
+		Processing: processing.MakeDefaultSupport(true, nil, processing.WithECS, processing.WithAgentMeta()),
+	},
+)
 
 func cloudbeatCfg(rawIn *proto.UnitExpectedConfig, agentInfo *client.AgentInfo) ([]*reload.ConfigWithMeta, error) {
 	modules, err := management.CreateInputsFromStreams(rawIn, "logs", agentInfo)

deploy/aws/cloudbeat-aws.yml

@@ -47,7 +47,6 @@ output.elasticsearch:
 
 # ================================= Processors =================================
 processors:
-  - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
 

deploy/azure/cloudbeat-azure.yml

@@ -49,7 +49,6 @@ output.elasticsearch:
 
 # ================================= Processors =================================
 processors:
-  - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
 

deploy/gcp/cloudbeat-gcp.yml

@@ -49,7 +49,6 @@ output.elasticsearch:
 
 # ================================= Processors =================================
 processors:
-  - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
 

deploy/kustomize/overlays/cloudbeat-aws/cloudbeat.yml

@@ -48,7 +48,7 @@ output.elasticsearch:
 
 # ================================= Processors =================================
 processors:
-  - add_host_metadata: ~
+  # - add_host_metadata: ~
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   - add_cluster_id: ~

internal/flavors/posture.go

@@ -64,6 +64,12 @@ func newPostureFromCfg(b *beat.Beat, cfg *config.Config) (*posture, error) {
 		return nil, err
 	}
 
+	err = ensureHostProcessor(log, cfg)
+	if err != nil {
+		cancel()
+		return nil, err
+	}
+
 	client, err := NewClient(b.Publisher, cfg.Processors)
 	if err != nil {
 		cancel()
@@ -108,3 +114,18 @@ func (bt *posture) Stop() {
 
 	bt.cancel()
 }
+
+// ensureAdditionalProcessors modifies cfg.Processors list to ensure 'host'
+// processor is present for K8s and EKS benchmarks.
+func ensureHostProcessor(log *logp.Logger, cfg *config.Config) error {
+	if cfg.Benchmark != config.CIS_EKS && cfg.Benchmark != config.CIS_K8S {
+		return nil
+	}
+	log.Info("Adding host processor config")
+	hostProcessor, err := agentconfig.NewConfigFrom("add_host_metadata: ~")
+	if err != nil {
+		return err
+	}
+	cfg.Processors = append(cfg.Processors, hostProcessor)
+	return nil
+}

internal/resources/fetching/fetchers/azure/assets_fetcher.go

@@ -175,5 +175,30 @@ func (r *AzureResource) GetMetadata() (fetching.ResourceMetadata, error) {
 }
 
 func (r *AzureResource) GetElasticCommonData() (map[string]any, error) {
+	if r.Asset.Type == inventory.VirtualMachineAssetType {
+		m := map[string]any{
+			"host.name": r.Asset.Name,
+		}
+
+		// "host.hostname" = "properties.osProfile.computerName" if it exists
+		osProfileRaw, ok := r.Asset.Properties["osProfile"]
+		if !ok {
+			return m, nil
+		}
+		osProfile, ok := osProfileRaw.(map[string]any)
+		if !ok {
+			return m, nil
+		}
+		computerNameRaw, ok := osProfile["computerName"]
+		if !ok {
+			return m, nil
+		}
+		computerName, ok := computerNameRaw.(string)
+		if !ok {
+			return m, nil
+		}
+		m["host.hostname"] = computerName
+		return m, nil
+	}
 	return nil, nil
 }

internal/resources/fetching/fetchers/azure/assets_fetcher_test.go

@@ -220,7 +220,11 @@ func (s *AzureAssetsFetcherTestSuite) TestFetcher_Fetch() {
 
 			ecs, err := result.GetElasticCommonData()
 			s.Require().NoError(err)
-			s.Empty(ecs)
+			if expected.Type == inventory.VirtualMachineAssetType {
+				s.Contains(ecs, "host.name")
+			} else {
+				s.Empty(ecs)
+			}
 		})
 	}
 }
@@ -266,6 +270,143 @@ func (s *AzureAssetsFetcherTestSuite) TestFetcher_Fetch_Errors() {
 	}, metadata)
 }
 
+func (s *AzureAssetsFetcherTestSuite) TestFetcher_Fetch_VM_Hostname_Empty() {
+	mockAssetGroups := make(map[string][]inventory.AzureAsset)
+	totalMockAssets := 0
+	var flatMockAssets []inventory.AzureAsset
+	for _, assetGroup := range AzureAssetGroups {
+		var mockAssets []inventory.AzureAsset
+		propertyVariations := [](map[string]any){
+			map[string]any{"definitelyNotOsProfile": "nope"},
+			map[string]any{"osProfile": map[string]any{"notComputerName": "nope"}},
+			map[string]any{"osProfile": map[string]any{"computerName": 42}},
+		}
+		for _, properties := range propertyVariations {
+			mockAssets = append(mockAssets,
+				inventory.AzureAsset{
+					Id:             "id",
+					Name:           "name",
+					Location:       "location",
+					Properties:     properties,
+					ResourceGroup:  "rg",
+					SubscriptionId: "subId",
+					TenantId:       "tenantId",
+					Type:           inventory.VirtualMachineAssetType,
+					Sku:            map[string]any{"key": "value"},
+					Identity:       map[string]any{"key": "value"},
+				},
+			)
+		}
+		totalMockAssets += len(mockAssets)
+		mockAssetGroups[assetGroup] = mockAssets
+		flatMockAssets = append(flatMockAssets, mockAssets...)
+	}
+
+	mockProvider := azurelib.NewMockProviderAPI(s.T())
+	mockProvider.EXPECT().GetSubscriptions(mock.Anything, mock.Anything).Return(
+		map[string]governance.Subscription{
+			"subId": {
+				FullyQualifiedID: "subId",
+				ShortID:          "subId",
+				DisplayName:      "subName",
+				ManagementGroup: governance.ManagementGroup{
+					FullyQualifiedID: "mgId",
+					DisplayName:      "mgName",
+				},
+			},
+		}, nil,
+	).Twice()
+	mockProvider.EXPECT().
+		ListDiagnosticSettingsAssetTypes(mock.Anything, cycle.Metadata{}, []string{"subId"}).
+		Return(nil, nil).
+		Once()
+	mockProvider.EXPECT().
+		ListAllAssetTypesByName(mock.Anything, mock.AnythingOfType("string"), mock.AnythingOfType("[]string")).
+		RunAndReturn(func(_ context.Context, assetGroup string, _ []string) ([]inventory.AzureAsset, error) {
+			return mockAssetGroups[assetGroup], nil
+		})
+
+	results, err := s.fetch(mockProvider, totalMockAssets)
+	s.Require().NoError(err)
+	for index, result := range results {
+		expected := flatMockAssets[index]
+		s.Run(expected.Type, func() {
+			s.Equal(expected, result.GetData())
+
+			ecs, err := result.GetElasticCommonData()
+			s.Require().NoError(err)
+			s.Contains(ecs, "host.name")
+			s.NotContains(ecs, "host.hostname", "ECS data should not contain host.hostname for incomplete properties")
+		})
+	}
+}
+
+func (s *AzureAssetsFetcherTestSuite) TestFetcher_Fetch_VM_Hostname_OK() {
+	mockAssetGroups := make(map[string][]inventory.AzureAsset)
+	totalMockAssets := 0
+	var flatMockAssets []inventory.AzureAsset
+	for _, assetGroup := range AzureAssetGroups {
+		var mockAssets []inventory.AzureAsset
+		mockAssets = append(mockAssets,
+			inventory.AzureAsset{
+				Id:             "id",
+				Name:           "name",
+				Location:       "location",
+				Properties:     map[string]any{"osProfile": map[string]any{"computerName": "hostname"}},
+				ResourceGroup:  "rg",
+				SubscriptionId: "subId",
+				TenantId:       "tenantId",
+				Type:           inventory.VirtualMachineAssetType,
+				Sku:            map[string]any{"key": "value"},
+				Identity:       map[string]any{"key": "value"},
+			},
+		)
+		totalMockAssets += len(mockAssets)
+		mockAssetGroups[assetGroup] = mockAssets
+		flatMockAssets = append(flatMockAssets, mockAssets...)
+	}
+
+	mockProvider := azurelib.NewMockProviderAPI(s.T())
+	mockProvider.EXPECT().GetSubscriptions(mock.Anything, mock.Anything).Return(
+		map[string]governance.Subscription{
+			"subId": {
+				FullyQualifiedID: "subId",
+				ShortID:          "subId",
+				DisplayName:      "subName",
+				ManagementGroup: governance.ManagementGroup{
+					FullyQualifiedID: "mgId",
+					DisplayName:      "mgName",
+				},
+			},
+		}, nil,
+	).Twice()
+	mockProvider.EXPECT().
+		ListDiagnosticSettingsAssetTypes(mock.Anything, cycle.Metadata{}, []string{"subId"}).
+		Return(nil, nil).
+		Once()
+	mockProvider.EXPECT().
+		ListAllAssetTypesByName(mock.Anything, mock.AnythingOfType("string"), mock.AnythingOfType("[]string")).
+		RunAndReturn(func(_ context.Context, assetGroup string, _ []string) ([]inventory.AzureAsset, error) {
+			return mockAssetGroups[assetGroup], nil
+		})
+
+	results, err := s.fetch(mockProvider, totalMockAssets)
+	s.Require().NoError(err)
+	for index, result := range results {
+		expected := flatMockAssets[index]
+		s.Run(expected.Type, func() {
+			s.Equal(expected, result.GetData())
+
+			ecs, err := result.GetElasticCommonData()
+			s.Require().NoError(err)
+			s.Contains(ecs, "host.name")
+			s.Equal("name", ecs["host.name"])
+			s.Contains(ecs, "host.hostname")
+			s.Equal("hostname", ecs["host.hostname"])
+		})
+	}
+}
+
 func (s *AzureAssetsFetcherTestSuite) fetch(provider *azurelib.MockProviderAPI, expectedLength int) ([]fetching.ResourceInfo, error) {
 	fetcher := AzureAssetsFetcher{
 		log:        testhelper.NewLogger(s.T()),

internal/resources/fetching/fetchers/gcp/assets_fetcher.go

@@ -148,6 +148,26 @@ func (r *GcpAsset) GetMetadata() (fetching.ResourceMetadata, error) {
 }
 
 func (r *GcpAsset) GetElasticCommonData() (map[string]any, error) {
+	if r.Type == fetching.CloudCompute && r.SubType == inventory.ComputeInstanceAssetType {
+		m := map[string]any{}
+		data := r.ExtendedAsset.Resource.Data
+		if data == nil {
+			return nil, nil
+		}
+		nameField, ok := data.Fields["name"]
+		if ok {
+			if name := nameField.GetStringValue(); name != "" {
+				m["host.name"] = name
+			}
+		}
+		hostnameField, ok := data.Fields["hostname"]
+		if ok {
+			if hostname := hostnameField.GetStringValue(); hostname != "" {
+				m["host.hostname"] = hostname
+			}
+		}
+		return m, nil
+	}
 	return nil, nil
 }
 

internal/resources/fetching/fetchers/gcp/assets_fetcher_test.go

@@ -25,6 +25,7 @@ import (
 	"github.com/samber/lo"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/suite"
+	"google.golang.org/protobuf/types/known/structpb"
 
 	"github.com/elastic/cloudbeat/internal/resources/fetching"
 	"github.com/elastic/cloudbeat/internal/resources/fetching/cycle"
@@ -96,3 +97,56 @@ func (s *GcpAssetsFetcherTestSuite) TestFetcher_Fetch() {
 		s.Equal("orgName", cloudAccountMetadata.OrganizationName)
 	})
 }
+
+func (s *GcpAssetsFetcherTestSuite) TestFetcher_ElasticCommonData() {
+	cases := []struct {
+		resourceData map[string]any
+		expectedECS  map[string]any
+	}{
+		{
+			resourceData: map[string]any{},
+			expectedECS:  map[string]any{},
+		},
+		{
+			resourceData: map[string]any{"name": ""},
+			expectedECS:  map[string]any{},
+		},
+		{
+			resourceData: map[string]any{"name": "henrys-vm"},
+			expectedECS:  map[string]any{"host.name": "henrys-vm"},
+		},
+		{
+			resourceData: map[string]any{"hostname": ""},
+			expectedECS:  map[string]any{},
+		},
+		{
+			resourceData: map[string]any{"hostname": "henrys-vm"},
+			expectedECS:  map[string]any{"host.hostname": "henrys-vm"},
+		},
+		{
+			resourceData: map[string]any{"name": "x", "hostname": "y"},
+			expectedECS:  map[string]any{"host.name": "x", "host.hostname": "y"},
+		},
+	}
+
+	for _, tc := range cases {
+		dataStruct, err := structpb.NewStruct(tc.resourceData)
+		s.Require().NoError(err)
+
+		asset := &GcpAsset{
+			Type:    fetching.CloudCompute,
+			SubType: inventory.ComputeInstanceAssetType,
+			ExtendedAsset: &inventory.ExtendedGcpAsset{
+				Asset: &assetpb.Asset{
+					Resource: &assetpb.Resource{
+						Data: dataStruct,
+					},
+				},
+			},
+		}
+
+		ecs, err := asset.GetElasticCommonData()
+		s.Require().NoError(err)
+		s.Equal(tc.expectedECS, ecs)
+	}
+}