elastic · ChrsMark · Feb 12, 2020 · Feb 7, 2020 · Feb 10, 2020 · Feb 10, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -110,11 +110,13 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 
 *Filebeat*
+
 - Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]
 - Add dashboard for AWS ELB fileset. {pull}15804[15804]
 - Add dashboard for AWS vpcflow fileset. {pull}16007[16007]
 - Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936]
 - Add custom string mapping to CEF module to support Forcepoint NGFW {issue}14663[14663] {pull}15910[15910]
+- Add ingress nginx controller fileset {pull}16197[16197]
 - move create-[module,fileset,fields] to mage and enable in x-pack/filebeat {pull}15836[15836]
 - Add ECS tls and categorization fields to apache module. {issue}16032[16032] {pull}16121[16121]
 

diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
@@ -20140,6 +20140,304 @@ alias to: message
 
 --
 
+[float]
+=== ingress_controller
+
+Contains fields for the Ingress Nginx controller access logs.
+
+
+
+*`nginx.ingress_controller.remote_ip_list`*::
++
+--
+An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`.
+
+
+type: array
+
+--
+
+*`nginx.ingress_controller.http.request.length`*::
++
+--
+The request length (including request line, header, and request body)
+
+
+type: long
+
+format: bytes
+
+--
+
+*`nginx.ingress_controller.http.request.time`*::
++
+--
+Time elapsed since the first bytes were read from the client
+
+
+type: double
+
+format: duration
+
+--
+
+*`nginx.ingress_controller.upstream.name`*::
++
+--
+The name of the upstream.
+
+
+type: text
+
+--
+
+*`nginx.ingress_controller.upstream.alternative_name`*::
++
+--
+The name of the alternative upstream.
+
+
+type: text
+
+--
+
+*`nginx.ingress_controller.upstream.response.length`*::
++
+--
+The length of the response obtained from the upstream server
+
+
+type: long
+
+format: bytes
+
+--
+
+*`nginx.ingress_controller.upstream.response.time`*::
++
+--
+The time spent on receiving the response from the upstream server as seconds with millisecond resolution
+
+
+type: double
+
+format: duration
+
+--
+
+*`nginx.ingress_controller.upstream.response.status_code`*::
++
+--
+The status code of the response obtained from the upstream server
+
+
+type: long
+
+--
+
+*`nginx.ingress_controller.http.request.id`*::
++
+--
+The randomly generated ID of the request
+
+
+type: text
+
+--
+
+*`nginx.ingress_controller.upstream.ip`*::
++
+--
+The IP address of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas.
+
+
+type: ip
+
+--
+
+*`nginx.ingress_controller.upstream.port`*::
++
+--
+The port of the upstream server.
+
+
+type: long
+
+--
+
+*`nginx.ingress_controller.body_sent.bytes`*::
++
+--
+type: alias
+
+alias to: http.response.body.bytes
+
+--
+
+*`nginx.ingress_controller.user_name`*::
++
+--
+type: alias
+
+alias to: user.name
+
+--
+
+*`nginx.ingress_controller.method`*::
++
+--
+type: alias
+
+alias to: http.request.method
+
+--
+
+*`nginx.ingress_controller.url`*::
++
+--
+type: alias
+
+alias to: url.original
+
+--
+
+*`nginx.ingress_controller.http_version`*::
++
+--
+type: alias
+
+alias to: http.version
+
+--
+
+*`nginx.ingress_controller.response_code`*::
++
+--
+type: alias
+
+alias to: http.response.status_code
+
+--
+
+*`nginx.ingress_controller.referrer`*::
++
+--
+type: alias
+
+alias to: http.request.referrer
+
+--
+
+*`nginx.ingress_controller.agent`*::
++
+--
+type: alias
+
+alias to: user_agent.original
+
+--
+
+
+*`nginx.ingress_controller.user_agent.device`*::
++
+--
+type: alias
+
+alias to: user_agent.device.name
+
+--
+
+*`nginx.ingress_controller.user_agent.name`*::
++
+--
+type: alias
+
+alias to: user_agent.name
+
+--
+
+*`nginx.ingress_controller.user_agent.os`*::
++
+--
+type: alias
+
+alias to: user_agent.os.full_name
+
+--
+
+*`nginx.ingress_controller.user_agent.os_name`*::
++
+--
+type: alias
+
+alias to: user_agent.os.name
+
+--
+
+*`nginx.ingress_controller.user_agent.original`*::
++
+--
+type: alias
+
+alias to: user_agent.original
+
+--
+
+
+*`nginx.ingress_controller.geoip.continent_name`*::
++
+--
+type: alias
+
+alias to: source.geo.continent_name
+
+--
+
+*`nginx.ingress_controller.geoip.country_iso_code`*::
++
+--
+type: alias
+
+alias to: source.geo.country_iso_code
+
+--
+
+*`nginx.ingress_controller.geoip.location`*::
++
+--
+type: alias
+
+alias to: source.geo.location
+
+--
+
+*`nginx.ingress_controller.geoip.region_name`*::
++
+--
+type: alias
+
+alias to: source.geo.region_name
+
+--
+
+*`nginx.ingress_controller.geoip.city_name`*::
++
+--
+type: alias
+
+alias to: source.geo.city_name
+
+--
+
+*`nginx.ingress_controller.geoip.region_iso_code`*::
++
+--
+type: alias
+
+alias to: source.geo.region_iso_code
+
+--
+
 [[exported-fields-osquery]]
 == Osquery fields
 

diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml
@@ -304,6 +304,14 @@ filebeat.modules:
     # can be added under this section.
     #input:
 
+  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
+  #ingress_controller:
+  #  enabled: false
+  #
+  #  # Set custom paths for the log files. If left empty,
+  #  # Filebeat will choose the paths depending on your OS.
+  #  #var.paths:
+
 #------------------------------- Osquery Module -------------------------------
 - module: osquery
   result:

diff --git a/filebeat/fileset/modules_test.go b/filebeat/fileset/modules_test.go
@@ -56,7 +56,7 @@ func TestNewModuleRegistry(t *testing.T) {
 
 	expectedModules := map[string][]string{
 		"auditd": {"log"},
-		"nginx":  {"access", "error"},
+		"nginx":  {"access", "error", "ingress_controller"},
 		"mysql":  {"slowlog", "error"},
 		"system": {"syslog", "auth"},
 	}

diff --git a/filebeat/module/nginx/_meta/config.reference.yml b/filebeat/module/nginx/_meta/config.reference.yml
@@ -22,3 +22,11 @@
     # Input configuration (advanced). Any input configuration option
     # can be added under this section.
     #input:
+
+  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
+  #ingress_controller:
+  #  enabled: false
+  #
+  #  # Set custom paths for the log files. If left empty,
+  #  # Filebeat will choose the paths depending on your OS.
+  #  #var.paths:
diff --git a/filebeat/module/nginx/_meta/config.yml b/filebeat/module/nginx/_meta/config.yml
@@ -14,3 +14,11 @@
     # Set custom paths for the log files. If left empty,
     # Filebeat will choose the paths depending on your OS.
     #var.paths:
+
+  # Ingress-nginx controller logs. This is disabled by default. It could be used in Kubernetes environments to parse ingress-nginx logs
+  ingress_controller:
+    enabled: false
+
+    # Set custom paths for the log files. If left empty,
+    # Filebeat will choose the paths depending on your OS.
+    #var.paths:
diff --git a/filebeat/module/nginx/fields.go b/filebeat/module/nginx/fields.go