Disable host.* fields by default for Cisco module (elastic#18753)

For the Cisco module when data is forwarded to Filebeat from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.

Relates: elastic#13920
(cherry picked from commit 047a35b)

Author: andrewkroh

CHANGELOG.next.asciidoc

@@ -38,6 +38,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve ECS field mappings in panw module.  event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910]
 - Improve ECS categorization field mappings for nginx module. http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844]
 - Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982]
+- With the default configuration the following modules will no longer send the `host`
+  field. You can revert this change by configuring tags for the module and omitting
+  `forwarded` from the list. {issue}13920[13920]
+* Cisco {pull}18753[18753]
 - Preserve case of http.request.method.  ECS prior to 1.6 specified normalizing to lowercase, which lost information. Affects filesets: apache/access, elasticsearch/audit, iis/access, iis/error, nginx/access, nginx/ingress_controller, aws/elb, suricata/eve, zeek/http. {issue}18154[18154] {pull}18359[18359]
 
 *Heartbeat*

filebeat/docs/modules/cisco.asciidoc

@@ -104,6 +104,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9001.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-asa, forwarded]`.
+
 :has-dashboards!:
 
 :fileset_ex!:
@@ -246,6 +252,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9003.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ftd, forwarded]`.
+
 :has-dashboards!:
 
 :fileset_ex!:
@@ -277,6 +289,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9002.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ios, forwarded]`.
+
 include::../include/timezone-support.asciidoc[]
 
 :has-dashboards!:
@@ -287,10 +305,10 @@ include::../include/timezone-support.asciidoc[]
 [[dynamic-script-compilations]]
 === Dynamic Script Compilations
 
-The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and 
-make extensive use of script processors and painless conditions. This can cause 
+The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and
+make extensive use of script processors and painless conditions. This can cause
 the pipelines to fail loading the first time the module is used, due to exceeding
-the maximum script compilation limits. It is recommended to tune the following 
+the maximum script compilation limits. It is recommended to tune the following
 parameters on your Elasticsearch cluster:
 
 - {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]:

x-pack/filebeat/module/cisco/_meta/docs.asciidoc

@@ -99,6 +99,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9001.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-asa, forwarded]`.
+
 :has-dashboards!:
 
 :fileset_ex!:
@@ -241,6 +247,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9003.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ftd, forwarded]`.
+
 :has-dashboards!:
 
 :fileset_ex!:
@@ -272,6 +284,12 @@ Set to 0.0.0.0 to bind to all available interfaces.
 
 The UDP port to listen for syslog traffic. Defaults to 9002.
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Defaults to `[cisco-ios, forwarded]`.
+
 include::../include/timezone-support.asciidoc[]
 
 :has-dashboards!:
@@ -282,10 +300,10 @@ include::../include/timezone-support.asciidoc[]
 [[dynamic-script-compilations]]
 === Dynamic Script Compilations
 
-The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and 
-make extensive use of script processors and painless conditions. This can cause 
+The `asa` and `ftd` filesets are based on Elasticsearch ingest pipelines and
+make extensive use of script processors and painless conditions. This can cause
 the pipelines to fail loading the first time the module is used, due to exceeding
-the maximum script compilation limits. It is recommended to tune the following 
+the maximum script compilation limits. It is recommended to tune the following
 parameters on your Elasticsearch cluster:
 
 - {ref}/circuit-breaker.html#script-compilation-circuit-breaker[script.max_compilations_rate]:

x-pack/filebeat/module/cisco/asa/config/input.yml

@@ -15,7 +15,8 @@ exclude_files: [".gz$"]
 
 {{ end }}
 
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
   - add_locale: ~

x-pack/filebeat/module/cisco/asa/manifest.yml

@@ -5,7 +5,7 @@ var:
     default:
       - /var/log/cisco-asa.log
   - name: tags
-    default: [cisco-asa]
+    default: [cisco-asa, forwarded]
   - name: syslog_host
     default: localhost
   - name: syslog_port