diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f79ddc23a865..6ed8f7a4bdf0 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -430,6 +430,7 @@ otherwise no tag is added. {issue}42208[42208] {pull}42403[42403]
 - Update beat module with apm-server tail sampling monitoring metrics fields {pull}42569[42569]
 - Log every 401 response from Kubernetes API Server {pull}42714[42714]
 - Add a new `match_by_parent_instance` option to `perfmon` module. {pull}43002[43002]
+- Add a warning log to metricbeat.vsphere in case vSphere connection has been configured as insecure. {pull}43104[43104]
 *Metricbeat*
 - Add benchmark module {pull}41801[41801]
diff --git a/metricbeat/module/vsphere/cluster/cluster.go b/metricbeat/module/vsphere/cluster/cluster.go
index 24f7095c1864..6c8e11963fd3 100644
--- a/metricbeat/module/vsphere/cluster/cluster.go
+++ b/metricbeat/module/vsphere/cluster/cluster.go
@@ -25,6 +25,7 @@ import (
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/module/vsphere"
+ "github.com/elastic/beats/v7/metricbeat/module/vsphere/security"
 "github.com/vmware/govmomi"
 "github.com/vmware/govmomi/property"
@@ -75,6 +76,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 if err != nil {
 return nil, err
 }
+
+ security.WarnIfInsecure(ms.Logger(), "cluster", ms.Insecure)
 return &ClusterMetricSet{ms}, nil
 }
diff --git a/metricbeat/module/vsphere/datastore/datastore.go b/metricbeat/module/vsphere/datastore/datastore.go
index a7359d20e5bd..302003946818 100644
--- a/metricbeat/module/vsphere/datastore/datastore.go
+++ b/metricbeat/module/vsphere/datastore/datastore.go
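Review bot: The metricset name is passed as a hand-typed literal (`"cluster"` in cluster.go's `New`), and the same pattern repeats in the `New` hunks of datastore.go, datastorecluster.go, host.go, network.go, resourcepool.go and virtualmachine.go, so a metricset added later can miss the warning or log it under the wrong name. Taking the name from the framework, `security.WarnIfInsecure(ms.Logger(), base.Name(), ms.Insecure)`, removes the literals. Issuing the warning from the shared constructor that builds `ms` (not visible in these hunks) would also keep the per-metricset call sites from drifting. `New` begins above the hunk, so the constructor call itself is not shown.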
@@ -25,6 +25,7 @@ import (
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/module/vsphere"
+ "github.com/elastic/beats/v7/metricbeat/module/vsphere/security"
 "github.com/vmware/govmomi"
 "github.com/vmware/govmomi/performance"
@@ -52,6 +53,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 if err != nil {
 return nil, err
 }
+
+ security.WarnIfInsecure(ms.Logger(), "datastore", ms.Insecure)
 return &DataStoreMetricSet{ms}, nil
 }
diff --git a/metricbeat/module/vsphere/datastorecluster/datastorecluster.go b/metricbeat/module/vsphere/datastorecluster/datastorecluster.go
index 3a24b4c1aaf9..2b73f54f84c7 100644
--- a/metricbeat/module/vsphere/datastorecluster/datastorecluster.go
+++ b/metricbeat/module/vsphere/datastorecluster/datastorecluster.go
@@ -28,6 +28,8 @@ import (
 "github.com/vmware/govmomi/vim25/mo"
 "github.com/vmware/govmomi/vim25/types"
+ "github.com/elastic/beats/v7/metricbeat/module/vsphere/security"
+
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/module/vsphere"
@@ -56,6 +58,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 if err != nil {
 return nil, fmt.Errorf("failed to create vSphere metricset: %w", err)
 }
+
+ security.WarnIfInsecure(ms.Logger(), "datastorecluster", ms.Insecure)
 return &DatastoreClusterMetricSet{ms}, nil
 }
diff --git a/metricbeat/module/vsphere/host/host.go b/metricbeat/module/vsphere/host/host.go
index 59846ae4b2a5..d57a7dfa7ebf 100644
--- a/metricbeat/module/vsphere/host/host.go
+++ b/metricbeat/module/vsphere/host/host.go
@@ -25,6 +25,7 @@ import (
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/module/vsphere"
+ "github.com/elastic/beats/v7/metricbeat/module/vsphere/security"
 "github.com/vmware/govmomi"
 "github.com/vmware/govmomi/performance"
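Review bot: In the import hunk of datastorecluster.go the new `security` import appears to be added together with a blank line, which leaves it in a group of its own between the govmomi imports and the other `github.com/elastic/beats/v7` imports; the import hunks of network.go and resourcepool.go do the same. Placing it directly after `"github.com/elastic/beats/v7/metricbeat/module/vsphere"`, as cluster.go, datastore.go and host.go do, keeps one group per origin and drops the extra blank line.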
@@ -52,6 +53,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 if err != nil {
 return nil, err
 }
+
+ security.WarnIfInsecure(ms.Logger(), "host", ms.Insecure)
 return &HostMetricSet{ms}, nil
 }
diff --git a/metricbeat/module/vsphere/network/network.go b/metricbeat/module/vsphere/network/network.go
index e5518da6eedf..bbaf5de55c18 100644
--- a/metricbeat/module/vsphere/network/network.go
+++ b/metricbeat/module/vsphere/network/network.go
@@ -28,6 +28,8 @@ import (
 "github.com/vmware/govmomi/vim25/mo"
 "github.com/vmware/govmomi/vim25/types"
+ "github.com/elastic/beats/v7/metricbeat/module/vsphere/security"
+
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/module/vsphere"
@@ -55,6 +57,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 if err != nil {
 return nil, fmt.Errorf("failed to create vSphere metricset: %w", err)
 }
+
+ security.WarnIfInsecure(ms.Logger(), "network", ms.Insecure)
 return &NetworkMetricSet{ms}, nil
 }
diff --git a/metricbeat/module/vsphere/resourcepool/resourcepool.go b/metricbeat/module/vsphere/resourcepool/resourcepool.go
index 7d0f44156d85..88cdde81baaa 100644
--- a/metricbeat/module/vsphere/resourcepool/resourcepool.go
+++ b/metricbeat/module/vsphere/resourcepool/resourcepool.go
@@ -28,6 +28,8 @@ import (
 "github.com/vmware/govmomi/vim25/mo"
 "github.com/vmware/govmomi/vim25/types"
+ "github.com/elastic/beats/v7/metricbeat/module/vsphere/security"
+
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/module/vsphere"
@@ -56,6 +58,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 if err != nil {
 return nil, err
 }
+
+ security.WarnIfInsecure(ms.Logger(), "resourcepool", ms.Insecure)
 return &ResourcePoolMetricSet{ms}, nil
 }
diff --git a/metricbeat/module/vsphere/security/logging.go b/metricbeat/module/vsphere/security/logging.go
new file mode 100644
index 000000000000..0e9a3b09af2e
--- /dev/null
+++ b/metricbeat/module/vsphere/security/logging.go
@@ -0,0 +1,26 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package security
+
+import "github.com/elastic/elastic-agent-libs/logp"
+
+func WarnIfInsecure(logger *logp.Logger, metricSet string, isInsecure bool) {
+ if isInsecure {
+ logger.With("metricset", metricSet).Warn("Your vSphere connection is configured as insecure. This can lead to man-in-the-middle attack.")
+ }
+}
diff --git a/metricbeat/module/vsphere/virtualmachine/virtualmachine.go b/metricbeat/module/vsphere/virtualmachine/virtualmachine.go
index 437f75fe2071..f1080d496e21 100644
--- a/metricbeat/module/vsphere/virtualmachine/virtualmachine.go
+++ b/metricbeat/module/vsphere/virtualmachine/virtualmachine.go
@@ -26,6 +26,7 @@ import (
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/metricbeat/module/vsphere"
+ "github.com/elastic/beats/v7/metricbeat/module/vsphere/security"
 "github.com/elastic/elastic-agent-libs/mapstr"
 "github.com/vmware/govmomi"
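Review bot: The warning text in `WarnIfInsecure` (security/logging.go) does not tell the operator what protection is switched off or which setting to change, and the exported function has no doc comment. `isInsecure` presumably mirrors the module's `insecure` option, which is defined outside this diff; if so, a message such as `"vSphere connection has TLS certificate verification disabled (insecure is set); the server identity is not checked and credentials can be intercepted"` is easier to act on. I would also add `// WarnIfInsecure logs a warning on logger, tagged with the metricset name, when isInsecure is true.` above the function, plus a one-line package comment for `security`.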
@@ -94,6 +95,8 @@ func New(base mb.BaseMetricSet) (mb.MetricSet, error) {
 if err := base.Module().UnpackConfig(&config); err != nil {
 return nil, err
 }
+
+ security.WarnIfInsecure(ms.Logger(), "virtualmachine", ms.Insecure)
 return &MetricSet{
 MetricSet: ms,
 GetCustomFields: config.GetCustomFields,