Skip to content

Commit

Permalink
Remove fields not needed for session view in add_session_view process…
Browse files Browse the repository at this point in the history
…or (#39500)

In order to reduce event data size, remove all fields from the add_session_metadata processor that are not required for the Kibana session viewer to function.

The unnecessary fields that are removed here are thread and tty fields.
  • Loading branch information
mjwolf authored May 9, 2024
1 parent cc35cce commit 239deef
Show file tree
Hide file tree
Showing 2 changed files with 1 addition and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -204,6 +204,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Add container id to file events (Linux only, eBPF backend). {pull}38328[38328]
- Add procfs backend to the `add_session_metadata` processor. {pull}38799[38799]
- Add process.entity_id, process.group.name and process.group.id in add_process_metadata processor. Make fim module with kprobes backend to always add an appropriately configured add_process_metadata processor to enrich file events {pull}38776[38776]
- Reduce data size for add_session_metadata processor by removing unneeded fields {pull}39500[39500]

*Auditbeat*

Expand Down
18 changes: 0 additions & 18 deletions x-pack/auditbeat/processors/sessionmd/types/process.go
Original file line number Diff line number Diff line change
Expand Up @@ -356,18 +356,6 @@ func (p *Process) ToMap() mapstr.M {
"pid": p.PID,
"vpid": p.Vpid,
"args": p.Args,
"thread": mapstr.M{
"capabilities": mapstr.M{
"permitted": p.Thread.Capabilities.Permitted,
"effective": p.Thread.Capabilities.Effective,
},
},
"tty": mapstr.M{
"char_device": mapstr.M{
"major": p.TTY.CharDevice.Major,
"minor": p.TTY.CharDevice.Minor,
},
},
"parent": mapstr.M{
"entity_id": p.Parent.EntityID,
"executable": p.Parent.Executable,
Expand All @@ -384,12 +372,6 @@ func (p *Process) ToMap() mapstr.M {
},
"pid": p.Parent.PID,
"args": p.Parent.Args,
"thread": mapstr.M{
"capabilities": mapstr.M{
"permitted": p.Parent.Thread.Capabilities.Permitted,
"effective": p.Parent.Thread.Capabilities.Effective,
},
},
},
"group_leader": mapstr.M{
"entity_id": p.GroupLeader.EntityID,
Expand Down

0 comments on commit 239deef

Please sign in to comment.