From 239deefcd708128a83a87f8762927972adf901b9 Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Thu, 9 May 2024 15:44:55 -0700
Subject: [PATCH] Remove fields not needed for session view in add_session_view processor (#39500)

In order to reduce event data size, remove all fields from the add_session_metadata processor that are not required for the Kibana session viewer to function. The unnecessary fields that are removed here are thread and tty fields.

---
 CHANGELOG.next.asciidoc | 1 +
 .../processors/sessionmd/types/process.go | 18 ------------------
 2 files changed, 1 insertion(+), 18 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4538758b813..a92b42f697d 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -204,6 +204,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Add container id to file events (Linux only, eBPF backend). {pull}38328[38328]
 - Add procfs backend to the `add_session_metadata` processor. {pull}38799[38799]
 - Add process.entity_id, process.group.name and process.group.id in add_process_metadata processor. Make fim module with kprobes backend to always add an appropriately configured add_process_metadata processor to enrich file events {pull}38776[38776]
+- Reduce data size for add_session_metadata processor by removing unneeded fields {pull}39500[39500]
 
 *Auditbeat*
 
diff --git a/x-pack/auditbeat/processors/sessionmd/types/process.go b/x-pack/auditbeat/processors/sessionmd/types/process.go
index daf989ef3cd..8f52a9c5aa5 100644
--- a/x-pack/auditbeat/processors/sessionmd/types/process.go
+++ b/x-pack/auditbeat/processors/sessionmd/types/process.go
@@ -356,18 +356,6 @@ func (p *Process) ToMap() mapstr.M {
 "pid": p.PID,
 "vpid": p.Vpid,
 "args": p.Args,
-"thread": mapstr.M{
-"capabilities": mapstr.M{
-"permitted": p.Thread.Capabilities.Permitted,
-"effective": p.Thread.Capabilities.Effective,
-},
-},
-"tty": mapstr.M{
-"char_device": mapstr.M{
-"major": p.TTY.CharDevice.Major,
-"minor": p.TTY.CharDevice.Minor,
-},
-},
 "parent": mapstr.M{
 "entity_id": p.Parent.EntityID,
 "executable": p.Parent.Executable,
@@ -384,12 +372,6 @@ func (p *Process) ToMap() mapstr.M {
 },
 "pid": p.Parent.PID,
 "args": p.Parent.Args,
-"thread": mapstr.M{
-"capabilities": mapstr.M{
-"permitted": p.Parent.Thread.Capabilities.Permitted,
-"effective": p.Parent.Thread.Capabilities.Effective,
-},
-},
 },
 "group_leader": mapstr.M{
 "entity_id": p.GroupLeader.EntityID,
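Review bot: Dropping `thread.capabilities.permitted`/`effective` and `tty.char_device` from the map emitted by `ToMap` changes the event schema this processor produces, and nothing in the function or the changelog entry records that these fields are now intentionally omitted; capability fields in particular are the kind of telemetry that privilege-escalation detections may key on, so a consumer relying on them would lose coverage silently. I would add a doc comment above `ToMap` such as `// ToMap serializes only the fields the Kibana session viewer needs; thread capabilities and tty data are intentionally omitted to reduce event size.` so the next maintainer does not re-add them or expect them downstream. The changelog line should also be worded as a breaking change that names the removed fields rather than as a plain size reduction. `ToMap` begins before the first hunk and continues past the second, so the remaining emitted fields are not visible here.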