[Filebeat] journald input - map linux capabilities to ECS #36454

andrewkroh · 2023-08-29T19:28:40Z

Describe the enhancement:

journald has a _CAP_EFFECTIVE field ¹. This could be used to populate the ECS 8.10 process.thread.capabilities.effective field from the journald input code.

Here is a sample event is export format that contains _CAP_EFFECTIVE: journald.export.txt

Describe a specific use case for the enhancement or feature:

Our software should be aligned to ECS where possible. Formatting the data in the same way makes is possible to uniformly query all processes data that mentions a given Linux capability.

https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html#Trusted%20Journal%20Fields ↩

The text was updated successfully, but these errors were encountered:

elasticmachine · 2023-08-29T19:28:44Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

andrewkroh added enhancement ecs Team:Security-External Integrations labels Aug 29, 2023

andrewkroh added Team:Security-Linux Platform Linux Platform Team in Security Solution and removed Team:Security-External Integrations labels Aug 29, 2023

efd6 self-assigned this Aug 30, 2023

efd6 mentioned this issue Aug 30, 2023

filebeat/input/internal/journald/pkg/journaldfield: add support for capability rendering #36470

Merged

6 tasks

efd6 closed this as completed in #36470 Sep 5, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Filebeat] journald input - map linux capabilities to ECS #36454

[Filebeat] journald input - map linux capabilities to ECS #36454

andrewkroh commented Aug 29, 2023

elasticmachine commented Aug 29, 2023

[Filebeat] journald input - map linux capabilities to ECS #36454

[Filebeat] journald input - map linux capabilities to ECS #36454

Comments

andrewkroh commented Aug 29, 2023

Footnotes

elasticmachine commented Aug 29, 2023