From c41db814b6af64822d637ce42c090c1bd97424bf Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Thu, 9 May 2024 14:09:17 -0700
Subject: [PATCH 1/2] Remove fields not needed for session view

In order to reduce event data size, remove all fields from the add_session_metadata processor that is not required for the Kibana session viewer. The unnecessary fields that are removed are thread and tty fields.
---
 .../processors/sessionmd/types/process.go | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/x-pack/auditbeat/processors/sessionmd/types/process.go b/x-pack/auditbeat/processors/sessionmd/types/process.go
index daf989ef3cd..8f52a9c5aa5 100644
--- a/x-pack/auditbeat/processors/sessionmd/types/process.go
+++ b/x-pack/auditbeat/processors/sessionmd/types/process.go
@@ -356,18 +356,6 @@ func (p *Process) ToMap() mapstr.M {
 "pid": p.PID,
 "vpid": p.Vpid,
 "args": p.Args,
- "thread": mapstr.M{
- "capabilities": mapstr.M{
- "permitted": p.Thread.Capabilities.Permitted,
- "effective": p.Thread.Capabilities.Effective,
- },
- },
- "tty": mapstr.M{
- "char_device": mapstr.M{
- "major": p.TTY.CharDevice.Major,
- "minor": p.TTY.CharDevice.Minor,
- },
- },
 "parent": mapstr.M{
 "entity_id": p.Parent.EntityID,
 "executable": p.Parent.Executable,
@@ -384,12 +372,6 @@ func (p *Process) ToMap() mapstr.M {
 },
 "pid": p.Parent.PID,
 "args": p.Parent.Args,
- "thread": mapstr.M{
- "capabilities": mapstr.M{
- "permitted": p.Parent.Thread.Capabilities.Permitted,
- "effective": p.Parent.Thread.Capabilities.Effective,
- },
- },
 },
 "group_leader": mapstr.M{
 "entity_id": p.GroupLeader.EntityID,
From 7c387cad9f2e67be4017845ff01b5f5410291d76 Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Thu, 9 May 2024 14:27:30 -0700
Subject: [PATCH 2/2] update changelog

---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 58ce7ac0f65..40fd34b15e1 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -202,6 +202,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff] - Add container id to file events (Linux only, eBPF backend). {pull}38328[38328] - Add procfs backend to the `add_session_metadata` processor. {pull}38799[38799] - Add process.entity_id, process.group.name and process.group.id in add_process_metadata processor. Make fim module with kprobes backend to always add an appropriately configured add_process_metadata processor to enrich file events {pull}38776[38776] +- Reduce data size for add_session_metadata processor by removing unneeded fields {pull}39500[39500] *Filebeat*