Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Auditd] Populate process.args array with process arguments #2730

Merged
merged 4 commits into from
Feb 23, 2022
Merged

[Auditd] Populate process.args array with process arguments #2730

merged 4 commits into from
Feb 23, 2022

Conversation

adriansr
Copy link
Contributor

@adriansr adriansr commented Feb 22, 2022
edited
Loading

What does this PR do?

Prevents the indices exceeding the 10,000 field limit due to an arbitrarily large number of auditd.log.aNNN fields.
Also removes the unnecessary setter for event.ingested.

Easier to review by looking at each commit independently.

The first one just removes event.original and re-generates logs, which has the annoying side-effect of sorting the generated docs by key, creating a lot of noise.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

This is a combination of the following Filebeat module fixes:

@adriansr
Remove event.ingested
cae8782
@adriansr
auditd - Store program arguments in process.args array
2185d2a 
Prevents the indices exceeding the 10,000 field limit due to an
arbitrarily large number of aNN fields.

This is a combination of the following Filebeat module fixes:
 - elastic/beats#29601
 - elastic/beats#30382
@adriansr
Update version to 2.1.0
042a227
@adriansr adriansr changed the title Auditd process args Auditd - Populate process.args array with process arguments Feb 22, 2022
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@adriansr adriansr changed the title Auditd - Populate process.args array with process arguments [Auditd] Populate process.args array with process arguments Feb 22, 2022
@elasticmachine
Copy link

elasticmachine commented Feb 22, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-02-23T14:50:38.741+0000

  • Duration: 22 min 43 sec

Test stats 🧪

Test Results
Failed 0
Passed 14
Skipped 0
Total 14

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

efd6
efd6 approved these changes Feb 22, 2022
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after minor issue is fixed.

packages/auditd/changelog.yml
@@ -1,4 +1,8 @@
# newer versions go on top
- version: "2.1.0"
- description: Store EXECVE arguments in process.args array.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing changes: line.

@adriansr adriansr merged commit c91d581 into elastic:main Feb 23, 2022
@adriansr adriansr deleted the auditd_process_args branch February 23, 2022 16:07
@andrewkroh andrewkroh mentioned this pull request Feb 28, 2022
Merged
eyalkraft pushed a commit to build-security/integrations that referenced this pull request Mar 30, 2022
@adriansr
[Auditd] Populate process.args array with process arguments (elastic#…
6e9cc5f 
…2730)

Prevents the indices exceeding the 10,000 field limit due to an
arbitrarily large number of aNN fields.

This is a combination of the following Filebeat module fixes:
 - elastic/beats#29601
 - elastic/beats#30382

Updates version to 2.1.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request Integration:auditd Auditd Logs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adriansr @elasticmachine @efd6