Remove ReplaceFields config from add_session_metadata processor (#39134)

The ReplaceFields config option was used to support compatibility with session viewer in Kibana that didn't support auditbeat fields. Kibana has now been updated, and this config option isn't needed.
elastic · Apr 22, 2024 · b34334f · b34334f
1 parent b04f48b
commit b34334f
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 63 deletions.
diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"reflect"
 	"strconv"
-	"time"
 
 	"github.com/elastic/beats/v7/libbeat/beat"
 	"github.com/elastic/beats/v7/libbeat/processors"
@@ -113,8 +112,8 @@ func (p *addSessionMetadata) Run(ev *beat.Event) (*beat.Event, error) {
 }
 
 func (p *addSessionMetadata) String() string {
-	return fmt.Sprintf("%v=[backend=%s, pid_field=%s, replace_fields=%t]",
-		processorName, p.config.Backend, p.config.PIDField, p.config.ReplaceFields)
+	return fmt.Sprintf("%v=[backend=%s, pid_field=%s]",
+		processorName, p.config.Backend, p.config.PIDField)
 }
 
 func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
@@ -148,12 +147,6 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 		return nil, fmt.Errorf("merging enriched fields with event: %w", err)
 	}
 	result.Fields["process"] = m
-
-	if p.config.ReplaceFields {
-		if err := p.replaceFields(result); err != nil {
-			return nil, fmt.Errorf("replace fields: %w", err)
-		}
-	}
 	return result, nil
 }
 
@@ -184,40 +177,6 @@ func pidToUInt32(value interface{}) (pid uint32, err error) {
 	return pid, nil
 }
 
-// replaceFields replaces event fields with values suitable user with the session viewer in Kibana
-// The current version of session view in Kibana expects different values than what are used by auditbeat
-// for some fields. This function converts these field to have values that will work with session view.
-//
-// This function is temporary, and can be removed when this Kibana issue is completed: https://github.com/elastic/kibana/issues/179396.
-func (p *addSessionMetadata) replaceFields(ev *beat.Event) error {
-	kind, err := ev.Fields.GetValue("event.kind")
-	if err != nil {
-		return err
-	}
-	isAuditdEvent, err := ev.Fields.HasKey("auditd")
-	if err != nil {
-		return err
-	}
-	if kind == "event" && isAuditdEvent {
-		// process start
-		syscall, err := ev.Fields.GetValue("auditd.data.syscall")
-		if err != nil {
-			return nil //nolint:nilerr // processor can be called on unsupported events; not an error
-		}
-		switch syscall {
-		case "execveat", "execve":
-			ev.Fields.Put("event.action", []string{"exec", "fork"})
-			ev.Fields.Put("event.type", []string{"start"})
-
-		case "exit_group":
-			ev.Fields.Put("event.action", []string{"end"})
-			ev.Fields.Put("event.type", []string{"end"})
-			ev.Fields.Put("process.end", time.Now())
-		}
-	}
-	return nil
-}
-
 func tryToMapStr(v interface{}) (mapstr.M, bool) {
 	switch m := v.(type) {
 	case mapstr.M:

diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go
@@ -32,8 +32,7 @@ var (
 		{
 			testName: "enrich process",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			mockProcesses: []types.ProcessExecEvent{
 				{
@@ -94,8 +93,7 @@ var (
 		{
 			testName: "no PID field in event",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -113,8 +111,7 @@ var (
 		{
 			testName: "PID not number",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -133,8 +130,7 @@ var (
 		{
 			testName: "PID not in DB",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -154,8 +150,7 @@ var (
 			testName: "process field not in event",
 			// This event, without a "process" field, is not supported by enrich, it should be handled gracefully
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "action.pid",
+				PIDField: "action.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -170,8 +165,7 @@ var (
 			testName: "process field not mapstr",
 			// Unsupported process field type should be handled gracefully
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "action.pid",
+				PIDField: "action.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -189,8 +183,7 @@ var (
 		{
 			testName: "enrich event with map[string]any process field",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			mockProcesses: []types.ProcessExecEvent{
 				{

diff --git a/x-pack/auditbeat/processors/sessionmd/config.go b/x-pack/auditbeat/processors/sessionmd/config.go
@@ -8,15 +8,13 @@ package sessionmd
 
 // Config for add_session_metadata processor.
 type config struct {
-	Backend       string `config:"backend"`
-	ReplaceFields bool   `config:"replace_fields"`
-	PIDField      string `config:"pid_field"`
+	Backend  string `config:"backend"`
+	PIDField string `config:"pid_field"`
 }
 
 func defaultConfig() config {
 	return config{
-		Backend:       "auto",
-		ReplaceFields: false,
-		PIDField:      "process.pid",
+		Backend:  "auto",
+		PIDField: "process.pid",
 	}
 }