diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go index efcfdc96778..5b934980494 100644 --- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go +++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go @@ -11,7 +11,6 @@ import ( "fmt" "reflect" "strconv" - "time" "github.com/elastic/beats/v7/libbeat/beat" "github.com/elastic/beats/v7/libbeat/processors" @@ -113,8 +112,8 @@ func (p *addSessionMetadata) Run(ev *beat.Event) (*beat.Event, error) { } func (p *addSessionMetadata) String() string { - return fmt.Sprintf("%v=[backend=%s, pid_field=%s, replace_fields=%t]", - processorName, p.config.Backend, p.config.PIDField, p.config.ReplaceFields) + return fmt.Sprintf("%v=[backend=%s, pid_field=%s]", + processorName, p.config.Backend, p.config.PIDField) } func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) { @@ -148,12 +147,6 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) { return nil, fmt.Errorf("merging enriched fields with event: %w", err) } result.Fields["process"] = m - - if p.config.ReplaceFields { - if err := p.replaceFields(result); err != nil { - return nil, fmt.Errorf("replace fields: %w", err) - } - } return result, nil } @@ -184,40 +177,6 @@ func pidToUInt32(value interface{}) (pid uint32, err error) { return pid, nil } -// replaceFields replaces event fields with values suitable user with the session viewer in Kibana -// The current version of session view in Kibana expects different values than what are used by auditbeat -// for some fields. This function converts these field to have values that will work with session view. -// -// This function is temporary, and can be removed when this Kibana issue is completed: https://github.com/elastic/kibana/issues/179396. -func (p *addSessionMetadata) replaceFields(ev *beat.Event) error { - kind, err := ev.Fields.GetValue("event.kind") - if err != nil { - return err - } - isAuditdEvent, err := ev.Fields.HasKey("auditd") - if err != nil { - return err - } - if kind == "event" && isAuditdEvent { - // process start - syscall, err := ev.Fields.GetValue("auditd.data.syscall") - if err != nil { - return nil //nolint:nilerr // processor can be called on unsupported events; not an error - } - switch syscall { - case "execveat", "execve": - ev.Fields.Put("event.action", []string{"exec", "fork"}) - ev.Fields.Put("event.type", []string{"start"}) - - case "exit_group": - ev.Fields.Put("event.action", []string{"end"}) - ev.Fields.Put("event.type", []string{"end"}) - ev.Fields.Put("process.end", time.Now()) - } - } - return nil -} - func tryToMapStr(v interface{}) (mapstr.M, bool) { switch m := v.(type) { case mapstr.M: diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go index 1ef06c92b2e..602f80f5836 100644 --- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go +++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go @@ -32,8 +32,7 @@ var ( { testName: "enrich process", config: config{ - ReplaceFields: false, - PIDField: "process.pid", + PIDField: "process.pid", }, mockProcesses: []types.ProcessExecEvent{ { @@ -94,8 +93,7 @@ var ( { testName: "no PID field in event", config: config{ - ReplaceFields: false, - PIDField: "process.pid", + PIDField: "process.pid", }, input: beat.Event{ Fields: mapstr.M{ @@ -113,8 +111,7 @@ var ( { testName: "PID not number", config: config{ - ReplaceFields: false, - PIDField: "process.pid", + PIDField: "process.pid", }, input: beat.Event{ Fields: mapstr.M{ @@ -133,8 +130,7 @@ var ( { testName: "PID not in DB", config: config{ - ReplaceFields: false, - PIDField: "process.pid", + PIDField: "process.pid", }, input: beat.Event{ Fields: mapstr.M{ @@ -154,8 +150,7 @@ var ( testName: "process field not in event", // This event, without a "process" field, is not supported by enrich, it should be handled gracefully config: config{ - ReplaceFields: false, - PIDField: "action.pid", + PIDField: "action.pid", }, input: beat.Event{ Fields: mapstr.M{ @@ -170,8 +165,7 @@ var ( testName: "process field not mapstr", // Unsupported process field type should be handled gracefully config: config{ - ReplaceFields: false, - PIDField: "action.pid", + PIDField: "action.pid", }, input: beat.Event{ Fields: mapstr.M{ @@ -189,8 +183,7 @@ var ( { testName: "enrich event with map[string]any process field", config: config{ - ReplaceFields: false, - PIDField: "process.pid", + PIDField: "process.pid", }, mockProcesses: []types.ProcessExecEvent{ { diff --git a/x-pack/auditbeat/processors/sessionmd/config.go b/x-pack/auditbeat/processors/sessionmd/config.go index 31c07c9065f..1aaa354c97d 100644 --- a/x-pack/auditbeat/processors/sessionmd/config.go +++ b/x-pack/auditbeat/processors/sessionmd/config.go @@ -8,15 +8,13 @@ package sessionmd // Config for add_session_metadata processor. type config struct { - Backend string `config:"backend"` - ReplaceFields bool `config:"replace_fields"` - PIDField string `config:"pid_field"` + Backend string `config:"backend"` + PIDField string `config:"pid_field"` } func defaultConfig() config { return config{ - Backend: "auto", - ReplaceFields: false, - PIDField: "process.pid", + Backend: "auto", + PIDField: "process.pid", } }