Remove fields not needed for session view

In order to reduce event data size, remove all fields from the add_session_metadata processor that is not required for the Kibana session viewer. The unnecessary fields that are removed are thread and tty fields.
elastic · May 9, 2024 · c41db81 · c41db81
1 parent 726f6e9
commit c41db81
Showing 1 changed file with 0 additions and 18 deletions.
diff --git a/x-pack/auditbeat/processors/sessionmd/types/process.go b/x-pack/auditbeat/processors/sessionmd/types/process.go
@@ -356,18 +356,6 @@ func (p *Process) ToMap() mapstr.M {
 		"pid":  p.PID,
 		"vpid": p.Vpid,
 		"args": p.Args,
-		"thread": mapstr.M{
-			"capabilities": mapstr.M{
-				"permitted": p.Thread.Capabilities.Permitted,
-				"effective": p.Thread.Capabilities.Effective,
-			},
-		},
-		"tty": mapstr.M{
-			"char_device": mapstr.M{
-				"major": p.TTY.CharDevice.Major,
-				"minor": p.TTY.CharDevice.Minor,
-			},
-		},
 		"parent": mapstr.M{
 			"entity_id":         p.Parent.EntityID,
 			"executable":        p.Parent.Executable,
@@ -384,12 +372,6 @@ func (p *Process) ToMap() mapstr.M {
 			},
 			"pid":  p.Parent.PID,
 			"args": p.Parent.Args,
-			"thread": mapstr.M{
-				"capabilities": mapstr.M{
-					"permitted": p.Parent.Thread.Capabilities.Permitted,
-					"effective": p.Parent.Thread.Capabilities.Effective,
-				},
-			},
 		},
 		"group_leader": mapstr.M{
 			"entity_id":         p.GroupLeader.EntityID,