From c41db814b6af64822d637ce42c090c1bd97424bf Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Thu, 9 May 2024 14:09:17 -0700
Subject: [PATCH] Remove fields not needed for session view

In order to reduce event data size, remove all fields from the add_session_metadata processor that is not required for the Kibana session viewer. The unnecessary fields that are removed are thread and tty fields.
---
 .../processors/sessionmd/types/process.go | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/x-pack/auditbeat/processors/sessionmd/types/process.go b/x-pack/auditbeat/processors/sessionmd/types/process.go
index daf989ef3cd..8f52a9c5aa5 100644
--- a/x-pack/auditbeat/processors/sessionmd/types/process.go
+++ b/x-pack/auditbeat/processors/sessionmd/types/process.go
@@ -356,18 +356,6 @@ func (p *Process) ToMap() mapstr.M {
 "pid": p.PID,
 "vpid": p.Vpid,
 "args": p.Args,
- "thread": mapstr.M{
- "capabilities": mapstr.M{
- "permitted": p.Thread.Capabilities.Permitted,
- "effective": p.Thread.Capabilities.Effective,
- },
- },
- "tty": mapstr.M{
- "char_device": mapstr.M{
- "major": p.TTY.CharDevice.Major,
- "minor": p.TTY.CharDevice.Minor,
- },
- },
 "parent": mapstr.M{
 "entity_id": p.Parent.EntityID,
 "executable": p.Parent.Executable,
@@ -384,12 +372,6 @@ func (p *Process) ToMap() mapstr.M {
 },
 "pid": p.Parent.PID,
 "args": p.Parent.Args,
- "thread": mapstr.M{
- "capabilities": mapstr.M{
- "permitted": p.Parent.Thread.Capabilities.Permitted,
- "effective": p.Parent.Thread.Capabilities.Effective,
- },
- },
 },
 "group_leader": mapstr.M{
 "entity_id": p.GroupLeader.EntityID,