From 2b2e7a5ebeeff560b25b151efa2636df89f680cb Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Mon, 8 Apr 2024 10:45:47 -0700
Subject: [PATCH] Remove ReplaceFields config from add_session_metadata processor

The ReplaceFields config option was used to support compatibility with session viewer in Kibana that didn't support auditbeat fields. Kibana has now been updated, and this config option isn't needed.
---
 .../sessionmd/add_session_metadata.go        | 45 +------------------
 .../sessionmd/add_session_metadata_test.go   | 21 +++------
 .../auditbeat/processors/sessionmd/config.go | 10 ++---
 3 files changed, 13 insertions(+), 63 deletions(-)

diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
index 50636f9d476..14ee3d3707a 100644
--- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
+++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"reflect"
 	"strconv"
-	"time"
 
 	"github.com/elastic/beats/v7/libbeat/beat"
 	"github.com/elastic/beats/v7/libbeat/processors"
@@ -98,8 +97,8 @@ func (p *addSessionMetadata) Run(ev *beat.Event) (*beat.Event, error) {
 }
 
 func (p *addSessionMetadata) String() string {
-	return fmt.Sprintf("%v=[backend=%s, pid_field=%s, replace_fields=%t]",
-		processorName, p.config.Backend, p.config.PIDField, p.config.ReplaceFields)
+	return fmt.Sprintf("%v=[backend=%s, pid_field=%s]",
+		processorName, p.config.Backend, p.config.PIDField)
 }
 
 func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
@@ -133,12 +132,6 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 		return nil, fmt.Errorf("merging enriched fields with event: %w", err)
 	}
 	result.Fields["process"] = m
-
-	if p.config.ReplaceFields {
-		if err := p.replaceFields(result); err != nil {
-			return nil, fmt.Errorf("replace fields: %w", err)
-		}
-	}
 	return result, nil
 }
 
@@ -169,40 +162,6 @@ func pidToUInt32(value interface{}) (pid uint32, err error) {
 	return pid, nil
 }
 
-// replaceFields replaces event fields with values suitable user with the session viewer in Kibana
-// The current version of session view in Kibana expects different values than what are used by auditbeat
-// for some fields. This function converts these field to have values that will work with session view.
-//
-// This function is temporary, and can be removed when this Kibana issue is completed: https://github.com/elastic/kibana/issues/179396.
-func (p *addSessionMetadata) replaceFields(ev *beat.Event) error {
-	kind, err := ev.Fields.GetValue("event.kind")
-	if err != nil {
-		return err
-	}
-	isAuditdEvent, err := ev.Fields.HasKey("auditd")
-	if err != nil {
-		return err
-	}
-	if kind == "event" && isAuditdEvent {
-		// process start
-		syscall, err := ev.Fields.GetValue("auditd.data.syscall")
-		if err != nil {
-			return nil //nolint:nilerr // processor can be called on unsupported events; not an error
-		}
-		switch syscall {
-		case "execveat", "execve":
-			ev.Fields.Put("event.action", []string{"exec", "fork"})
-			ev.Fields.Put("event.type", []string{"start"})
-
-		case "exit_group":
-			ev.Fields.Put("event.action", []string{"end"})
-			ev.Fields.Put("event.type", []string{"end"})
-			ev.Fields.Put("process.end", time.Now())
-		}
-	}
-	return nil
-}
-
 func tryToMapStr(v interface{}) (mapstr.M, bool) {
 	switch m := v.(type) {
 	case mapstr.M:
diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go
index 4890505aac4..296134a305d 100644
--- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go
+++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go
@@ -32,8 +32,7 @@ var (
 		{
 			testName: "enrich process",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			mockProcesses: []types.ProcessExecEvent{
 				{
@@ -94,8 +93,7 @@ var (
 		{
 			testName: "no PID field in event",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -113,8 +111,7 @@ var (
 		{
 			testName: "PID not number",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -133,8 +130,7 @@ var (
 		{
 			testName: "PID not in DB",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -154,8 +150,7 @@ var (
 			testName: "process field not in event",
 			// This event, without a "process" field, is not supported by enrich, it should be handled gracefully
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "action.pid",
+				PIDField: "action.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -170,8 +165,7 @@ var (
 			testName: "process field not mapstr",
 			// Unsupported process field type should be handled gracefully
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "action.pid",
+				PIDField: "action.pid",
 			},
 			input: beat.Event{
 				Fields: mapstr.M{
@@ -189,8 +183,7 @@ var (
 		{
 			testName: "enrich event with map[string]any process field",
 			config: config{
-				ReplaceFields: false,
-				PIDField:      "process.pid",
+				PIDField: "process.pid",
 			},
 			mockProcesses: []types.ProcessExecEvent{
 				{
diff --git a/x-pack/auditbeat/processors/sessionmd/config.go b/x-pack/auditbeat/processors/sessionmd/config.go
index 31c07c9065f..1aaa354c97d 100644
--- a/x-pack/auditbeat/processors/sessionmd/config.go
+++ b/x-pack/auditbeat/processors/sessionmd/config.go
@@ -8,15 +8,13 @@ package sessionmd
 
 // Config for add_session_metadata processor.
 type config struct {
-	Backend       string `config:"backend"`
-	ReplaceFields bool   `config:"replace_fields"`
-	PIDField      string `config:"pid_field"`
+	Backend  string `config:"backend"`
+	PIDField string `config:"pid_field"`
 }
 
 func defaultConfig() config {
 	return config{
-		Backend:       "auto",
-		ReplaceFields: false,
-		PIDField:      "process.pid",
+		Backend:  "auto",
+		PIDField: "process.pid",
 	}
 }
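Review bot: Dropping the `ReplaceFields` field (and its `config:"replace_fields"` tag) from `config` removes a key that deployed auditbeat configurations may still set, and the diffstat shows no changelog or reference-doc update accompanying the removal. Whether a leftover `replace_fields: true` now fails config validation at startup or is silently ignored depends on how the processor unpacks its config, which this hunk does not show; either outcome is worth stating for operators before the next release. A changelog entry plus a short comment on the struct, such as `// replace_fields was removed: Kibana session view no longer needs rewritten event.action/event.type values.`, would make the missing key easy to diagnose.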