[Auditbeat] Remove temporary "ReplaceFields" config option #39134

Merged
merged 2 commits into from
Apr 22, 2024
Merged
45 changes: 2 additions & 43 deletions x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
Expand Up @@ -11,7 +11,6 @@ import (
"fmt"
"reflect"
"strconv"
"time"

"github.com/elastic/beats/v7/libbeat/beat"
"github.com/elastic/beats/v7/libbeat/processors"
Expand Down Expand Up @@ -113,8 +112,8 @@ func (p *addSessionMetadata) Run(ev *beat.Event) (*beat.Event, error) {
}

func (p *addSessionMetadata) String() string {
return fmt.Sprintf("%v=[backend=%s, pid_field=%s, replace_fields=%t]",
processorName, p.config.Backend, p.config.PIDField, p.config.ReplaceFields)
return fmt.Sprintf("%v=[backend=%s, pid_field=%s]",
processorName, p.config.Backend, p.config.PIDField)
}

func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
Expand Down Expand Up @@ -148,12 +147,6 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
return nil, fmt.Errorf("merging enriched fields with event: %w", err)
}
result.Fields["process"] = m

if p.config.ReplaceFields {
if err := p.replaceFields(result); err != nil {
return nil, fmt.Errorf("replace fields: %w", err)
}
}
return result, nil
}

Expand Down Expand Up @@ -184,40 +177,6 @@ func pidToUInt32(value interface{}) (pid uint32, err error) {
return pid, nil
}

// replaceFields replaces event fields with values suitable user with the session viewer in Kibana
// The current version of session view in Kibana expects different values than what are used by auditbeat
// for some fields. This function converts these field to have values that will work with session view.
//
// This function is temporary, and can be removed when this Kibana issue is completed: https://github.com/elastic/kibana/issues/179396.
func (p *addSessionMetadata) replaceFields(ev *beat.Event) error {
kind, err := ev.Fields.GetValue("event.kind")
if err != nil {
return err
}
isAuditdEvent, err := ev.Fields.HasKey("auditd")
if err != nil {
return err
}
if kind == "event" && isAuditdEvent {
// process start
syscall, err := ev.Fields.GetValue("auditd.data.syscall")
if err != nil {
return nil //nolint:nilerr // processor can be called on unsupported events; not an error
}
switch syscall {
case "execveat", "execve":
ev.Fields.Put("event.action", []string{"exec", "fork"})
ev.Fields.Put("event.type", []string{"start"})

case "exit_group":
ev.Fields.Put("event.action", []string{"end"})
ev.Fields.Put("event.type", []string{"end"})
ev.Fields.Put("process.end", time.Now())
}
}
return nil
}

func tryToMapStr(v interface{}) (mapstr.M, bool) {
switch m := v.(type) {
case mapstr.M:
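Review bot: The rewritten String() at the `-113,8 +112,8` hunk still renders the user-supplied `backend` and `pid_field` config values with `%s`, so an empty or whitespace-only pid_field is indistinguishable from a sensible one in the processor description that ends up in logs. Quoting them with `%q` makes such values visible: `return fmt.Sprintf("%v=[backend=%q, pid_field=%q]",` with the same arguments on the next line. This assumes the string is only consumed by logging and debug output; if anything parses it, keep the current format and ignore this.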
Expand Up @@ -32,8 +32,7 @@ var (
{
testName: "enrich process",
config: config{
ReplaceFields: false,
PIDField: "process.pid",
PIDField: "process.pid",
},
mockProcesses: []types.ProcessExecEvent{
{
Expand Down Expand Up @@ -94,8 +93,7 @@ var (
{
testName: "no PID field in event",
config: config{
ReplaceFields: false,
PIDField: "process.pid",
PIDField: "process.pid",
},
input: beat.Event{
Fields: mapstr.M{
Expand All @@ -113,8 +111,7 @@ var (
{
testName: "PID not number",
config: config{
ReplaceFields: false,
PIDField: "process.pid",
PIDField: "process.pid",
},
input: beat.Event{
Fields: mapstr.M{
Expand All @@ -133,8 +130,7 @@ var (
{
testName: "PID not in DB",
config: config{
ReplaceFields: false,
PIDField: "process.pid",
PIDField: "process.pid",
},
input: beat.Event{
Fields: mapstr.M{
Expand All @@ -154,8 +150,7 @@ var (
testName: "process field not in event",
// This event, without a "process" field, is not supported by enrich, it should be handled gracefully
config: config{
ReplaceFields: false,
PIDField: "action.pid",
PIDField: "action.pid",
},
input: beat.Event{
Fields: mapstr.M{
Expand All @@ -170,8 +165,7 @@ var (
testName: "process field not mapstr",
// Unsupported process field type should be handled gracefully
config: config{
ReplaceFields: false,
PIDField: "action.pid",
PIDField: "action.pid",
},
input: beat.Event{
Fields: mapstr.M{
Expand All @@ -189,8 +183,7 @@ var (
{
testName: "enrich event with map[string]any process field",
config: config{
ReplaceFields: false,
PIDField: "process.pid",
PIDField: "process.pid",
},
mockProcesses: []types.ProcessExecEvent{
{
10 changes: 4 additions & 6 deletions x-pack/auditbeat/processors/sessionmd/config.go
Expand Up @@ -8,15 +8,13 @@ package sessionmd

// Config for add_session_metadata processor.
type config struct {
Backend string `config:"backend"`
ReplaceFields bool `config:"replace_fields"`
PIDField string `config:"pid_field"`
Backend string `config:"backend"`
PIDField string `config:"pid_field"`
}

func defaultConfig() config {
return config{
Backend: "auto",
ReplaceFields: false,
PIDField: "process.pid",
Backend: "auto",
PIDField: "process.pid",
}
}
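Review bot: Removing `ReplaceFields` from the config struct leaves deployments that still set `replace_fields: true` in an ambiguous state: whether the unknown key is rejected at unpack time or silently ignored depends on libbeat's config validation settings, which this hunk does not show. If it is ignored, those operators keep a setting that no longer rewrites `event.action`/`event.type` and get no warning about the behaviour change. The removal should be called out in the changelog as a breaking configuration change, or the obsolete key explicitly rejected with a clear error, so the silent-ignore case cannot go unnoticed. The `config` doc comment could also state that `Backend` defaults to `"auto"` and `PIDField` to `"process.pid"` per defaultConfig, since that is now the whole contract of the type.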