From 271f9826119e43713b58af58dec224cb445293a2 Mon Sep 17 00:00:00 2001
From: Michael Wolf
Date: Mon, 22 Apr 2024 10:03:08 -0700
Subject: [PATCH] Remove ReplaceFields config from add_session_metadata processor (#39134)

The ReplaceFields config option was used to support compatibility with session viewer in Kibana that didn't support auditbeat fields. Kibana has now been updated, and this config option isn't needed.

(cherry picked from commit b34334fd0c9f210ffa13e21361098fada26da77c)
---
 .../sessionmd/add_session_metadata.go | 45 +------------------
 .../sessionmd/add_session_metadata_test.go | 21 +++------
 .../auditbeat/processors/sessionmd/config.go | 10 ++---
 3 files changed, 13 insertions(+), 63 deletions(-)

diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
index efcfdc96778..5b934980494 100644
--- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
+++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
@@ -11,7 +11,6 @@ import (
 "fmt"
 "reflect"
 "strconv"
- "time"
 
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/processors"
@@ -113,8 +112,8 @@ func (p *addSessionMetadata) Run(ev *beat.Event) (*beat.Event, error) {
 }
 
 func (p *addSessionMetadata) String() string {
- return fmt.Sprintf("%v=[backend=%s, pid_field=%s, replace_fields=%t]",
- processorName, p.config.Backend, p.config.PIDField, p.config.ReplaceFields)
+ return fmt.Sprintf("%v=[backend=%s, pid_field=%s]",
+ processorName, p.config.Backend, p.config.PIDField)
 }
 
 func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
@@ -148,12 +147,6 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 return nil, fmt.Errorf("merging enriched fields with event: %w", err)
 }
 result.Fields["process"] = m
-
- if p.config.ReplaceFields {
- if err := p.replaceFields(result); err != nil {
- return nil, fmt.Errorf("replace fields: %w", err)
- }
- }
 return result, nil
 }
 
@@ -184,40 +177,6 @@ func pidToUInt32(value interface{}) (pid uint32, err error) {
 return pid, nil
 }
 
-// replaceFields replaces event fields with values suitable user with the session viewer in Kibana
-// The current version of session view in Kibana expects different values than what are used by auditbeat
-// for some fields. This function converts these field to have values that will work with session view.
-//
-// This function is temporary, and can be removed when this Kibana issue is completed: https://github.com/elastic/kibana/issues/179396.
-func (p *addSessionMetadata) replaceFields(ev *beat.Event) error {
- kind, err := ev.Fields.GetValue("event.kind")
- if err != nil {
- return err
- }
- isAuditdEvent, err := ev.Fields.HasKey("auditd")
- if err != nil {
- return err
- }
- if kind == "event" && isAuditdEvent {
- // process start
- syscall, err := ev.Fields.GetValue("auditd.data.syscall")
- if err != nil {
- return nil //nolint:nilerr // processor can be called on unsupported events; not an error
- }
- switch syscall {
- case "execveat", "execve":
- ev.Fields.Put("event.action", []string{"exec", "fork"})
- ev.Fields.Put("event.type", []string{"start"})
-
- case "exit_group":
- ev.Fields.Put("event.action", []string{"end"})
- ev.Fields.Put("event.type", []string{"end"})
- ev.Fields.Put("process.end", time.Now())
- }
- }
- return nil
-}
-
 func tryToMapStr(v interface{}) (mapstr.M, bool) {
 switch m := v.(type) {
 case mapstr.M:
diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go
index 1ef06c92b2e..602f80f5836 100644
--- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go
+++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata_test.go
@@ -32,8 +32,7 @@ var (
 {
 testName: "enrich process",
 config: config{
- ReplaceFields: false,
- PIDField: "process.pid",
+ PIDField: "process.pid",
 },
 mockProcesses: []types.ProcessExecEvent{
 {
@@ -94,8 +93,7 @@ var (
 {
 testName: "no PID field in event",
 config: config{
- ReplaceFields: false,
- PIDField: "process.pid",
+ PIDField: "process.pid",
 },
 input: beat.Event{
 Fields: mapstr.M{
@@ -113,8 +111,7 @@ var (
 {
 testName: "PID not number",
 config: config{
- ReplaceFields: false,
- PIDField: "process.pid",
+ PIDField: "process.pid",
 },
 input: beat.Event{
 Fields: mapstr.M{
@@ -133,8 +130,7 @@ var (
 {
 testName: "PID not in DB",
 config: config{
- ReplaceFields: false,
- PIDField: "process.pid",
+ PIDField: "process.pid",
 },
 input: beat.Event{
 Fields: mapstr.M{
@@ -154,8 +150,7 @@ var (
 testName: "process field not in event",
 // This event, without a "process" field, is not supported by enrich, it should be handled gracefully
 config: config{
- ReplaceFields: false,
- PIDField: "action.pid",
+ PIDField: "action.pid",
 },
 input: beat.Event{
 Fields: mapstr.M{
@@ -170,8 +165,7 @@ var (
 testName: "process field not mapstr",
 // Unsupported process field type should be handled gracefully
 config: config{
- ReplaceFields: false,
- PIDField: "action.pid",
+ PIDField: "action.pid",
 },
 input: beat.Event{
 Fields: mapstr.M{
@@ -189,8 +183,7 @@ var (
 {
 testName: "enrich event with map[string]any process field",
 config: config{
- ReplaceFields: false,
- PIDField: "process.pid",
+ PIDField: "process.pid",
 },
 mockProcesses: []types.ProcessExecEvent{
 {
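Review bot: None of the updated table entries pins what the processor now does with a user configuration that still carries the removed `replace_fields` key, so the upgrade behaviour for existing deployments is left to whatever the config unpacker happens to do with unknown keys; that code is outside this file and I cannot tell from here whether it rejects or silently ignores them. Every case here previously set `ReplaceFields: false`, so no coverage of the `true` path is lost, but a single test constructing the processor from a raw config containing `replace_fields: true` and asserting the chosen outcome (error or ignored-with-warning) would make that decision explicit. The `var (` block these hunks edit starts and ends outside the diff.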
diff --git a/x-pack/auditbeat/processors/sessionmd/config.go b/x-pack/auditbeat/processors/sessionmd/config.go
index 31c07c9065f..1aaa354c97d 100644
--- a/x-pack/auditbeat/processors/sessionmd/config.go
+++ b/x-pack/auditbeat/processors/sessionmd/config.go
@@ -8,15 +8,13 @@ package sessionmd
 
 // Config for add_session_metadata processor.
 type config struct {
- Backend string `config:"backend"`
- ReplaceFields bool `config:"replace_fields"`
- PIDField string `config:"pid_field"`
+ Backend string `config:"backend"`
+ PIDField string `config:"pid_field"`
 }
 
 func defaultConfig() config {
 return config{
- Backend: "auto",
- ReplaceFields: false,
- PIDField: "process.pid",
+ Backend: "auto",
+ PIDField: "process.pid",
 }
 }
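Review bot: No changelog or documentation change accompanies the removal of the user-facing `replace_fields` key from `config` — the diffstat lists only the three Go files. Operators who set `replace_fields: true` will, after upgrading, either get a startup failure on an unknown key or silently lose the `event.action`/`event.type` rewriting their dashboards relied on; which of the two happens depends on how the processor unpacks its config, which is not visible here, but both outcomes deserve a CHANGELOG.next.asciidoc entry. If the unpacker tolerates unknown keys, keeping a deprecated `ReplaceFields bool `config:"replace_fields"`` field for one release and logging a warning when it is set would give users a visible migration signal instead of a silent behaviour change.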