Version: 7.6.0
Operating System: Centos 7.7.1908
Steps to Reproduce:
Run auditbeat with the system/process metricset enabled (default) and run a big executable file.
The following errors are published:
{
  "_index": "auditbeat-2020.03.06",
  "_type": "_doc",
  "_id": "IHaAr3ABWAfwH1eDm-zq",
  "_score": 1,
  "_source": {
    "host": {
      "name": "db"
    },
    "process": {
      "working_directory": "/opt/xxx/dbs",
      "name": "oracle_17352_xx",
      "executable": "/opt/xxx/bin/oracle",
      "args": [
        "oracle",
        "(LOCAL=NO)"
      ],
      "entity_id": "DFoCu0ytLk1bYl7J",
      "ppid": 1,
      "start": "2020-03-06T11:00:01.319Z",
      "pid": 17352
    },
    "message": "ERROR for PID 17352: failed to hash executable /opt/xxx/bin/oracle for PID 17352: failed to hash file /opt/xxx/bin/oracle: hasher: file size 407988864 exceeds max file size",
    "event": {
      "kind": "error",
      "action": "process_error",
      "module": "system",
      "dataset": "process"
    },
    "@version": "1",
    "@timestamp": "2020-03-06T11:00:05.073Z",
    "error": {
      "message": "failed to hash executable /opt/xxx/bin/oracle for PID 17352: failed to hash file /opt/xxx/bin/oracle: hasher: file size 407988864 exceeds max file size"
    },
    "fields": {
      "@timestamp": [
        "2020-03-06T11:00:05.073Z"
      ],
      "process.start": [
        "2020-03-06T11:00:01.319Z"
      ]
    }
  }
}
Configuration of system module:
- module: system
  datasets:
    - login # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - user # User information
  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
The options max_file_size and exclude_files do not give a result, as they refer to the file_integrity module.
The system module does not have options for max_file_size or exclude_files for skipping.
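The security-relevant consequence of the error above is that every executable larger than the hasher's limit runs with no hash recorded at all, so it can never be matched against a known-good or known-bad hash list. The following Python script is an added example by the editor, not code from the issue or from Auditbeat: it reads newline-delimited Auditbeat JSON events (as written by the file output), lists each executable the hasher skipped for size, separates other hashing failures that need a different fix, and hashes such a file out-of-band with a streaming SHA-256 so the gap can be closed manually. The sample events are constructed (the first mirrors the event in the report; the others are invented), and the regex, function names, and the permission-denied error line are assumptions made for this example.

```python
"""Triage Auditbeat system/process 'process_error' events whose executable
was skipped by the hasher for exceeding the maximum file size.

Added example by the editor; not part of Auditbeat or of the bug report.
"""
import hashlib
import json
import os
import re
import tempfile

# Pattern copied from the hasher error text quoted in the report.
SIZE_ERR = re.compile(
    r"failed to hash file (?P<path>\S+): hasher: file size (?P<size>\d+) "
    r"exceeds max file size"
)


def _event(pid, exe, action, err=None):
    """Build one auditbeat-shaped event line (constructed for this example)."""
    ev = {"host": {"name": "db"},
          "process": {"pid": pid, "executable": exe},
          "event": {"kind": "error" if err else "event", "action": action,
                    "module": "system", "dataset": "process"}}
    if err:
        ev["error"] = {"message": err}
    return json.dumps(ev)


def _size_err(pid, exe, size):
    """Reproduce the hasher's size-limit error text for a constructed event."""
    return (f"failed to hash executable {exe} for PID {pid}: failed to hash "
            f"file {exe}: hasher: file size {size} exceeds max file size")


# Constructed sample input: the report's event, a second PID of the same
# binary, an unrelated (invented) permission error, and a normal start event.
SAMPLE_EVENTS = "\n".join([
    _event(17352, "/opt/xxx/bin/oracle", "process_error",
           _size_err(17352, "/opt/xxx/bin/oracle", 407988864)),
    _event(17401, "/opt/xxx/bin/oracle", "process_error",
           _size_err(17401, "/opt/xxx/bin/oracle", 407988864)),
    _event(2210, "/usr/local/bin/agent", "process_error",
           "failed to hash executable /usr/local/bin/agent for PID 2210: "
           "failed to hash file /usr/local/bin/agent: open "
           "/usr/local/bin/agent: permission denied"),
    _event(2300, "/usr/bin/sleep", "process_started"),
])


def parse_events(text):
    """Yield one dict per non-empty JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def unhashed_executables(text):
    """Map executable path -> {size, pids, hosts} for every process_error
    event whose error says the hasher skipped the file because of its size."""
    found = {}
    for ev in parse_events(text):
        if ev.get("event", {}).get("action") != "process_error":
            continue
        m = SIZE_ERR.search(ev.get("error", {}).get("message", ""))
        if not m:
            continue
        entry = found.setdefault(m.group("path"), {
            "size": int(m.group("size")), "pids": set(), "hosts": set()})
        entry["pids"].add(ev.get("process", {}).get("pid"))
        entry["hosts"].add(ev.get("host", {}).get("name"))
    return found


def other_hash_errors(text):
    """process_error events that are not size-limit skips (different root cause)."""
    return [ev["error"]["message"] for ev in parse_events(text)
            if ev.get("event", {}).get("action") == "process_error"
            and not SIZE_ERR.search(ev.get("error", {}).get("message", ""))]


def sha256_streaming(path, chunk_size=1 << 20):
    """SHA-256 of a file of any size, read in chunks so memory use stays flat."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def demo_streaming_hash(content, chunk_size=1):
    """Write content to a temp file, hash it chunk by chunk, return the hex digest."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
        return sha256_streaming(path, chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for exe, info in sorted(unhashed_executables(SAMPLE_EVENTS).items()):
        print(f"{exe}: {info['size'] / 2**20:.0f} MiB unhashed, "
              f"pids={sorted(info['pids'])}, hosts={sorted(info['hosts'])}")
    for msg in other_hash_errors(SAMPLE_EVENTS):
        print("other hashing error:", msg)
    print("sha256('abc') streamed:", demo_streaming_hash(b"abc"))
```

`unhashed_executables` takes the text of an Auditbeat NDJSON output file, so pointing it at the real output gives the full inventory of binaries that the process dataset is silently not covering; the oracle binary from the report comes out at about 389 MiB. `sha256_streaming` never reads the whole file into memory, which is the property a hasher needs to drop a size cap safely.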