Auditbeat's system/socket dataset can return truncated process names in two scenarios:
- When the table of running processes is bootstrapped during startup, the "comm" field of
/proc/<pid>/stat is used as the process name. This value is truncated to 15 chars by the kernel (TASK_COMM_LEN=16).
To align with the rest of the system/socket code, the filename extracted from the executable path should be used instead.
Example document:
{
  "@timestamp": "2021-03-22T08:57:10.558Z",
  "process": {
    "pid": 21830,
    "name": "elastic-endpoin",
    "args": [
      "/opt/Elastic/Endpoint/elastic-endpoint",
      "run"
    ],
    "executable": "/opt/Elastic/Endpoint/elastic-endpoint",
    "created": "2021-03-04T14:05:55.860Z"
  },
  [...]
}
- When an execve event is received, the length of the executable path and program arguments is limited to 128 characters each. When the path is truncated, the wrong process name will be extracted from it.
As a suggestion, we could detect this truncation and do an alternative enrichment from /proc/<pid>/.
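The following is an added illustration of the two checks described above, not code from Auditbeat itself. It treats a comm value of 15 bytes and an execve path of 128 or more bytes as possibly truncated (the limits stated in this issue), derives the name from the executable's basename when that is safe, and otherwise falls back to resolving /proc/<pid>/exe. The function names and the "trustworthy" boolean are this example's own conventions, and the sample values are constructed from the document above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Limits taken from the issue text: the kernel's comm field holds at most
// TASK_COMM_LEN-1 = 15 bytes, and the dataset captures at most 128 bytes of
// each execve path/argument.
const (
	maxCommLen   = 15
	maxExecveArg = 128
)

// commMayBeTruncated reports whether a comm value sits at the kernel limit and
// may therefore be a cut-off name (e.g. "elastic-endpoin").
func commMayBeTruncated(comm string) bool {
	return len(comm) >= maxCommLen
}

// pathMayBeTruncated reports whether a captured execve path or argument sits at
// the 128-byte capture limit and may therefore be incomplete.
func pathMayBeTruncated(p string) bool {
	return len(p) >= maxExecveArg
}

// nameFromExecutable extracts the process name the same way the rest of the
// system/socket code does: the last path element of the executable.
func nameFromExecutable(exe string) string {
	return filepath.Base(exe)
}

// ProcessName picks the best name available from an event's fields. The second
// return value is false when every available source may itself be truncated,
// which is the signal to try enrichFromProc instead.
func ProcessName(comm, exe string) (string, bool) {
	if exe != "" && !pathMayBeTruncated(exe) {
		return nameFromExecutable(exe), true
	}
	if comm != "" && !commMayBeTruncated(comm) {
		return comm, true
	}
	if exe != "" {
		// Best effort: basename of a possibly truncated path.
		return nameFromExecutable(exe), false
	}
	return comm, false
}

// enrichFromProc is the suggested fallback: resolve the /proc/<pid>/exe symlink
// (Linux only) and take its basename, which is never subject to either limit.
func enrichFromProc(pid int) (string, error) {
	target, err := os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
	if err != nil {
		return "", err
	}
	return nameFromExecutable(target), nil
}

func main() {
	// Constructed sample matching the document in the issue.
	name, ok := ProcessName("elastic-endpoin", "/opt/Elastic/Endpoint/elastic-endpoint")
	fmt.Printf("name=%q trustworthy=%v\n", name, ok)

	// When nothing in the event is reliable, enrich from /proc for the live pid.
	if n, err := enrichFromProc(os.Getpid()); err == nil {
		fmt.Printf("self via /proc: %q\n", n)
	} else {
		fmt.Println("procfs lookup unavailable:", err)
	}
}
```

The length-at-limit heuristic cannot distinguish a genuinely 15-byte name from a truncated one, so it only flags candidates; the procfs lookup is what actually restores the full name.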