
[8.0] (backport #29601) auditd: Store program arguments in process.args array #29764

Merged
adriansr merged 1 commit into 8.0 from mergify/bp/8.0/pr-29601 on Jan 10, 2022

Conversation

@mergify (Contributor) mergify bot commented Jan 10, 2022

This is an automatic backport of pull request #29601 done by Mergify.



Changes Filebeat's auditd module to store program arguments
(from an EXECVE call) in process.args (arg0 also in process.executable).
Previously it was using fields arg0 to argN under auditd.log.

This prevents too many fields being created. When a call contained
more than 10.000 arguments, this led to an ingest error and contributed to
very large indices:

> Could not index event to Elasticsearch: "status"=>400,
>   "error"=>{
>     "type"=>"illegal_argument_exception",
>     "reason"=>"Limit of total fields [10000] has been exceeded"}}

(cherry picked from commit 03bf169)
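As an added illustration (not Filebeat's own code or its ingest pipeline), the following shows why the change described above bounds the mapping: it rebuilds argv from the `aN` key/value pairs of a hypothetical auditd EXECVE record, emits both the old `auditd.log.argN` layout and the new `process.args` / `process.executable` layout, and counts the distinct field names each layout needs. The sample record is constructed here; it also covers two auditd quirks the commit message does not mention, hex-encoded values and over-long arguments split into `aN[k]` fragments.

```python
import re
from typing import Callable, Dict, Iterable, List

# Constructed sample (hypothetical input, not Filebeat's intermediate format):
# a2 is hex-encoded, as auditd does for values containing spaces or control
# characters; a3 is an over-long argument auditd has split into fragments.
SAMPLE_EXECVE = {
    "argc": "4",
    "a0": '"/usr/bin/curl"',
    "a1": '"-A"',
    "a2": "6d79206167656e74",          # hex for "my agent"
    "a3_len": "24",
    "a3[0]": '"https://example."',
    "a3[1]": '"invalid/"',
}

ARG_KEY = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")   # matches aN and aN[k], not argc/aN_len
HEX_VALUE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")

def decode_value(raw: str) -> str:
    """Quoted values are literal; unquoted hex is auditd's escaping of unprintable input."""
    if raw.startswith('"'):
        return raw.strip('"')
    if HEX_VALUE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def assemble_args(execve: Dict[str, str]) -> List[str]:
    """Rebuild argv in order, joining split fragments of the same argument."""
    argc = int(execve.get("argc", "0"))
    parts: Dict[int, Dict[int, str]] = {}
    for key, raw in execve.items():
        m = ARG_KEY.match(key)
        if m:
            idx, frag = int(m.group(1)), int(m.group(2) or 0)
            parts.setdefault(idx, {})[frag] = decode_value(raw)
    return ["".join(v for _, v in sorted(parts.get(i, {}).items())) for i in range(argc)]

def legacy_fields(execve: Dict[str, str]) -> Dict[str, object]:
    """Old layout: one auditd.log.argN field per argument, so the mapping grows
    with the longest command line ever ingested."""
    return {"auditd.log.arg%d" % i: a for i, a in enumerate(assemble_args(execve))}

def ecs_fields(execve: Dict[str, str]) -> Dict[str, object]:
    """New layout: a single process.args array plus process.executable (arg0)."""
    args = assemble_args(execve)
    return {"process.args": args, "process.executable": args[0]} if args else {"process.args": []}

def distinct_field_count(events: Iterable[Dict[str, str]], layout: Callable) -> int:
    """Number of distinct field names the index mapping would need for these events."""
    return len({name for ev in events for name in layout(ev)})
```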
@mergify mergify bot added the backport label Jan 10, 2022
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jan 10, 2022
@mergify (Contributor, Author) mergify bot commented Jan 10, 2022

This pull request has not been merged yet. Could you please review and merge it @adriansr? 🙏

@elasticmachine (Contributor) commented Jan 10, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jan 10, 2022
@elasticmachine (Contributor) commented Jan 10, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2022-01-10T08:55:47.744+0000

  • Duration: 102 min 43 sec

  • Commit: d832fb4

Test stats 🧪

  • Failed: 0
  • Passed: 9599
  • Skipped: 1282
  • Total: 10881

💚 Flaky test report

Tests succeeded.


@adriansr adriansr merged commit 96505b4 into 8.0 Jan 10, 2022
@mergify mergify bot deleted the mergify/bp/8.0/pr-29601 branch January 10, 2022 12:42