Skip to content

[Auditd] Populate process.args array with process arguments#2730

Merged
adriansr merged 4 commits intoelastic:mainfrom
adriansr:auditd_process_args
Feb 23, 2022
Merged

[Auditd] Populate process.args array with process arguments#2730
adriansr merged 4 commits intoelastic:mainfrom
adriansr:auditd_process_args

Conversation

@adriansr
Copy link
Copy Markdown
Contributor

@adriansr adriansr commented Feb 22, 2022
edited
Loading

What does this PR do?

Prevents the indices exceeding the 10,000 field limit due to an arbitrarily large number of auditd.log.aNNN fields.
Also removes the unnecessary setter for event.ingested.

Easier to review by looking at each commit independently.

The first one just removes event.original and re-generates logs, which has the annoying side-effect of sorting the generated docs by key, creating a lot of noise.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

This is a combination of the following Filebeat module fixes:

@adriansr
Remove event.ingested
cae8782
@adriansr
auditd - Store program arguments in process.args array
2185d2a 
Prevents the indices exceeding the 10,000 field limit due to an
arbitrarily large number of aNN fields.

This is a combination of the following Filebeat module fixes:
 - elastic/beats#29601
 - elastic/beats#30382
@adriansr
Update version to 2.1.0
042a227
@adriansr adriansr changed the title Auditd process args Auditd - Populate process.args array with process arguments Feb 22, 2022
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Feb 22, 2022

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@adriansr adriansr changed the title Auditd - Populate process.args array with process arguments [Auditd] Populate process.args array with process arguments Feb 22, 2022
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Feb 22, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-02-23T14:50:38.741+0000

  • Duration: 22 min 43 sec

Test stats 🧪

Test Results
Failed 0
Passed 14
Skipped 0
Total 14

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

efd6
efd6 approved these changes Feb 22, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after minor issue is fixed.

packages/auditd/changelog.yml
@@ -1,4 +1,8 @@
# newer versions go on top
- version: "2.1.0"
- description: Store EXECVE arguments in process.args array.
Copy link
Copy Markdown
Contributor

@efd6 efd6 Feb 22, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing changes: line.

@adriansr adriansr merged commit c91d581 into elastic:main Feb 23, 2022
@adriansr adriansr deleted the auditd_process_args branch February 23, 2022 16:07
@andrewkroh andrewkroh mentioned this pull request Feb 28, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request Integration:auditd Auditd Logs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@adriansr @elasticmachine @efd6