[Auditbeat] Process dataset: Only report processes with executable (#…

…11232) Excludes kernel processes on Linux. They don't provide a lot of value, the names are not unique, and they will not be able to use potential future features like process executable hashes.
elastic · Mar 14, 2019 · 115eeb7 · 115eeb7
1 parent 1946505
commit 115eeb7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -46,6 +46,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename user fields to ECS in auditd module. {pull}10456[10456]
 - Rename `event.type` to `auditd.message_type` in auditd module because event.type is reserved for future use by ECS. {pull}10536[10536]
 - Rename `auditd.messages` to `event.original` and `auditd.warnings` to `error.message`. {pull}10577[10577]
+- Process dataset: Only report processes with executable. {pull}11232[11232]
 
 *Filebeat*
 

diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"os"
 	"os/user"
+	"runtime"
 	"strconv"
 	"time"
 
@@ -422,6 +423,11 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
 			}
 		}
 
+		// Exclude Linux kernel processes, they are not very interesting.
+		if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
+			continue
+		}
+
 		processes = append(processes, process)
 	}