[Auditbeat] Cherry-pick #11232 to 7.0: Process dataset: Only report p…

…rocesses with executable (#11258) Cherry-pick of PR #11232 to 7.0 branch. Original message: Excludes kernel processes on Linux. They don't provide a lot of value, the names are not unique, and they will not be able to use potential future features like process executable hashes.
elastic · Mar 15, 2019 · dc3b6da · dc3b6da
1 parent 03a9428
commit dc3b6da
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -16,6 +16,8 @@ https://github.com/elastic/beats/compare/v7.0.0-beta1...master[Check the HEAD di
 
 *Auditbeat*
 
+- Process dataset: Only report processes with executable. {pull}11232[11232]
+
 *Filebeat*
 
 - Set `ecs: true` in user_agent processors when loading pipelines with Filebeat 7.0.x into Elasticsearch 6.7.x. {issue}10655[10655] {pull}10875[10875]

diff --git a/x-pack/auditbeat/module/system/process/process.go b/x-pack/auditbeat/module/system/process/process.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"os"
 	"os/user"
+	"runtime"
 	"strconv"
 	"time"
 
@@ -422,6 +423,11 @@ func (ms *MetricSet) getProcesses() ([]*Process, error) {
 			}
 		}
 
+		// Exclude Linux kernel processes, they are not very interesting.
+		if runtime.GOOS == "linux" && userInfo.UID == "0" && process.Info.Exe == "" {
+			continue
+		}
+
 		processes = append(processes, process)
 	}