From 3a32dbe3e5e8fc480dddb93f3260341f55bb0bab Mon Sep 17 00:00:00 2001
From: fearful-symmetry
Date: Wed, 6 Nov 2024 13:29:05 -0800
Subject: [PATCH 1/3] add a few log statements

---
 x-pack/auditbeat/module/system/socket/state.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go
index 347c5385921..88753939155 100644
--- a/x-pack/auditbeat/module/system/socket/state.go
+++ b/x-pack/auditbeat/module/system/socket/state.go
@@ -570,6 +570,7 @@ func (s *state) ForkProcess(parentPID, childPID uint32, ts kernelTime) error {
 for k, v := range parent.resolvedDomains {
 child.resolvedDomains[k] = v
 }
+ s.log.Debugf("forking process %d with %d associated domains", childPID, len(child.resolvedDomains))
 s.processes[childPID] = child
 }
 return nil
@@ -676,6 +677,7 @@ func (s *state) CreateSocket(ref flow) error {
 func (s *state) OnDNSTransaction(tr dns.Transaction) error {
 s.Lock()
 defer s.Unlock()
+ s.log.Debugf("adding DNS transaction for domain %s for client %s", tr.Domain, tr.Client.String())
 s.dns.AddTransaction(tr)
 return nil
 }
@@ -721,6 +723,10 @@ func (s *state) mutualEnrich(sock *socket, f *flow) {
 }
 
 func (s *state) createFlow(ref flow) error {
+ if ref.process != nil {
+ s.log.Debugf("creating flow for pid %s", ref.process.pid)
+ }
+
 // Get or create a socket for this flow
 sock := s.getSocket(ref.sock)
 ref.createdTime = ref.lastSeenTime
@@ -821,6 +827,9 @@ func (s *state) enrichDNS(f *flow) {
 IP: f.local.addr.IP,
 Port: f.local.addr.Port,
 }
+ if f.process != nil {
+ s.log.Debugf("registering endpoint %s for process %d", localUDP.String(), f.process.pid)
+ }
 s.dns.RegisterEndpoint(localUDP, f.process)
 }
 }
From 9b103fba6043dd04f5a8e73705150858bba69278 Mon Sep 17 00:00:00 2001
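Review bot: The new Debugf in OnDNSTransaction calls `tr.Client.String()` eagerly, so the string is built for every DNS transaction, under the state lock, even when debug logging is off. If s.log is a fmt-style logger, which the `%d` verbs used elsewhere in this patch suggest, passing the value lets the logger invoke String() only when the line is actually emitted: `s.log.Debugf("adding DNS transaction for domain %s for client %s", tr.Domain, tr.Client)`. The same applies to `localUDP.String()` in the enrichDNS hunk of this patch. Whether the logger checks the level before formatting is not visible here, so confirm before changing.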
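Review bot: The added line in createFlow formats `ref.process.pid` with `%s`, which for an integer pid prints a `%!s(...)` placeholder instead of the number. The type of `process.pid` is not visible in this hunk, but the enrichDNS hunk in the same patch formats `f.process.pid` with `%d` and TerminateProcess takes `pid uint32`, so this should be `s.log.Debugf("creating flow for pid %d", ref.process.pid)`; `go vet`'s printf check would flag the mismatch. createFlow's body continues outside the hunk.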
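Review bot: The nil guard added in enrichDNS wraps only the Debugf, while `s.dns.RegisterEndpoint(localUDP, f.process)` on the next line still receives a possibly-nil process, so a reader may assume the guard was meant to cover the call too. That call predates this patch and presumably tolerates nil, but the placement invites someone to "fix" it by widening the guard and silently dropping registrations; a one-line comment such as `// f.process may be nil here; only the log line needs the check` would make the intent explicit. enrichDNS starts outside the hunk.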
From: fearful-symmetry
Date: Fri, 8 Nov 2024 08:01:11 -0800
Subject: [PATCH 2/3] add debug log statements to system/socket

---
 x-pack/auditbeat/module/system/socket/state.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go
index 88753939155..f102127e783 100644
--- a/x-pack/auditbeat/module/system/socket/state.go
+++ b/x-pack/auditbeat/module/system/socket/state.go
@@ -580,6 +580,7 @@ func (s *state) TerminateProcess(pid uint32) error {
 if pid == 0 {
 return errors.New("can't terminate process with PID 0")
 }
+ s.log.Debugf("terminating process %d", pid)
 s.Lock()
 defer s.Unlock()
 delete(s.processes, pid)
From 072c4e4e8c98b3a5dd1aeca5c2f6613f63b17162 Mon Sep 17 00:00:00 2001
From: fearful-symmetry
Date: Fri, 8 Nov 2024 08:24:45 -0800
Subject: [PATCH 3/3] add changelog

---
 CHANGELOG.next.asciidoc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c1084282c1b..95d6e70f77e 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -245,6 +245,8 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Auditbeat*
+- Improve logging in system/socket {pull}41571[41571]
+
 *Auditbeat*