auditd: Store program arguments in process.args array (#29601)
Changes Filebeat's auditd module to store program arguments (from an EXECVE call) in process.args (arg0 also in process.executable). Previously it was using fields arg0 to argN under auditd.log. This prevents too many fields being created. When a call contained more than 10.000 arguments, this led to an ingest error and contributed to very large indices:

> Could not index event to Elasticsearch: "status"=>400,
> "error"=>{
> "type"=>"illegal_argument_exception",
> "reason"=>"Limit of total fields [10000] has been exceeded"}}

(cherry picked from commit 03bf169)
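The commit message describes the layout change in prose only. The Python below is an added illustration, not code from Filebeat's auditd module: it parses a constructed auditd EXECVE record into the old per-argument layout (auditd.log.argN) and the new one (process.args plus process.executable), then counts how many distinct field names each layout adds to an index mapping as argument counts grow. The sample records, the function names and the hex-decoding rule (auditd hex-encodes an argument that contains spaces or quotes) are assumptions made for this example.

```python
import re

# Constructed sample records (not taken from the commit); a1 in the second
# record is hex-encoded the way auditd emits arguments containing spaces.
SAMPLE_EXECVE = ('type=EXECVE msg=audit(1610000000.123:456): argc=4 '
                 'a0="ls" a1="-l" a2="--color=auto" a3="/var/log"')
SAMPLE_EXECVE_HEX = ('type=EXECVE msg=audit(1610000000.124:457): argc=2 '
                     'a0="echo" a1=68656C6C6F20776F726C64')

# aN=<quoted value> or aN=<unquoted token>; "argc=" does not match because
# the pattern requires digits directly after the leading "a".
_ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|(\S+))')
_HEX_RE = re.compile(r'[0-9A-Fa-f]+')


def _decode_value(quoted, unquoted):
    """Quoted values are literal; an unquoted even-length hex token is decoded."""
    if quoted is not None:
        return quoted
    if _HEX_RE.fullmatch(unquoted) and len(unquoted) % 2 == 0:
        return bytes.fromhex(unquoted).decode("utf-8", errors="replace")
    return unquoted  # e.g. "(null)", left as-is


def parse_execve_args(line):
    """Return the EXECVE arguments as a list ordered by their index."""
    found = {}
    for m in _ARG_RE.finditer(line):
        found[int(m.group(1))] = _decode_value(m.group(2), m.group(3))
    return [found[i] for i in sorted(found)]


def to_legacy_fields(args):
    """Old layout: one auditd.log.argN field per argument (unbounded field count)."""
    return {f"auditd.log.arg{i}": a for i, a in enumerate(args)}


def to_ecs_fields(args):
    """New layout: a single array field plus the executable taken from arg0."""
    fields = {"process.args": list(args)}
    if args:
        fields["process.executable"] = args[0]
    return fields


def distinct_field_names(events):
    """Number of distinct field names a batch of events would add to the mapping."""
    names = set()
    for fields in events:
        names.update(fields)
    return len(names)


def field_count_comparison(max_args):
    """Mapping growth for events carrying 1..max_args arguments, per layout."""
    arg_lists = [[f"arg{i}" for i in range(n)] for n in range(1, max_args + 1)]
    legacy = distinct_field_names(to_legacy_fields(a) for a in arg_lists)
    ecs = distinct_field_names(to_ecs_fields(a) for a in arg_lists)
    return legacy, ecs


if __name__ == "__main__":
    for rec in (SAMPLE_EXECVE, SAMPLE_EXECVE_HEX):
        args = parse_execve_args(rec)
        print("legacy:", to_legacy_fields(args))
        print("ecs:   ", to_ecs_fields(args))
    legacy, ecs = field_count_comparison(50)
    print(f"distinct mapping fields for 1..50 args: legacy={legacy}, ecs={ecs}")
```

The legacy layout adds one new mapped field for every distinct argument position ever seen, so the mapping grows with the longest command line ingested and eventually hits the total-fields limit quoted in the commit message; the array layout adds exactly two fields regardless of argument count.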
Showing 12 changed files with 2,097 additions and 209 deletions.