Process telemetry returned from procs.go in Packetbeat github

jostromsttora · March 5, 2020, 5:25pm

Hi, I noticed in Packetbeats github repo from two days ago, a commit for procs.go that includes returning process telemetry. I've configured my packetsbeat v7.6.1 to send logs and visualized in Kibana. However, I don't see the PID / executable, command line arguments telemetry. Very interested in this for security use cases. Can anyone help direct me? Do I need a special config.yml? Processors?

Here are the lines of returned process information in procs.go, line 326:
"
return &process{
pid: info.PID,
ppid: info.PPID,
name: name,
exe: info.Exe,
cwd: info.CWD,
args: info.Args,
startTime: info.StartTime,
expiration: time.Now().Add(processCacheExpiration),
}
"
URL: https://github.com/elastic/beats/blob/master/packetbeat/procs/procs.go#L326-L334

andrewkroh · March 16, 2020, 10:25pm

Checkout the documentation for Packetbeat regarding process enrichment: https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-processes.html. You need to enable it in the config file.

jostromsttora · March 17, 2020, 12:14pm

Excellent. Thank you for the response. I turned this on and the process enrichment looks very good. This is a great feature and I really appreciate it once again.

system · April 14, 2020, 12:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.