Add session metadata (Beta)
editAdd session metadata (Beta)
editThis functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
The add_session_metadata
processor enriches process events with additional
information that users can see using the Session View tool in the
Elastic Security platform.
The current release of add_session_metadata
processor for Auditbeat is limited to virtual machines (VMs) and bare metal environments.
Here’s an example using the add_session_metadata
processor to enhance process events generated by
the auditd
module of Auditbeat.
auditbeat.modules: - module: auditd processors: - add_session_metadata: backend: "auto"
How the add_session_metadata
processor works
editUsing the available Linux kernel technology, the processor collects comprehensive information on all running system processes, compiling this data into a process database.
When processing an event (such as those generated by the Auditbeat auditd
module), the processor queries this database to retrieve information about related processes, including the parent process, session leader, process group leader, and entry leader.
It then enriches the original event with this metadata, providing a more complete picture of process relationships and system activities.
This enhanced data enables the powerful Session View tool in the Elastic Security platform, offering users deeper insights for analysis and investigation.
Backends
editThe add_session_metadata
processor operates using various backend options.
-
auto
is the recommended setting. It attempts to useebpf
first, falling back toprocfs
if necessary, ensuring compatibility even on systems withoutebpf
support. -
ebpf
collects process information with eBPF. This backend requires a system with Linux kernel 5.10.16 or above, kernel support for eBPF enabled, and auditbeat running as superuser. -
procfs
collects process information with the proc filesystem. This is compatible with older systems that may not support ebpf. To gather complete process info, auditbeat requires permissions to read all process data in procfs; for example, run as a superuser or have theSYS_PTRACE
capability.
Containers
editIf you are running Auditbeat in a container, the container must run in the host’s PID namespace.
With the auto
or ebpf
backend, these host directories must also be mounted to the same path within the container: /sys/kernel/debug
, /sys/fs/bpf
.
Enable and configure Session View in Auditbeat
editTo configure and enable Session View functionality, you’ll:
-
Add the
add_sessions_metadata
processor to yourauditbeat.yml
file. -
Configure audit rules in your
auditbeat.yml
file. - Restart Auditbeat.
We’ll walk you through these steps in more detail.
-
Edit your
auditbeat.yml
file and add this info to the modules configuration section:auditbeat.modules: - module: auditd processors: - add_session_metadata: backend: "auto"
-
Add audit rules in the modules configuration section of
auditbeat.yml
or theaudit.rules.d
config file, depending on your configuration:auditbeat.modules: - module: auditd audit_rules: | ## executions -a always,exit -F arch=b64 -S execve,execveat -k exec -a always,exit -F arch=b64 -S exit_group ## set_sid -a always,exit -F arch=b64 -S setsid
- Save your configuration changes.
-
Restart Auditbeat:
sudo systemctl restart auditbeat