Capture environment variables
[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
You can configure an Elastic Defend policy to capture up to five environment variables (env vars).
- Env var names must be no more than 63 characters, and env var values must be no more than 1023 characters. Values outside these limits are silently ignored.
- Env var names are case sensitive.
To set up environment variable capture for an Elastic Agent policy:
- Go to Assets → Fleet → Agent policies.
- Select an Elastic Agent policy, then the associated Elastic Defend policy.
- Go to the Settings tab, then scroll to the bottom and click Show advanced settings.
- Scroll down or search for linux.advanced.capture_env_vars or mac.advanced.capture_env_vars.
- Enter the names of env vars you want to capture, separated by commas. For example: PATH,USER
- Click Save.
Find captured environment variables
Captured environment variables are associated with process events, and appear in each event’s process.env_vars field.
To view environment variables in the Events table:
- Click the Events tab on the Hosts, Network, or Users pages (Explore), then click Fields in the Events table.
- Search for the process.env_vars field, select it, and click Close. A new column appears containing captured environment variable data.
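The following is an added example, not code from the Elastic documentation or from Elastic Defend itself. It shows the two sides of the procedures above in one place: checking a capture_env_vars setting string against the documented limits (at most five names, names no longer than 63 characters, case sensitive) before saving it, and reading captured variables back out of a process event. The sample event is constructed, and the shape of process.env_vars as a list of "NAME=value" strings is an assumption made here, as is treating a repeated name as a single entry.

```python
"""Added example (not from the Elastic documentation): helper checks for the
capture_env_vars advanced setting and for reading process.env_vars back out of
a process event.

Assumptions, labelled as such: the setting value is the comma-separated string
typed into the policy UI, and process.env_vars is assumed to be a list of
"NAME=value" strings. The sample event below is constructed, not captured.
"""
import json

MAX_VARS = 5          # the policy captures at most five env vars
MAX_NAME_LEN = 63     # longer names are silently ignored
MAX_VALUE_LEN = 1023  # longer values are silently ignored


def parse_capture_setting(setting: str) -> dict:
    """Split a capture_env_vars value and report what the agent would keep.

    Returns {"accepted": [...], "rejected": {name: reason}}. Names are case
    sensitive, so "PATH" and "path" are two distinct entries.
    """
    names = [n.strip() for n in setting.split(",") if n.strip()]
    accepted, rejected = [], {}
    for name in names:
        if len(name) > MAX_NAME_LEN:
            rejected[name] = f"name longer than {MAX_NAME_LEN} characters"
        elif name in accepted:
            # Assumption: a repeated name counts once rather than twice.
            rejected[name] = "duplicate name"
        elif len(accepted) >= MAX_VARS:
            rejected[name] = f"more than {MAX_VARS} names configured"
        else:
            accepted.append(name)
    return {"accepted": accepted, "rejected": rejected}


def env_vars_from_event(event: dict) -> dict:
    """Extract captured env vars from a process event as a name->value dict.

    Reads process.env_vars (assumed to be a list of "NAME=value" strings) and
    splits on the first "=" only, so values that themselves contain "=" stay
    intact.
    """
    entries = event.get("process", {}).get("env_vars", [])
    result = {}
    for entry in entries:
        name, sep, value = entry.partition("=")
        if sep:
            result[name] = value
    return result


def expected_but_missing(configured: list, event: dict) -> list:
    """Configured names that are absent from the event.

    A name can be absent because the process did not have it set, or because
    its value exceeded MAX_VALUE_LEN and was silently ignored. Either way, a
    detection that relies on that variable sees nothing, so this is the gap
    worth knowing about when tuning a rule on process.env_vars.
    """
    captured = env_vars_from_event(event)
    return [n for n in configured if n not in captured]


# Constructed sample event: PATH and USER were captured, HOME was not.
SAMPLE_EVENT = json.loads("""
{
  "event": {"category": ["process"], "type": ["start"]},
  "process": {
    "name": "bash",
    "env_vars": ["PATH=/usr/local/bin:/usr/bin:/bin", "USER=alice"]
  }
}
""")


if __name__ == "__main__":
    setting = "PATH,USER,HOME"
    checked = parse_capture_setting(setting)
    print("setting check:", checked)
    print("captured:", env_vars_from_event(SAMPLE_EVENT))
    print("missing:", expected_but_missing(checked["accepted"], SAMPLE_EVENT))
```

Run the check on the exact string you intend to paste into the policy; anything listed under "rejected" would be dropped without a warning in the UI, which is why the validation is worth doing before clicking Save.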