Capture environment variables

edit

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

You can configure an Elastic Defend policy to capture up to five environment variables (env vars).

  • Env var names must be no more than 63 characters, and env var values must be no more than 1023 characters. Values outside these limits are silently ignored.
  • Env var names are case sensitive.

To set up environment variable capture for an Elastic Agent policy:

  1. Go to Assets → Fleet → Agent policies.
  2. Select an Elastic Agent policy, then the associated Elastic Defend policy.
  3. Go to the Settings tab, then scroll to the bottom and click Show advanced settings.
  4. Scroll down or search for linux.advanced.capture_env_vars, or mac.advanced.capture_env_vars.
  5. Enter the names of env vars you want to capture, separated by commas. For example: PATH,USER
  6. Click Save.
The "linux.advanced.capture_env_vars" advanced agent policy setting
Find captured environment variables
edit

Captured environment variables are associated with process events, and appear in each event’s process.env_vars field.

To view environment variables in the Events table:

  1. Click the Events tab on the Hosts, Network, or Users pages (Explore), then click Fields in the Events table.
  2. Search for the process.env_vars field, select it, and click Close. A new column appears containing captured environment variable data.
The Events table with the "process.env_vars" column highlighted