add_process_metadata can't create ECS-compliant parent fields #29874

adriansr · 2022-01-17T14:22:49Z

A common usage of the add_process_metadata processor:

- add_process_metadata:
      match_pids: [some_ppid_field]
      target: process.parent

One would expect that the following fields are created:

"process": {
  "parent": {
    "pid": "1234"
    "name": "parent_process",
    [...]
  }
}

However, the add_process_metadata processor always nests fields in a "process" group inside the given target:

"process": {
  "parent": {
    "process": {
      "pid": "1234"
      "name": "parent_process",
      [...]
    }
  }
}

... which leads to non-ECS compliant fields process.parent.process.name instead of process.parent.name.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2022-01-17T14:22:51Z

Pinging @elastic/integrations (Team:Integrations)

elasticmachine · 2022-01-17T14:22:51Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

adriansr added bug Team:Integrations Label for the Integrations team breaking change Team:Security-External Integrations 8.0-candidate labels Jan 17, 2022

efd6 self-assigned this Mar 8, 2022

efd6 mentioned this issue Mar 8, 2022

libbeat/processors/add_process_metadata: place parent process information directly in parent object #30727

Merged

7 tasks

efd6 closed this as completed in #30727 Mar 8, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add_process_metadata can't create ECS-compliant parent fields #29874

add_process_metadata can't create ECS-compliant parent fields #29874

adriansr commented Jan 17, 2022

elasticmachine commented Jan 17, 2022

elasticmachine commented Jan 17, 2022

add_process_metadata can't create ECS-compliant parent fields #29874

add_process_metadata can't create ECS-compliant parent fields #29874

Comments

adriansr commented Jan 17, 2022

elasticmachine commented Jan 17, 2022

elasticmachine commented Jan 17, 2022