[Auditbeat] Session view showing uid of Linux user initiated the session instead of user name

Open nick-alayil opened this issue 10 months ago • 1 comments

When using the new processor add_session_metadata with the auditd module of Auditbeat, it appears the session viewer is only showing the uid of the Linux user who initiated the session instead of the user name, as shown below.

Screenshot 2024-04-29 at 12 45 02 PM

My assumption is that the add_session_metadata processor is not setting/adding the process.entry_leader.user.name field, and that leads to the above situation. It is interesting to note that the event doc already includes another field labeled user.name, which accurately displays the user's name.

For whatever reason, root sessions seem to be showing correctly, though.

Screenshot 2024-04-29 at 12 45 36 PM

For confirmed bugs, please report:

  • Version: 8.14 BC1
  • Operating System: Amazon Linux release 2023.4.20240416 (Amazon Linux)
  • Discuss Forum URL:
  • Steps to Reproduce: Follow the steps mentioned in this PR, ssh to the instance as ec2-user/any local Linux user, and verify the session view for the corresponding session in Kibana

nick-alayil, Apr 30 '24 00:04
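One way to check the assumption in the report against exported events, as an added example (not part of the original issue and not Elastic's code): it groups NDJSON events by session and lists sessions whose entry leader carries a user id but no process.entry_leader.user.name. The sample events are constructed, and the process.entry_leader.entity_id and process.entry_leader.user.id field names are assumed from ECS rather than taken from this page.

```python
import json
from collections import defaultdict

# Constructed sample events (not real Auditbeat output): one ec2-user session
# without the entry leader's user.name, one root session with it.
SAMPLE = [
    '{"user":{"id":"1000","name":"ec2-user"},"process":{"name":"bash","entry_leader":{"entity_id":"sess-A","user":{"id":"1000"}}}}',
    '{"user":{"id":"1000","name":"ec2-user"},"process":{"name":"ls","entry_leader":{"entity_id":"sess-A","user":{"id":"1000"}}}}',
    '{"user":{"id":"0","name":"root"},"process":{"name":"bash","entry_leader":{"entity_id":"sess-B","user":{"id":"0","name":"root"}}}}',
]

def field(doc, path):
    """Return a dotted ECS field from a nested or flattened event, else None."""
    if path in doc:  # flattened export, e.g. {"user.name": "..."}
        return doc[path]
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def sessions_missing_leader_name(ndjson_lines):
    """Map session id -> details for sessions whose entry leader has user.id
    but never user.name. event_user_names holds the event-level user.name
    values seen; they are a hint only, since an event's user can differ from
    the session's entry leader (for example after sudo)."""
    sessions = defaultdict(lambda: {"uid": None, "named": False, "event_names": set()})
    for line in ndjson_lines:
        if not line.strip():
            continue
        doc = json.loads(line)
        sid = field(doc, "process.entry_leader.entity_id")
        if sid is None:
            continue  # event carries no session metadata
        s = sessions[sid]
        uid = field(doc, "process.entry_leader.user.id")
        if uid is not None:
            s["uid"] = str(uid)  # explicit None check so uid 0 is not dropped
        if field(doc, "process.entry_leader.user.name"):
            s["named"] = True
        name = field(doc, "user.name")
        if name:
            s["event_names"].add(name)
    return {sid: {"uid": s["uid"], "event_user_names": sorted(s["event_names"])}
            for sid, s in sessions.items()
            if s["uid"] is not None and not s["named"]}
```
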

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

elasticmachine, Apr 30 '24 00:04