[Auditbeat] Session view showing uid of Linux user initiated the session instead of user name #39282

Closed
nick-alayil opened this issue Apr 30, 2024 · 1 comment · Fixed by #39537
Labels: Auditbeat, Team:Security-Linux Platform (Linux Platform Team in Security Solution)

Comments

@nick-alayil

When using the new processor add_session_metadata with the auditd module of Auditbeat, it appears the session viewer is only showing the uid of the Linux user who initiated the session instead of the user name, as shown below.

Screenshot 2024-04-29 at 12 45 02 PM

My assumption is that the add_session_metadata processor is not setting/adding the process.entry_leader.user.name field, and that leads to the above situation. It is interesting to note that the event doc already includes another field labeled user.name, which accurately displays the user's name.

For whatever reason, root sessions seem to be showing correctly though.

Screenshot 2024-04-29 at 12 45 36 PM

For confirmed bugs, please report:

  • Version: 8.14 BC1
  • Operating System: Amazon Linux release 2023.4.20240416 (Amazon Linux)
  • Discuss Forum URL:
  • Steps to Reproduce: Follow the steps mentioned in this PR, ssh to the instance as ec2-user/any local Linux user, and verify the session view for the corresponding session in Kibana
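
A check for the symptom reported above, as an added example that is not part of the original issue or the Auditbeat code base: it scans exported event documents for entry leaders that carry a user id but no process.entry_leader.user.name. The process.entry_leader.user.id field, the uid values and the sample documents are assumptions constructed for illustration.

```python
from collections import defaultdict


def get_field(doc, dotted):
    """Read an ECS field from a nested doc ({"process": {...}}) or a
    flattened one ({"process.entry_leader.user.id": ...})."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def find_unnamed_entry_leaders(docs):
    """Return {uid: [event-level user.name values]} for documents whose
    entry leader has a user id but no (or an empty) user name."""
    gaps = defaultdict(set)
    for doc in docs:
        uid = get_field(doc, "process.entry_leader.user.id")
        name = get_field(doc, "process.entry_leader.user.name")
        if uid is None or name:
            continue  # no session metadata at all, or the name is present
        # The event-level user.name is only a hint: it names the user of the
        # event's own process, which can differ from the session's entry leader.
        hint = get_field(doc, "user.name")
        gaps[str(uid)].update([hint] if hint else [])
    return {uid: sorted(names) for uid, names in gaps.items()}


# Constructed sample documents (not captured from a real deployment).
SAMPLE_DOCS = [
    {"user": {"name": "ec2-user"},
     "process": {"entry_leader": {"user": {"id": "1000"}}}},
    {"user": {"name": "root"},
     "process": {"entry_leader": {"user": {"id": "0", "name": "root"}}}},
    {"user.name": "ec2-user", "process.entry_leader.user.id": "1000"},
    {"user": {"name": "ec2-user"}, "process": {"name": "ls"}},
]

if __name__ == "__main__":
    for uid, names in find_unnamed_entry_leaders(SAMPLE_DOCS).items():
        print(f"entry leader uid {uid} has no user.name; event user.name seen: {names}")
```
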
@botelastic bot added the needs_team label (Indicates that the issue/PR needs a Team:* label) on Apr 30, 2024
@nick-alayil added the Team:Security-Linux Platform label (Linux Platform Team in Security Solution) on Apr 30, 2024
@elasticmachine
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic bot removed the needs_team label (Indicates that the issue/PR needs a Team:* label) on Apr 30, 2024
@mjwolf self-assigned this on May 9, 2024