diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
index a4646b6b6685..a01c80643256 100644
--- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
+++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
@@ -26,8 +26,10 @@ import (
 )
 
 const (
-	processorName = "add_session_metadata"
-	logName       = "processor." + processorName
+	processorName     = "add_session_metadata"
+	logName           = "processor." + processorName
+	procfsType        = "procfs"
+	kernelTracingType = "kernel_tracing"
 )
 
 // InitializeModule initializes this module.
@@ -36,13 +38,14 @@ func InitializeModule() {
 }
 
 type addSessionMetadata struct {
-	ctx      context.Context
-	cancel   context.CancelFunc
-	config   config
-	logger   *logp.Logger
-	db       *processdb.DB
-	provider provider.Provider
-	backend  string
+	ctx          context.Context
+	cancel       context.CancelFunc
+	config       config
+	logger       *logp.Logger
+	db           *processdb.DB
+	provider     provider.Provider
+	backend      string
+	providerType string
 }
 
 func New(cfg *cfg.C) (beat.Processor, error) {
@@ -61,51 +64,56 @@ func New(cfg *cfg.C) (beat.Processor, error) {
 		return nil, fmt.Errorf("failed to create DB: %w", err)
 	}
 
-	if c.Backend != "kernel_tracing" {
-		backfilledPIDs := db.ScrapeProcfs()
-		logger.Infof("backfilled %d processes", len(backfilledPIDs))
-	}
-
 	var p provider.Provider
+	var pType string
 
 	switch c.Backend {
 	case "auto":
 		p, err = kerneltracingprovider.NewProvider(ctx, logger)
 		if err != nil {
 			// Most likely cause of error is not supporting ebpf or kprobes on system, try procfs
+			backfilledPIDs := db.ScrapeProcfs()
+			logger.Infof("backfilled %d processes", len(backfilledPIDs))
 			p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
 			if err != nil {
 				cancel()
 				return nil, fmt.Errorf("failed to create provider: %w", err)
 			}
 			logger.Info("backend=auto using procfs")
+			pType = procfsType
 		} else {
 			logger.Info("backend=auto using kernel_tracing")
+			pType = kernelTracingType
 		}
 	case "procfs":
+		backfilledPIDs := db.ScrapeProcfs()
+		logger.Infof("backfilled %d processes", len(backfilledPIDs))
 		p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
 		if err != nil {
 			cancel()
 			return nil, fmt.Errorf("failed to create procfs provider: %w", err)
 		}
+		pType = procfsType
 	case "kernel_tracing":
 		p, err = kerneltracingprovider.NewProvider(ctx, logger)
 		if err != nil {
 			cancel()
 			return nil, fmt.Errorf("failed to create kernel_tracing provider: %w", err)
 		}
+		pType = kernelTracingType
 	default:
 		cancel()
 		return nil, fmt.Errorf("unknown backend configuration")
 	}
 	return &addSessionMetadata{
-		ctx:      ctx,
-		cancel:   cancel,
-		config:   c,
-		logger:   logger,
-		db:       db,
-		provider: p,
-		backend:  c.Backend,
+		ctx:          ctx,
+		cancel:       cancel,
+		config:       c,
+		logger:       logger,
+		db:           db,
+		provider:     p,
+		backend:      c.Backend,
+		providerType: pType,
 	}, nil
 }
 
@@ -161,7 +169,7 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 	}
 
 	var fullProcess types.Process
-	if p.backend == "kernel_tracing" {
+	if p.providerType == kernelTracingType {
 		// kernel_tracing doesn't enrich with the processor DB;  process info is taken directly from quark cache
 		proc, err := p.provider.GetProcess(pid)
 		if err != nil {