process.yml
# HEADS UP
# This field set supports capturing the parent process (one level).
#
# Doing so via normal reuse/nesting is tricky mainly because it's reused as a
# different name: the "process" field set is nested as "parent".
# This is the only occurrence of this in ECS, so it's not supported.
#
# The workaround is to simply duplicate each field to generate the "parent.*"
# equivalent of each "process.*" field. Please maintain each duplicate exactly as
# the main field (e.g. same wording & example), as if it was normal nesting.
#
# Each such duplicated field for the parent process is directly below the original
# field, which will hopefully help maintain this until a better solution is in place.
---
- name: process
  title: Process
  group: 2
  short: These fields contain information about a process.
  description: >
    These fields contain information about a process.
    These fields can help you correlate metrics information with a process id/name
    from a log message. The `process.pid` often stays in the metric itself and is
    copied to the global field for correlation.
  type: group
  fields:
    - name: pid
      format: string
      level: core
      type: long
      description: >
        Process id.
      example: 4242
    - name: parent.pid
      format: string
      level: core
      type: long
      description: >
        Process id.
      example: 4242
    - name: name
      level: extended
      type: keyword
      short: Process name.
      description: >
        Process name.
        Sometimes called program name or similar.
      example: ssh
      multi_fields:
        - type: text
          name: text
    - name: parent.name
      level: extended
      type: keyword
      short: Process name.
      description: >
        Process name.
        Sometimes called program name or similar.
      example: ssh
      multi_fields:
        - type: text
          name: text
    - name: ppid
      format: string
      level: extended
      type: long
      description: >
        Parent process' pid.
      example: 4241
    - name: parent.ppid
      format: string
      level: extended
      type: long
      description: >
        Parent process' pid.
      example: 4241
    - name: pgid
      format: string
      level: extended
      type: long
      description: >
        Identifier of the group of processes the process belongs to.
    - name: parent.pgid
      format: string
      level: extended
      type: long
      description: >
        Identifier of the group of processes the process belongs to.
    - name: command_line
      level: extended
      type: keyword
      short: Full command line that started the process.
      description: >
        Full command line that started the process, including the absolute path
        to the executable, and all arguments.
        Some arguments may be filtered to protect sensitive information.
      example: "/usr/bin/ssh -l user 10.0.0.16"
      multi_fields:
        - type: text
          name: text
    - name: parent.command_line
      level: extended
      type: keyword
      short: Full command line that started the process.
      description: >
        Full command line that started the process, including the absolute path
        to the executable, and all arguments.
        Some arguments may be filtered to protect sensitive information.
      example: "/usr/bin/ssh -l user 10.0.0.16"
      multi_fields:
        - type: text
          name: text
    - name: args
      level: extended
      type: keyword
      short: Array of process arguments.
      description: >
        Array of process arguments, starting with the absolute path to the executable.
        May be filtered to protect sensitive information.
      example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
    - name: parent.args
      level: extended
      type: keyword
      short: Array of process arguments.
      description: >
        Array of process arguments.
        May be filtered to protect sensitive information.
      example: ["ssh", "-l", "user", "10.0.0.16"]
    - name: args_count
      level: extended
      type: long
      short: Length of the process.args array.
      description: >
        Length of the process.args array.
        This field can be useful for querying or performing bucket analysis on
        how many arguments were provided to start a process.
        More arguments may be an indication of suspicious activity.
      example: 4
    - name: parent.args_count
      level: extended
      type: long
      short: Length of the process.args array.
      description: >
        Length of the process.args array.
        This field can be useful for querying or performing bucket analysis on
        how many arguments were provided to start a process.
        More arguments may be an indication of suspicious activity.
      example: 4
    - name: executable
      level: extended
      type: keyword
      description: >
        Absolute path to the process executable.
      example: /usr/bin/ssh
      multi_fields:
        - type: text
          name: text
    - name: parent.executable
      level: extended
      type: keyword
      description: >
        Absolute path to the process executable.
      example: /usr/bin/ssh
      multi_fields:
        - type: text
          name: text
    - name: title
      level: extended
      type: keyword
      short: Process title.
      description: >
        Process title.
        The proctitle, sometimes the same as process name. Can also be different:
        for example a browser setting its title to the web page currently opened.
      multi_fields:
        - type: text
          name: text
    - name: parent.title
      level: extended
      type: keyword
      short: Process title.
      description: >
        Process title.
        The proctitle, sometimes the same as process name. Can also be different:
        for example a browser setting its title to the web page currently opened.
      multi_fields:
        - type: text
          name: text
    - name: thread.id
      format: string
      level: extended
      type: long
      example: 4242
      description: >
        Thread ID.
    - name: parent.thread.id
      format: string
      level: extended
      type: long
      example: 4242
      description: >
        Thread ID.
    - name: thread.name
      level: extended
      type: keyword
      example: 'thread-0'
      description: >
        Thread name.
    - name: parent.thread.name
      level: extended
      type: keyword
      example: 'thread-0'
      description: >
        Thread name.
    - name: start
      level: extended
      type: date
      example: "2016-05-23T08:05:34.853Z"
      description: >
        The time the process started.
    - name: parent.start
      level: extended
      type: date
      example: "2016-05-23T08:05:34.853Z"
      description: >
        The time the process started.
    - name: uptime
      level: extended
      type: long
      example: 1325
      description: >
        Seconds the process has been up.
    - name: parent.uptime
      level: extended
      type: long
      example: 1325
      description: >
        Seconds the process has been up.
    - name: working_directory
      level: extended
      type: keyword
      example: /home/alice
      description: >
        The working directory of the process.
      multi_fields:
        - type: text
          name: text
    - name: parent.working_directory
      level: extended
      type: keyword
      example: /home/alice
      description: >
        The working directory of the process.
      multi_fields:
        - type: text
          name: text
    - name: exit_code
      level: extended
      type: long
      example: 137
      short: The exit code of the process.
      description: >
        The exit code of the process, if this is a termination event.
        The field should be absent if there is no exit code for the event (e.g.
        process start).
    - name: parent.exit_code
      level: extended
      type: long
      example: 137
      short: The exit code of the process.
      description: >
        The exit code of the process, if this is a termination event.
        The field should be absent if there is no exit code for the event (e.g.
        process start).
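The header comment asks that every `parent.*` duplicate be kept identical to its `process.*` original. The following is an added checker (example code, not part of ECS or its tooling) that enforces that invariant over the parsed field list; it runs here on a constructed subset of the fields above, and `load_fields` (which assumes PyYAML is installed) lets it run over the real file. Note that the `args` / `parent.args` pair above already differs in description and example, which the checker reports.

```python
# Added example, not ECS code: verify that each parent.X field mirrors X exactly,
# as the HEADS UP comment at the top of process.yml requires.
from typing import Dict, List

# Keys compared between a field and its parent.* twin. "name" is excluded
# because it differs by design (X vs parent.X). Constructed for this example.
MIRRORED_KEYS = ("format", "level", "type", "short", "description", "example", "multi_fields")


def find_parent_mismatches(fields: List[Dict]) -> Dict[str, List[str]]:
    """Return {field_name: [keys that differ]} for every process.* field whose
    parent.* duplicate is not identical. A field with no parent.* twin is
    reported with the single marker key "<missing>"."""
    by_name = {f["name"]: f for f in fields}
    mismatches: Dict[str, List[str]] = {}
    for name, field in by_name.items():
        if name.startswith("parent."):
            continue
        twin = by_name.get("parent." + name)
        if twin is None:
            mismatches[name] = ["<missing>"]
            continue
        bad = [k for k in MIRRORED_KEYS if field.get(k) != twin.get(k)]
        if bad:
            mismatches[name] = bad
    return mismatches


def load_fields(path: str) -> List[Dict]:
    """Load the 'fields' list from a real ECS field-set file (needs PyYAML)."""
    import yaml  # assumption: PyYAML available; only imported when a file is checked
    with open(path) as fh:
        return yaml.safe_load(fh)[0]["fields"]


# Constructed subset of the field set above, reduced to the keys compared here.
SAMPLE_FIELDS = [
    {"name": "pid", "format": "string", "level": "core", "type": "long",
     "description": "Process id.", "example": 4242},
    {"name": "parent.pid", "format": "string", "level": "core", "type": "long",
     "description": "Process id.", "example": 4242},
    {"name": "args", "level": "extended", "type": "keyword", "short": "Array of process arguments.",
     "description": "Array of process arguments, starting with the absolute path to the executable.",
     "example": ["/usr/bin/ssh", "-l", "user", "10.0.0.16"]},
    {"name": "parent.args", "level": "extended", "type": "keyword", "short": "Array of process arguments.",
     "description": "Array of process arguments.", "example": ["ssh", "-l", "user", "10.0.0.16"]},
    {"name": "uptime", "level": "extended", "type": "long", "example": 1325,
     "description": "Seconds the process has been up."},  # no parent.uptime in this subset
]

if __name__ == "__main__":
    for name, keys in find_parent_mismatches(SAMPLE_FIELDS).items():
        print(f"{name}: parent.{name} differs in {', '.join(keys)}")
```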