forked from elastic/ecs
process.yml
# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: process
  title: Process
  group: 2
  short: These fields contain information about a process.
  description: >
    These fields contain information about a process.

    These fields can help you correlate metrics information with a process id/name
    from a log message. The `process.pid` often stays in the metric itself and is
    copied to the global field for correlation.
  type: group
  reusable:
    top_level: true
    expected:
      - at: process
        as: parent
        short_override: Information about the parent process.
  fields:

    - name: pid
      format: string
      level: core
      type: long
      description: >
        Process id.
      example: 4242

    - name: entity_id
      level: extended
      type: keyword
      short: Unique identifier for the process.
      description: >
        Unique identifier for the process.

        The implementation of this is specified by the data source, but some
        examples of what could be used here are a process-generated UUID,
        Sysmon Process GUIDs, or a hash of some uniquely identifying components
        of a process.

        Constructing a globally unique identifier is a common practice to mitigate
        PID reuse as well as to identify a specific process over time, across multiple
        monitored hosts.
      example: c2c455d9f99375d

    - name: name
      level: extended
      type: keyword
      short: Process name.
      description: >
        Process name.

        Sometimes called program name or similar.
      example: ssh
      multi_fields:
        - type: match_only_text
          name: text

    - name: pgid
      format: string
      level: extended
      type: long
      description: >
        Identifier of the group of processes the process belongs to.

    - name: command_line
      level: extended
      type: wildcard
      short: Full command line that started the process.
      description: >
        Full command line that started the process, including the absolute path
        to the executable, and all arguments.

        Some arguments may be filtered to protect sensitive information.
      example: "/usr/bin/ssh -l user 10.0.0.16"
      multi_fields:
        - type: match_only_text
          name: text

    - name: args
      level: extended
      type: keyword
      short: Array of process arguments.
      description: >
        Array of process arguments, starting with the absolute path to the executable.

        May be filtered to protect sensitive information.
      example: "[\"/usr/bin/ssh\", \"-l\", \"user\", \"10.0.0.16\"]"
      normalize:
        - array

    - name: args_count
      level: extended
      type: long
      short: Length of the process.args array.
      description: >
        Length of the process.args array.

        This field can be useful for querying or performing bucket analysis on
        how many arguments were provided to start a process.
        More arguments may be an indication of suspicious activity.
      example: 4

    - name: executable
      level: extended
      type: keyword
      description: >
        Absolute path to the process executable.
      example: /usr/bin/ssh
      multi_fields:
        - type: match_only_text
          name: text

    - name: title
      level: extended
      type: keyword
      short: Process title.
      description: >
        Process title.

        The proctitle, sometimes the same as process name. Can also be different:
        for example a browser setting its title to the web page currently opened.
      multi_fields:
        - type: match_only_text
          name: text

    - name: thread.id
      format: string
      level: extended
      type: long
      example: 4242
      description: >
        Thread ID.

    - name: thread.name
      level: extended
      type: keyword
      example: 'thread-0'
      description: >
        Thread name.

    - name: start
      level: extended
      type: date
      example: "2016-05-23T08:05:34.853Z"
      description: >
        The time the process started.

    - name: uptime
      level: extended
      type: long
      example: 1325
      description: >
        Seconds the process has been up.

    - name: working_directory
      level: extended
      type: keyword
      example: /home/alice
      description: >
        The working directory of the process.
      multi_fields:
        - type: match_only_text
          name: text

    - name: exit_code
      level: extended
      type: long
      example: 137
      short: The exit code of the process.
      description: >
        The exit code of the process, if this is a termination event.

        The field should be absent if there is no exit code for the event (e.g.
        process start).

    - name: end
      level: extended
      type: date
      example: "2016-05-23T08:05:34.853Z"
      description: >
        The time the process ended.
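Worked example, added here and not code from the ECS project: a small Python normalizer that fills the `process` fields defined above from a constructed raw process record, showing `args`/`args_count` normalization to an array, an `entity_id` built as a hash of host, PID and start time so it survives PID reuse, the same field set reused at `process.parent`, and `exit_code` left absent when the event is not a termination. The sensor record layout, the `shlex` splitting of the command line and the hash recipe are assumptions.

```python
"""Added example, not part of the ECS repository: normalize a constructed raw
process record into the ECS `process` fields defined above."""
import hashlib
import shlex

# Constructed sample input (hypothetical sensor output), not from ECS.
RAW_EVENT = {
    "host_id": "host-1234",
    "pid": 4242,
    "ppid": 1,
    "start": "2016-05-23T08:05:34.853Z",
    "cmdline": "/usr/bin/ssh -l user 10.0.0.16",
    "parent_cmdline": "/sbin/init",
    "parent_start": "2016-05-23T08:00:00.000Z",
}

def entity_id(host_id: str, pid: int, start: str) -> str:
    """process.entity_id as a hash of uniquely identifying components.
    Mixing host, PID and start time defeats PID reuse: a later process with
    the same PID has a different start time and therefore a different id.
    Truncated to 15 hex chars to match the schema's example length."""
    return hashlib.sha256(f"{host_id}|{pid}|{start}".encode()).hexdigest()[:15]

def process_fields(cmdline: str, pid: int, start: str, host_id: str) -> dict:
    """Fields shared by process and process.parent (the reusable group)."""
    # Assumption: the sensor gives a shell-style string; shlex recovers argv.
    # process.args is normalized to an array and args_count is its length.
    args = shlex.split(cmdline)
    return {
        "pid": pid,  # type long; `format: string` only affects display
        "entity_id": entity_id(host_id, pid, start),
        "name": args[0].rsplit("/", 1)[-1],  # program name without the path
        "executable": args[0],  # absolute path, first element of args
        "command_line": cmdline,
        "args": args,
        "args_count": len(args),
        "start": start,
    }

def to_ecs(raw: dict) -> dict:
    proc = process_fields(raw["cmdline"], raw["pid"], raw["start"], raw["host_id"])
    proc["parent"] = process_fields(
        raw["parent_cmdline"], raw["ppid"], raw["parent_start"], raw["host_id"])
    # exit_code must be absent (not null) unless this is a termination event
    if raw.get("exit_code") is not None:
        proc["exit_code"] = raw["exit_code"]
    return {"process": proc}
```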