diff --git a/.chloggen/process-fields.yaml b/.chloggen/process-fields.yaml new file mode 100755 index 0000000000..d04194ef99 --- /dev/null +++ b/.chloggen/process-fields.yaml @@ -0,0 +1,4 @@ +change_type: enhancement +component: process +note: Add additional process fields from ECS +issues: [0] diff --git a/docs/attributes-registry/process.md b/docs/attributes-registry/process.md index 0d0e005b66..fc3a9588cd 100644 --- a/docs/attributes-registry/process.md +++ b/docs/attributes-registry/process.md @@ -8,6 +8,7 @@ | Attribute | Type | Description | Examples | Stability | |---|---|---|---|---| +| `process.args_count` | int | Length of the process.command_args array [1] | `4` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `process.command` | string | The command used to launch the process (i.e. the command name). On Linux based systems, can be set to the zeroth string in `proc/[pid]/cmdline`. On Windows, can be set to the first parameter extracted from `GetCommandLineW`. | `cmd/otelcol` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `process.command_args` | string[] | All the command arguments (including the command/executable itself) as received by the process. On Linux-based systems (and some other Unixoid systems supporting procfs), can be set according to the list of null-delimited strings extracted from `proc/[pid]/cmdline`. For libc-based executables, this would be the full argv vector passed to `main`. | `[cmd/otecol, --config=config.yaml]` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `process.command_line` | string | The full command used to launch the process as a single string representing the full command. On Windows, can be set to the result of `GetCommandLineW`. Do not set this if you have to assemble it just for monitoring; use `process.command_args` instead. | `C:\cmd\otecol --config="my directory\config.yaml"` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | 
@@ -29,9 +30,16 @@ | `process.saved_user.id` | int | The saved user ID (SUID) of the process. | `1002` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `process.saved_user.name` | string | The username of the saved user. | `operator` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `process.session_leader.pid` | int | The PID of the process's session leader. This is also the session ID (SID) of the process. | `14` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `process.title` | string | Process title [2] | `cat /etc/hostname` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `process.uptime` | int | Seconds the process has been up. | `2880` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `process.user.id` | int | The effective user ID (EUID) of the process. | `1001` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | | `process.user.name` | string | The username of the effective user of the process. | `root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -| `process.vpid` | int | Virtual process identifier. [1] | `12` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `process.vpid` | int | Virtual process identifier. [3] | `12` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | +| `process.working_directory` | string | The working directory of the process. | `/root` | ![Experimental](https://img.shields.io/badge/-experimental-blue) | -**[1]:** The process ID within a PID namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. +**[1]:** This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. + +**[2]:** The proctitle, some times the same as process name. 
Can also be different, for example, a browser setting its title to the web page currently opened. + +**[3]:** The process ID within a PID namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within. diff --git a/model/registry/process.yaml b/model/registry/process.yaml index bccb070551..93ad82459f 100644 --- a/model/registry/process.yaml +++ b/model/registry/process.yaml @@ -84,6 +84,16 @@ groups: null-delimited strings extracted from `proc/[pid]/cmdline`. For libc-based executables, this would be the full argv vector passed to `main`. examples: ['cmd/otecol', '--config=config.yaml'] + - id: args_count + type: int + stability: experimental + brief: > + Length of the process.command_args array + note: > + This field can be useful for querying or performing bucket analysis on how many + arguments were provided to start a process. More arguments may be an indication + of suspicious activity. + examples: [4] - id: owner type: string stability: experimental @@ -147,6 +157,15 @@ groups: An additional description about the runtime of the process, for example a specific vendor customization of the runtime environment. examples: 'Eclipse OpenJ9 Eclipse OpenJ9 VM openj9-0.21.0' + - id: title + type: string + stability: experimental + brief: > + Process title + note: > + The proctitle, some times the same as process name. Can also be different, for + example, a browser setting its title to the web page currently opened. + examples: ["cat /etc/hostname"] - id: creation.time type: string stability: experimental 
@@ -165,8 +184,20 @@ groups: brief: > The exit code of the process. examples: [127] + - id: uptime + type: int + stability: experimental + brief: > + Seconds the process has been up. + examples: [2880] - id: interactive type: boolean stability: experimental brief: > Whether the process is connected to an interactive shell. + - id: working_directory + type: string + stability: experimental + brief: > + The working directory of the process. + examples: ["/root"]
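Review bot: in the `.chloggen/process-fields.yaml` hunk, `issues: [0]` is a placeholder rather than a real issue or PR number; the changelog tooling links each entry to the referenced issue, so fill in the actual number before merge. The file is also added with mode `100755`; a YAML changelog entry has no reason to carry the executable bit, so it should be `100644` like the other files in the patch.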
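Review bot: in the first `docs/attributes-registry/process.md` hunk, the new row `| `process.args_count` | int | Length of the process.command_args array [1] | ...` is the only description in the table that neither wraps the referenced attribute in backticks nor ends with a period; the neighbouring `process.command` and `process.command_args` rows do both. Since the table text mirrors the `brief` added to `model/registry/process.yaml` later in this patch, the wording should be fixed at the YAML source so the two stay in sync.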
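Review bot: in the second `docs/attributes-registry/process.md` hunk, footnote `**[2]:**` has a typo (`some times` should be `sometimes`), and footnote `**[1]:**` ends with `More arguments may be an indication of suspicious activity.`, which is a detection heuristic rather than a definition of the attribute; the other footnotes in this table (for example `[3]` on `process.vpid`) describe what the value is and how it is scoped. Either drop that sentence or reword it as a use case ("useful for bucketing how many arguments a process was started with"), again at the YAML source since the docs mirror it.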
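Review bot: in the `@@ -84,6 +84,16 @@` hunk of `model/registry/process.yaml`, `args_count` is defined as `Length of the process.command_args array` but nothing states how the two attributes relate when both are set. Because the count is fully derivable from `process.command_args`, the `note` should say that when `process.command_args` is present the two SHOULD agree, and that `args_count` exists for the case where the full argument list is not collected; otherwise consumers can receive inconsistent data. The `brief` also lacks backticks around `process.command_args` and a terminating period, unlike the surrounding briefs.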
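Review bot: in the `@@ -147,6 +157,15 @@` hunk, the `title` note has the typo `some times` (should be `sometimes`), and the example `"cat /etc/hostname"` is indistinguishable from what `process.command_line` would hold for the same process. The note should say how `process.title` differs from `process.command_line` (a process can rewrite its title at runtime, as the browser example suggests) and when an instrumentation should populate it, so that implementers do not simply copy the command line into both attributes.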
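Review bot: in the `@@ -165,8 +184,20 @@` hunk, `uptime` (`Seconds the process has been up.`) is a point-in-time measurement that is stale the moment it is recorded, while the registry already carries `process.creation.time` (visible as context at the end of the previous hunk), from which uptime can be computed against the observation timestamp. Consider dropping `uptime` or documenting why both are needed; if it stays, the `brief` should state that the value is relative to the time the attribute was captured. For `working_directory`, a short note on the platform source, in the style of the `proc/[pid]/cmdline` hint on `process.command` (on Linux the current working directory is exposed as the `/proc/[pid]/cwd` symlink), would help implementers set it consistently.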