Implement tty.char_device.major field to processes mapping (#583)
* Add tty char_device.major field to processes mapping

Update event generator to implement tty fields

* Update processes ecs documentation
QU3B1M authored Dec 9, 2024
1 parent 1dd7be5 commit 534a541
Showing 3 changed files with 33 additions and 19 deletions.
42 changes: 23 additions & 19 deletions ecs/docs/inventory-processes.md
@@ -8,24 +8,24 @@ Based on ECS:

- [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html).

| | Field name | Data type | Description | Examples | Comments |
| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- |
| | `agent.*` | object | All the agent fields. | ` |
| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | |
| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | |
| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | |
| | `process.name` | keyword | Process name. | `ssh` | |
| | `process.parent.pid` | long | Parent process ID. | `4242` | |
| | `process.pid` | long | Process ID. | `4242` | |
| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | |
| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
| ! | `process.thread.id` | long | Thread ID. | | `thread.group` is **not part of ECS;** but `thread.id` is. |
| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification |
| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | |
| | Field name | Data type | Description | Examples | Comments |
|----|---------------------------------| --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- |
| | `agent.*` | object | All the agent fields. | ` |
| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | |
| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | |
| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | |
| | `process.name` | keyword | Process name. | `ssh` | |
| | `process.parent.pid` | long | Parent process ID. | `4242` | |
| | `process.pid` | long | Process ID. | `4242` | |
| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | |
| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
| ! | `process.thread.id` | long | Thread ID. | | `thread.group` is **not part of ECS;** but `thread.id` is. |
| | `process.tty.char_device.major` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification |
| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | |

\* Custom field

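Review bot: the new `process.tty.char_device.major` row keeps the data type `object` and carries over the description and the `Needs clarification` comment from the `process.tty` row it replaces, but the field is a leaf holding the device's major number, and the event generator in this same commit fills it with `random.randint(0, 5)`, an integer. Set the data type to `long`, reword the description to say it is the major number of the controlling TTY's character device (the "belongs to an interactive session" semantics belong to the parent `process.tty` object), put a sample value in the Examples column, and either resolve the `Needs clarification` note or keep the `!` marker the old row had so the open question stays visible. While this table is being edited, the `agent.*` row in both versions is missing its Examples and Comments cells (a stray backtick), so it renders broken.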
@@ -50,7 +50,6 @@ Based on ECS:
| x | session | `process.session` | **No ECS mapping** | Session ID | | **Not part of ECS;** Needs clarification. |
| x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | | **Not part of ECS;** Needs clarification. |
| ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | | `thread.group` is **not part of ECS;** but `thread.id` is. |
| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification |
| x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | | No ECS field refers to the core number of the CPU. |

</p>
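Review bot: deleting the `tty` row removes the only place that recorded which collected field feeds the new target, while the table above now documents `process.tty.char_device.major`. Rather than dropping the row, keep a `tty` entry whose target column points at `process.tty.char_device.major` (with the `!` marker if the mapping is still open) so a reader can trace the new field back to the source `tty` value and the two tables stay consistent.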
@@ -106,6 +105,11 @@ fields:
thread:
fields:
id: ""
tty:
fields:
char_device:
fields:
major: ""
```
### Index settings
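Review bot: the `tty` block added here is a verbatim copy of the one added to `ecs/states-inventory-processes/fields/subset.yml` in this commit, so the two must now be changed in lockstep. If the docs snippet cannot be generated from the subset file, add a sentence above the fence stating that it mirrors that file, so a later edit to one is not silently missed in the other.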
@@ -152,6 +152,11 @@ def generate_random_process():
},
'user': {
'id': f'userid{random.randint(0, 9999)}'
},
'tty': {
'char_device': {
'major': random.randint(0, 5)
}
}
}
return process
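Review bot: emitting `'tty'` unconditionally for every generated process contradicts the documented semantics in this same commit (the TTY block is present only when the process belongs to an interactive session), so consumers of the sample data never see a daemon-like process without a controlling terminal; build the `tty` object for only a subset of generated processes and omit the key otherwise. Also, `random.randint(0, 5)` produces values such as 0 and 1 that are not TTY character-device majors on Linux; drawing from realistic majors (for example `random.choice([4, 5, 136])`, covering `tty*`/`ttyS*`, `console`/`ptmx` and Unix98 `pts` devices per the kernel's device-number documentation) makes tests and dashboards keyed on this field behave as they will with real data.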
5 changes: 5 additions & 0 deletions ecs/states-inventory-processes/fields/subset.yml
@@ -45,3 +45,8 @@ fields:
thread:
fields:
id: ""
tty:
fields:
char_device:
fields:
major: ""

0 comments on commit 534a541
