Add process.command_line (#599)

CHANGELOG.next.md

@@ -15,10 +15,10 @@ Thanks, you're awesome :-) -->
 * Added `package.build_version`. #586
 * Added `package.type`. #587
 * Added `host.domain` field. #591
+* Added `process.command_line`. #599
 * Added `process.exit_code`. #600
 * Added fields in `tls.*` to support analysis of TLS protocol events. #606
 
-
 ### Improvements
 
 ### Deprecated

docs/field-details.asciidoc

@@ -2964,13 +2964,26 @@ These fields can help you correlate metrics information with a process id/name f
 // ===============================================================
 
 | process.args
-| Array of process arguments.
+| Array of process arguments, starting with the absolute path to the executable.
 
 May be filtered to protect sensitive information.
 
 type: keyword
 
-example: `['ssh', '-l', 'user', '10.0.0.16']`
+example: `['/usr/bin/ssh', '-l', 'user', '10.0.0.16']`
+
+| extended
+
+// ===============================================================
+
+| process.command_line
+| Full command line that started the process, including the absolute path to the executable, and all arguments.
+
+Some arguments may be filtered to protect sensitive information.
+
+type: keyword
+
+example: `/usr/bin/ssh -l user 10.0.0.16`
 
 | extended
 

generated/beats/fields.ecs.yml

@@ -2201,14 +2201,24 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: 'Array of process arguments.
+      description: 'Array of process arguments, starting with the absolute path to
+        the executable.
 
         May be filtered to protect sensitive information.'
       example:
-      - ssh
+      - /usr/bin/ssh
       - -l
       - user
       - 10.0.0.16
+    - name: command_line
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: 'Full command line that started the process, including the absolute
+        path to the executable, and all arguments.
+
+        Some arguments may be filtered to protect sensitive information.'
+      example: /usr/bin/ssh -l user 10.0.0.16
     - name: executable
       level: extended
       type: keyword

generated/csv/fields.csv

@@ -274,7 +274,8 @@ package.reference,keyword,extended,https://golang.org,1.2.0-dev
 package.size,long,extended,62231,1.2.0-dev
 package.type,keyword,extended,rpm,1.2.0-dev
 package.version,keyword,extended,1.12.9,1.2.0-dev
-process.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",1.2.0-dev
+process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",1.2.0-dev
+process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,1.2.0-dev
 process.executable,keyword,extended,/usr/bin/ssh,1.2.0-dev
 process.exit_code,long,extended,137,1.2.0-dev
 process.hash.md5,keyword,extended,,1.2.0-dev

generated/ecs/ecs_flat.yml

@@ -3121,29 +3121,43 @@ package.version:
   short: Package version
   type: keyword
 process.args:
-  description: 'Array of process arguments.
+  description: 'Array of process arguments, starting with the absolute path to the
+    executable.
 
     May be filtered to protect sensitive information.'
   example:
-  - ssh
+  - /usr/bin/ssh
   - -l
   - user
   - 10.0.0.16
   flat_name: process.args
   ignore_above: 1024
   level: extended
   name: args
-  order: 4
+  order: 5
   short: Array of process arguments.
   type: keyword
+process.command_line:
+  description: 'Full command line that started the process, including the absolute
+    path to the executable, and all arguments.
+
+    Some arguments may be filtered to protect sensitive information.'
+  example: /usr/bin/ssh -l user 10.0.0.16
+  flat_name: process.command_line
+  ignore_above: 1024
+  level: extended
+  name: command_line
+  order: 4
+  short: Full command line that started the process.
+  type: keyword
 process.executable:
   description: Absolute path to the process executable.
   example: /usr/bin/ssh
   flat_name: process.executable
   ignore_above: 1024
   level: extended
   name: executable
-  order: 5
+  order: 6
   short: Absolute path to the process executable.
   type: keyword
 process.exit_code:
@@ -3155,7 +3169,7 @@ process.exit_code:
   flat_name: process.exit_code
   level: extended
   name: exit_code
-  order: 12
+  order: 13
   short: The exit code of the process.
   type: long
 process.hash.md5:
@@ -3245,7 +3259,7 @@ process.start:
   flat_name: process.start
   level: extended
   name: start
-  order: 9
+  order: 10
   short: The time the process started.
   type: date
 process.thread.id:
@@ -3255,7 +3269,7 @@ process.thread.id:
   format: string
   level: extended
   name: thread.id
-  order: 7
+  order: 8
   short: Thread ID.
   type: long
 process.thread.name:
@@ -3265,7 +3279,7 @@ process.thread.name:
   ignore_above: 1024
   level: extended
   name: thread.name
-  order: 8
+  order: 9
   short: Thread name.
   type: keyword
 process.title:
@@ -3277,7 +3291,7 @@ process.title:
   ignore_above: 1024
   level: extended
   name: title
-  order: 6
+  order: 7
   short: Process title.
   type: keyword
 process.uptime:
@@ -3286,7 +3300,7 @@ process.uptime:
   flat_name: process.uptime
   level: extended
   name: uptime
-  order: 10
+  order: 11
   short: Seconds the process has been up.
   type: long
 process.working_directory:
@@ -3296,7 +3310,7 @@ process.working_directory:
   ignore_above: 1024
   level: extended
   name: working_directory
-  order: 11
+  order: 12
   short: The working directory of the process.
   type: keyword
 related.ip:

generated/ecs/ecs_nested.yml

@@ -3510,29 +3510,43 @@ process:
     copied to the global field for correlation.'
   fields:
     args:
-      description: 'Array of process arguments.
+      description: 'Array of process arguments, starting with the absolute path to
+        the executable.
 
         May be filtered to protect sensitive information.'
       example:
-      - ssh
+      - /usr/bin/ssh
       - -l
       - user
       - 10.0.0.16
       flat_name: process.args
       ignore_above: 1024
       level: extended
       name: args
-      order: 4
+      order: 5
       short: Array of process arguments.
       type: keyword
+    command_line:
+      description: 'Full command line that started the process, including the absolute
+        path to the executable, and all arguments.
+
+        Some arguments may be filtered to protect sensitive information.'
+      example: /usr/bin/ssh -l user 10.0.0.16
+      flat_name: process.command_line
+      ignore_above: 1024
+      level: extended
+      name: command_line
+      order: 4
+      short: Full command line that started the process.
+      type: keyword
     executable:
       description: Absolute path to the process executable.
       example: /usr/bin/ssh
       flat_name: process.executable
       ignore_above: 1024
       level: extended
       name: executable
-      order: 5
+      order: 6
       short: Absolute path to the process executable.
       type: keyword
     exit_code:
@@ -3544,7 +3558,7 @@ process:
       flat_name: process.exit_code
       level: extended
       name: exit_code
-      order: 12
+      order: 13
       short: The exit code of the process.
       type: long
     hash.md5:
@@ -3634,7 +3648,7 @@ process:
       flat_name: process.start
       level: extended
       name: start
-      order: 9
+      order: 10
       short: The time the process started.
       type: date
     thread.id:
@@ -3644,7 +3658,7 @@ process:
       format: string
       level: extended
       name: thread.id
-      order: 7
+      order: 8
       short: Thread ID.
       type: long
     thread.name:
@@ -3654,7 +3668,7 @@ process:
       ignore_above: 1024
       level: extended
       name: thread.name
-      order: 8
+      order: 9
       short: Thread name.
       type: keyword
     title:
@@ -3666,7 +3680,7 @@ process:
       ignore_above: 1024
       level: extended
       name: title
-      order: 6
+      order: 7
       short: Process title.
       type: keyword
     uptime:
@@ -3675,7 +3689,7 @@ process:
       flat_name: process.uptime
       level: extended
       name: uptime
-      order: 10
+      order: 11
       short: Seconds the process has been up.
       type: long
     working_directory:
@@ -3685,7 +3699,7 @@ process:
       ignore_above: 1024
       level: extended
       name: working_directory
-      order: 11
+      order: 12
       short: The working directory of the process.
       type: keyword
   group: 2

generated/elasticsearch/6/template.json

@@ -1293,6 +1293,10 @@
               "ignore_above": 1024, 
               "type": "keyword"
             }, 
+            "command_line": {
+              "ignore_above": 1024, 
+              "type": "keyword"
+            }, 
             "executable": {
               "ignore_above": 1024, 
               "type": "keyword"

generated/elasticsearch/7/template.json

@@ -1292,6 +1292,10 @@
             "ignore_above": 1024, 
             "type": "keyword"
           }, 
+          "command_line": {
+            "ignore_above": 1024, 
+            "type": "keyword"
+          }, 
           "executable": {
             "ignore_above": 1024, 
             "type": "keyword"

generated/legacy/template.json

@@ -916,6 +916,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "command_line": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "executable": {
               "ignore_above": 1024,
               "type": "keyword"

schema.json

@@ -2170,15 +2170,25 @@
     "description": "These fields contain information about a process.\nThese fields can help you correlate metrics information with a process id/name from a log message.  The `process.pid` often stays in the metric itself and is copied to the global field for correlation.\n", 
     "fields": {
       "process.args": {
-        "description": "Array of process arguments.\nMay be filtered to protect sensitive information.", 
-        "example": "['ssh', '-l', 'user', '10.0.0.16']", 
+        "description": "Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.", 
+        "example": "['/usr/bin/ssh', '-l', 'user', '10.0.0.16']", 
         "footnote": "", 
         "group": 2, 
         "level": "extended", 
         "name": "process.args", 
         "required": false, 
         "type": "keyword"
       }, 
+      "process.command_line": {
+        "description": "Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.", 
+        "example": "/usr/bin/ssh -l user 10.0.0.16", 
+        "footnote": "", 
+        "group": 2, 
+        "level": "extended", 
+        "name": "process.command_line", 
+        "required": false, 
+        "type": "keyword"
+      }, 
       "process.executable": {
         "description": "Absolute path to the process executable.", 
         "example": "/usr/bin/ssh",