diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index 5d69cec1b9..c3f4f2bec4 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -15,10 +15,10 @@ Thanks, you're awesome :-) --> * Added `package.build_version`. #586 * Added `package.type`. #587 * Added `host.domain` field. #591 +* Added `process.command_line`. #599 * Added `process.exit_code`. #600 * Added fields in `tls.*` to support analysis of TLS protocol events. #606 - ### Improvements ### Deprecated diff --git a/code/go/ecs/process.go b/code/go/ecs/process.go index 7ac77205e7..84e59dea4a 100644 --- a/code/go/ecs/process.go +++ b/code/go/ecs/process.go @@ -41,7 +41,13 @@ type Process struct { // Identifier of the group of processes the process belongs to. PGID int64 `ecs:"pgid"` - // Array of process arguments. + // Full command line that started the process, including the absolute path + // to the executable, and all arguments. + // Some arguments may be filtered to protect sensitive information. + CommandLine string `ecs:"command_line"` + + // Array of process arguments, starting with the absolute path to the + // executable. // May be filtered to protect sensitive information. Args []string `ecs:"args"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index c5c92587cb..8de9671ce3 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc 
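Review bot: The new `CommandLine` doc comment and the updated `Args` comment in the `process.go` hunk both say arguments "may be filtered to protect sensitive information", but neither states that the two fields must be redacted consistently; since `command_line` carries the same executable-plus-arguments content that `args` does, a producer that strips a secret from one field and not the other still leaks it. I would extend the `CommandLine` comment with `// Producers that redact sensitive arguments must apply the same redaction to command_line and args; the two fields carry the same data.` It would also help detection authors to say whether `command_line` is the raw string as observed on the host or a reconstruction joined from `args`, because quoting and whitespace handling differ between the two and rules matching on one will not necessarily match the other. The enclosing `Process` struct begins before this hunk and continues after it.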
@@ -2964,13 +2964,26 @@ These fields can help you correlate metrics information with a process id/name f // =============================================================== | process.args -| Array of process arguments. +| Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. type: keyword -example: `['ssh', '-l', 'user', '10.0.0.16']` +example: `['/usr/bin/ssh', '-l', 'user', '10.0.0.16']` + +| extended + +// =============================================================== + +| process.command_line +| Full command line that started the process, including the absolute path to the executable, and all arguments. + +Some arguments may be filtered to protect sensitive information. + +type: keyword + +example: `/usr/bin/ssh -l user 10.0.0.16` | extended diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index e35d06200c..6b13493a8d 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2201,14 +2201,24 @@ level: extended type: keyword ignore_above: 1024 - description: 'Array of process arguments. + description: 'Array of process arguments, starting with the absolute path to + the executable. May be filtered to protect sensitive information.' example: - - ssh + - /usr/bin/ssh - -l - user - 10.0.0.16 + - name: command_line + level: extended + type: keyword + ignore_above: 1024 + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 - name: executable level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index ac7f51a037..5c8871685e 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv 
@@ -274,7 +274,8 @@ package.reference,keyword,extended,https://golang.org,1.2.0-dev package.size,long,extended,62231,1.2.0-dev package.type,keyword,extended,rpm,1.2.0-dev package.version,keyword,extended,1.12.9,1.2.0-dev -process.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",1.2.0-dev +process.args,keyword,extended,"['/usr/bin/ssh', '-l', 'user', '10.0.0.16']",1.2.0-dev +process.command_line,keyword,extended,/usr/bin/ssh -l user 10.0.0.16,1.2.0-dev process.executable,keyword,extended,/usr/bin/ssh,1.2.0-dev process.exit_code,long,extended,137,1.2.0-dev process.hash.md5,keyword,extended,,1.2.0-dev diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 44dd735278..0f875b0c42 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -3121,11 +3121,12 @@ package.version: short: Package version type: keyword process.args: - description: 'Array of process arguments. + description: 'Array of process arguments, starting with the absolute path to the + executable. May be filtered to protect sensitive information.' example: - - ssh + - /usr/bin/ssh - -l - user - 10.0.0.16 @@ -3133,9 +3134,22 @@ process.args: ignore_above: 1024 level: extended name: args - order: 4 + order: 5 short: Array of process arguments. type: keyword +process.command_line: + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.command_line + ignore_above: 1024 + level: extended + name: command_line + order: 4 + short: Full command line that started the process. + type: keyword process.executable: description: Absolute path to the process executable. example: /usr/bin/ssh 
@@ -3143,7 +3157,7 @@ process.executable: ignore_above: 1024 level: extended name: executable - order: 5 + order: 6 short: Absolute path to the process executable. type: keyword process.exit_code: @@ -3155,7 +3169,7 @@ process.exit_code: flat_name: process.exit_code level: extended name: exit_code - order: 12 + order: 13 short: The exit code of the process. type: long process.hash.md5: @@ -3245,7 +3259,7 @@ process.start: flat_name: process.start level: extended name: start - order: 9 + order: 10 short: The time the process started. type: date process.thread.id: @@ -3255,7 +3269,7 @@ process.thread.id: format: string level: extended name: thread.id - order: 7 + order: 8 short: Thread ID. type: long process.thread.name: @@ -3265,7 +3279,7 @@ process.thread.name: ignore_above: 1024 level: extended name: thread.name - order: 8 + order: 9 short: Thread name. type: keyword process.title: @@ -3277,7 +3291,7 @@ process.title: ignore_above: 1024 level: extended name: title - order: 6 + order: 7 short: Process title. type: keyword process.uptime: @@ -3286,7 +3300,7 @@ process.uptime: flat_name: process.uptime level: extended name: uptime - order: 10 + order: 11 short: Seconds the process has been up. type: long process.working_directory: @@ -3296,7 +3310,7 @@ process.working_directory: ignore_above: 1024 level: extended name: working_directory - order: 11 + order: 12 short: The working directory of the process. type: keyword related.ip: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index a258dc7a5f..61fa2bd2c0 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -3510,11 +3510,12 @@ process: copied to the global field for correlation.' fields: args: - description: 'Array of process arguments. + description: 'Array of process arguments, starting with the absolute path to + the executable. May be filtered to protect sensitive information.' example: - - ssh + - /usr/bin/ssh - -l - user - 10.0.0.16 
@@ -3522,9 +3523,22 @@ process: ignore_above: 1024 level: extended name: args - order: 4 + order: 5 short: Array of process arguments. type: keyword + command_line: + description: 'Full command line that started the process, including the absolute + path to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information.' + example: /usr/bin/ssh -l user 10.0.0.16 + flat_name: process.command_line + ignore_above: 1024 + level: extended + name: command_line + order: 4 + short: Full command line that started the process. + type: keyword executable: description: Absolute path to the process executable. example: /usr/bin/ssh @@ -3532,7 +3546,7 @@ process: ignore_above: 1024 level: extended name: executable - order: 5 + order: 6 short: Absolute path to the process executable. type: keyword exit_code: @@ -3544,7 +3558,7 @@ process: flat_name: process.exit_code level: extended name: exit_code - order: 12 + order: 13 short: The exit code of the process. type: long hash.md5: @@ -3634,7 +3648,7 @@ process: flat_name: process.start level: extended name: start - order: 9 + order: 10 short: The time the process started. type: date thread.id: @@ -3644,7 +3658,7 @@ process: format: string level: extended name: thread.id - order: 7 + order: 8 short: Thread ID. type: long thread.name: @@ -3654,7 +3668,7 @@ process: ignore_above: 1024 level: extended name: thread.name - order: 8 + order: 9 short: Thread name. type: keyword title: @@ -3666,7 +3680,7 @@ process: ignore_above: 1024 level: extended name: title - order: 6 + order: 7 short: Process title. type: keyword uptime: @@ -3675,7 +3689,7 @@ process: flat_name: process.uptime level: extended name: uptime - order: 10 + order: 11 short: Seconds the process has been up. type: long working_directory: @@ -3685,7 +3699,7 @@ process: ignore_above: 1024 level: extended name: working_directory - order: 11 + order: 12 short: The working directory of the process. type: keyword group: 2 
diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index bd1aa69ae4..f61553232f 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1293,6 +1293,10 @@ "ignore_above": 1024, "type": "keyword" }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, "executable": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 847ea5a9e9..1954acd87b 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1292,6 +1292,10 @@ "ignore_above": 1024, "type": "keyword" }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, "executable": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/legacy/template.json b/generated/legacy/template.json index 1ec7509f1e..012edc9192 100644 --- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -916,6 +916,10 @@ "ignore_above": 1024, "type": "keyword" }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, "executable": { "ignore_above": 1024, "type": "keyword" diff --git a/schema.json b/schema.json index 7a0825ae21..f9850c4e49 100644 --- a/schema.json +++ b/schema.json 
@@ -2170,8 +2170,8 @@ "description": "These fields contain information about a process.\nThese fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.\n", "fields": { "process.args": { - "description": "Array of process arguments.\nMay be filtered to protect sensitive information.", - "example": "['ssh', '-l', 'user', '10.0.0.16']", + "description": "Array of process arguments, starting with the absolute path to the executable.\nMay be filtered to protect sensitive information.", + "example": "['/usr/bin/ssh', '-l', 'user', '10.0.0.16']", "footnote": "", "group": 2, "level": "extended", @@ -2179,6 +2179,16 @@ "required": false, "type": "keyword" }, + "process.command_line": { + "description": "Full command line that started the process, including the absolute path to the executable, and all arguments.\nSome arguments may be filtered to protect sensitive information.", + "example": "/usr/bin/ssh -l user 10.0.0.16", + "footnote": "", + "group": 2, + "level": "extended", + "name": "process.command_line", + "required": false, + "type": "keyword" + }, "process.executable": { "description": "Absolute path to the process executable.", "example": "/usr/bin/ssh", diff --git a/schemas/process.yml b/schemas/process.yml index 2c600bf53a..9e7c5f4316 100644 --- a/schemas/process.yml +++ b/schemas/process.yml 
@@ -45,15 +45,26 @@ description: > Identifier of the group of processes the process belongs to. + - name: command_line + level: extended + type: keyword + short: Full command line that started the process. + description: > + Full command line that started the process, including the absolute path + to the executable, and all arguments. + + Some arguments may be filtered to protect sensitive information. + example: "/usr/bin/ssh -l user 10.0.0.16" + - name: args level: extended type: keyword short: Array of process arguments. description: > - Array of process arguments. + Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. - example: ["ssh", "-l", "user", "10.0.0.16"] + example: ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] - name: executable level: extended