Introduce process.executable. (elastic#209)

Also move the more canonical process fields to the top.
MikePaquette · Dec 4, 2018 · 468e8a4 · 468e8a4
1 parent 360ad4c
commit 468e8a4
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 32 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,7 @@ All notable changes to this project will be documented in this file based on the
 * Add `user.group` field. #204
 * Create new `group` field set with `group.id` and `group.name`. #203
 * Add `url.full` field. #207
+* Add `process.executable` field. #209
 
 ### Improvements
 * Improve and clarify the definition of Device fields #192

diff --git a/README.md b/README.md
@@ -350,10 +350,11 @@ These fields contain information about a process. These fields can help you corr
 
 | Field  | Description  | Level  | Type  | Example  |
 |---|---|---|---|---|
-| <a name="process.args"></a>process.args | Process arguments.<br/>May be filtered to protect sensitive information. | extended | keyword | `['-l', 'user', '10.0.0.16']` |
+| <a name="process.pid"></a>process.pid | Process id. | core | long |  |
 | <a name="process.name"></a>process.name | Process name.<br/>Sometimes called program name or similar. | extended | keyword | `ssh` |
-| <a name="process.pid"></a>process.pid | Process id. | core | long | `4242` |
 | <a name="process.ppid"></a>process.ppid | Process parent id. | extended | long |  |
+| <a name="process.args"></a>process.args | Process arguments.<br/>May be filtered to protect sensitive information. | extended | keyword | `['ssh', '-l', 'user', '10.0.0.16']` |
+| <a name="process.executable"></a>process.executable | Absolute path to the process executable. | extended | keyword | `/usr/bin/ssh` |
 | <a name="process.title"></a>process.title | Process title.<br/>The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | extended | keyword |  |
 | <a name="process.thread.id"></a>process.thread.id | Thread ID. | extended | long | `4242` |
 

diff --git a/fields.yml b/fields.yml
@@ -984,14 +984,12 @@
       type: group
       fields:
 
-        - name: args
-          level: extended
-          type: keyword
+        - name: pid
+          level: core
+          type: long
           description: >
-            Process arguments.
-    
-            May be filtered to protect sensitive information.
-          example: ["-l", "user", "10.0.0.16"]
+            Process id.
+          exmple: ssh
 
         - name: name
           level: extended
@@ -1002,19 +1000,28 @@
             Sometimes called program name or similar.
           example: ssh
 
-        - name: pid
-          level: core
-          type: long
-          description: >
-            Process id.
-          example: 4242
-
         - name: ppid
           level: extended
           type: long
           description: >
             Process parent id.
     
+        - name: args
+          level: extended
+          type: keyword
+          description: >
+            Process arguments.
+    
+            May be filtered to protect sensitive information.
+          example: ["ssh", "-l", "user", "10.0.0.16"]
+
+        - name: executable
+          level: extended
+          type: keyword
+          description: >
+            Absolute path to the process executable.
+          example: /usr/bin/ssh
+
         - name: title
           level: extended
           type: keyword

diff --git a/schema.csv b/schema.csv
@@ -102,9 +102,10 @@ os.kernel,keyword,extended,4.4.0-112-generic
 os.name,keyword,extended,Mac OS X
 os.platform,keyword,extended,darwin
 os.version,keyword,extended,10.12.6-rc2
-process.args,keyword,extended,"['-l', 'user', '10.0.0.16']"
+process.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']"
+process.executable,keyword,extended,/usr/bin/ssh
 process.name,keyword,extended,ssh
-process.pid,long,core,4242
+process.pid,long,core,
 process.ppid,long,extended,
 process.thread.id,long,extended,4242
 process.title,keyword,extended,

diff --git a/schemas/process.yml b/schemas/process.yml
@@ -10,14 +10,12 @@
   type: group
   fields:
 
-    - name: args
-      level: extended
-      type: keyword
+    - name: pid
+      level: core
+      type: long
       description: >
-        Process arguments.
-
-        May be filtered to protect sensitive information.
-      example: ["-l", "user", "10.0.0.16"]
+        Process id.
+      exmple: ssh
 
     - name: name
       level: extended
@@ -28,19 +26,28 @@
         Sometimes called program name or similar.
       example: ssh
 
-    - name: pid
-      level: core
-      type: long
-      description: >
-        Process id.
-      example: 4242
-
     - name: ppid
       level: extended
       type: long
       description: >
         Process parent id.
 
+    - name: args
+      level: extended
+      type: keyword
+      description: >
+        Process arguments.
+
+        May be filtered to protect sensitive information.
+      example: ["ssh", "-l", "user", "10.0.0.16"]
+
+    - name: executable
+      level: extended
+      type: keyword
+      description: >
+        Absolute path to the process executable.
+      example: /usr/bin/ssh
+
     - name: title
       level: extended
       type: keyword

diff --git a/template.json b/template.json
@@ -505,6 +505,10 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "executable": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "name": {
               "ignore_above": 1024,
               "type": "keyword"