[RFC Stage-2] Process IO events (#2031) (#2045)

CHANGELOG.next.md

@@ -45,6 +45,8 @@ Thanks, you're awesome :-) -->
 #### Added
 
 * Adding `risk.*` fields as experimental. #1994, #2010
+* Adding `process.io.*` as beta fields. #1956, #2031
+* Adding `process.tty.rows` and `process.tty.columns` as beta fields. #2031
 
 #### Improvements
 

docs/fields/field-details.asciidoc

@@ -7520,13 +7520,13 @@ type: object
 
 a| beta:[ This field is beta and subject to change. ]
 
-The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0. For more details, please refer to the Linux kernel documentation.
+The major number identifies the driver associated with the device. The character device's major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". For more details, please refer to the Linux kernel documentation.
 
 type: long
 
 
 
-example: `1`
+example: `4`
 
 | extended
 
@@ -7544,7 +7544,47 @@ type: long
 
 
 
-example: `128`
+example: `1`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-process-tty-columns]]
+<<field-process-tty-columns, process.tty.columns>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The number of character columns per line. e.g terminal width
+
+Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'
+
+type: long
+
+
+
+example: `80`
+
+| extended
+
+// ===============================================================
+
+|
+[[field-process-tty-rows]]
+<<field-process-tty-rows, process.tty.rows>>
+
+a| beta:[ This field is beta and subject to change. ]
+
+The number of character rows in the terminal. e.g terminal height
+
+Terminal sizes can change, so this value reflects the maximum value for a given IO event. i.e. where event.action = 'text_output'
+
+type: long
+
+
+
+example: `24`
 
 | extended
 

experimental/generated/beats/fields.ecs.yml

@@ -5460,9 +5460,9 @@
       type: long
       description: The major number identifies the driver associated with the device.
         The character device's major and minor numbers can be algorithmically combined
-        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0.
+        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
         For more details, please refer to the Linux kernel documentation.
-      example: 1
+      example: 4
       default_field: false
     - name: entry_leader.tty.char_device.minor
       level: extended
@@ -5471,7 +5471,7 @@
         \ number; other parts of the kernel don\u2019t use it, and merely pass it\
         \ along to the driver. It is common for a driver to control several devices;\
         \ the minor number provides a way for the driver to differentiate among them."
-      example: 128
+      example: 1
       default_field: false
     - name: entry_leader.user.id
       level: core
@@ -5744,9 +5744,9 @@
       type: long
       description: The major number identifies the driver associated with the device.
         The character device's major and minor numbers can be algorithmically combined
-        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0.
+        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
         For more details, please refer to the Linux kernel documentation.
-      example: 1
+      example: 4
       default_field: false
     - name: group_leader.tty.char_device.minor
       level: extended
@@ -5755,7 +5755,7 @@
         \ number; other parts of the kernel don\u2019t use it, and merely pass it\
         \ along to the driver. It is common for a driver to control several devices;\
         \ the minor number provides a way for the driver to differentiate among them."
-      example: 128
+      example: 1
       default_field: false
     - name: group_leader.user.id
       level: core
@@ -6482,9 +6482,9 @@
       type: long
       description: The major number identifies the driver associated with the device.
         The character device's major and minor numbers can be algorithmically combined
-        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0.
+        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
         For more details, please refer to the Linux kernel documentation.
-      example: 1
+      example: 4
       default_field: false
     - name: parent.tty.char_device.minor
       level: extended
@@ -6493,7 +6493,7 @@
         \ number; other parts of the kernel don\u2019t use it, and merely pass it\
         \ along to the driver. It is common for a driver to control several devices;\
         \ the minor number provides a way for the driver to differentiate among them."
-      example: 128
+      example: 1
       default_field: false
     - name: parent.uptime
       level: extended
@@ -6965,9 +6965,9 @@
       type: long
       description: The major number identifies the driver associated with the device.
         The character device's major and minor numbers can be algorithmically combined
-        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0.
+        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
         For more details, please refer to the Linux kernel documentation.
-      example: 1
+      example: 4
       default_field: false
     - name: session_leader.tty.char_device.minor
       level: extended
@@ -6976,7 +6976,7 @@
         \ number; other parts of the kernel don\u2019t use it, and merely pass it\
         \ along to the driver. It is common for a driver to control several devices;\
         \ the minor number provides a way for the driver to differentiate among them."
-      example: 128
+      example: 1
       default_field: false
     - name: session_leader.user.id
       level: core
@@ -7057,9 +7057,9 @@
       type: long
       description: The major number identifies the driver associated with the device.
         The character device's major and minor numbers can be algorithmically combined
-        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0.
+        to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
         For more details, please refer to the Linux kernel documentation.
-      example: 1
+      example: 4
       default_field: false
     - name: tty.char_device.minor
       level: extended
@@ -7068,7 +7068,25 @@
         \ number; other parts of the kernel don\u2019t use it, and merely pass it\
         \ along to the driver. It is common for a driver to control several devices;\
         \ the minor number provides a way for the driver to differentiate among them."
-      example: 128
+      example: 1
+      default_field: false
+    - name: tty.columns
+      level: extended
+      type: long
+      description: 'The number of character columns per line. e.g terminal width
+
+        Terminal sizes can change, so this value reflects the maximum value for a
+        given IO event. i.e. where event.action = ''text_output'''
+      example: 80
+      default_field: false
+    - name: tty.rows
+      level: extended
+      type: long
+      description: 'The number of character rows in the terminal. e.g terminal height
+
+        Terminal sizes can change, so this value reflects the maximum value for a
+        given IO event. i.e. where event.action = ''text_output'''
+      example: 24
       default_field: false
     - name: uptime
       level: extended

experimental/generated/csv/fields.csv

@@ -602,8 +602,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.5.0-dev+exp,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.5.0-dev+exp,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
 8.5.0-dev+exp,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device.
-8.5.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number.
-8.5.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number.
+8.5.0-dev+exp,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+8.5.0-dev+exp,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
 8.5.0-dev+exp,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 8.5.0-dev+exp,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
 8.5.0-dev+exp,true,process,process.entry_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
@@ -641,8 +641,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.5.0-dev+exp,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.5.0-dev+exp,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
 8.5.0-dev+exp,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device.
-8.5.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number.
-8.5.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number.
+8.5.0-dev+exp,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+8.5.0-dev+exp,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
 8.5.0-dev+exp,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 8.5.0-dev+exp,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
 8.5.0-dev+exp,true,process,process.group_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
@@ -748,8 +748,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.5.0-dev+exp,true,process,process.parent.title,keyword,extended,,,Process title.
 8.5.0-dev+exp,true,process,process.parent.title.text,match_only_text,extended,,,Process title.
 8.5.0-dev+exp,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device.
-8.5.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,1,The TTY character device's major number.
-8.5.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,128,The TTY character device's minor number.
+8.5.0-dev+exp,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+8.5.0-dev+exp,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
 8.5.0-dev+exp,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up.
 8.5.0-dev+exp,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 8.5.0-dev+exp,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user.
@@ -814,8 +814,8 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.5.0-dev+exp,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.5.0-dev+exp,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group.
 8.5.0-dev+exp,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device.
-8.5.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,1,The TTY character device's major number.
-8.5.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,128,The TTY character device's minor number.
+8.5.0-dev+exp,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+8.5.0-dev+exp,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
 8.5.0-dev+exp,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 8.5.0-dev+exp,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user.
 8.5.0-dev+exp,true,process,process.session_leader.user.name.text,match_only_text,core,,a.einstein,Short name or login of the user.
@@ -829,8 +829,10 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.5.0-dev+exp,true,process,process.title,keyword,extended,,,Process title.
 8.5.0-dev+exp,true,process,process.title.text,match_only_text,extended,,,Process title.
 8.5.0-dev+exp,true,process,process.tty,object,extended,,,Information about the controlling TTY device.
-8.5.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,1,The TTY character device's major number.
-8.5.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,128,The TTY character device's minor number.
+8.5.0-dev+exp,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number.
+8.5.0-dev+exp,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number.
+8.5.0-dev+exp,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width
+8.5.0-dev+exp,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height
 8.5.0-dev+exp,true,process,process.uptime,long,extended,,1325,Seconds the process has been up.
 8.5.0-dev+exp,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
 8.5.0-dev+exp,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user.