pub struct Process { /* private fields */ }
These fields contain information about a process.
These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.
Implementations
impl Process
pub fn get_entity_id(&self) -> Option<&String>
Unique identifier for the process.
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
pub fn set_entity_id(&mut self, entity_id_arg: String)
Unique identifier for the process.
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts.
Example
c2c455d9f99375d
pub fn get_name(&self) -> Option<&String>
Process name.
Sometimes called program name or similar.
pub fn get_pgid(&self) -> Option<&u64>
Deprecated for removal in the next major version release. This field is superseded by process.group_leader.pid.
Identifier of the group of processes the process belongs to.
pub fn set_pgid(&mut self, pgid_arg: u64)
Deprecated for removal in the next major version release. This field is superseded by process.group_leader.pid.
Identifier of the group of processes the process belongs to.
pub fn get_command_line(&self) -> Option<&String>
Full command line that started the process, including the absolute path to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information.
pub fn set_command_line(&mut self, command_line_arg: String)
Full command line that started the process, including the absolute path to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information.
Example
/usr/bin/ssh -l user 10.0.0.16
pub fn get_args(&self) -> &Vec<String>
Array of process arguments, starting with the absolute path to the executable.
May be filtered to protect sensitive information.
pub fn add_arg(&mut self, arg_arg: String)
Array of process arguments, starting with the absolute path to the executable.
May be filtered to protect sensitive information.
Example
["/usr/bin/ssh", "-l", "user", "10.0.0.16"]
pub fn get_args_count(&self) -> Option<&u64>
Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
pub fn set_args_count(&mut self, args_count_arg: u64)
Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.
Example
4
pub fn get_executable(&self) -> Option<&String>
Absolute path to the process executable.
pub fn set_executable(&mut self, executable_arg: String)
pub fn get_title(&self) -> Option<&String>
Process title.
The proctitle, sometimes the same as the process name. It can also differ: for example, a browser setting its title to the web page currently opened.
pub fn set_title(&mut self, title_arg: String)
Process title.
The proctitle, sometimes the same as the process name. It can also differ: for example, a browser setting its title to the web page currently opened.
pub fn get_thread_id(&self) -> Option<&u64>
Thread ID.
pub fn set_thread_id(&mut self, thread_id_arg: u64)
pub fn get_thread_name(&self) -> Option<&String>
Thread name.
pub fn set_thread_name(&mut self, thread_name_arg: String)
pub fn get_uptime(&self) -> Option<&u64>
Seconds the process has been up.
pub fn set_uptime(&mut self, uptime_arg: u64)
pub fn get_working_directory(&self) -> Option<&String>
The working directory of the process.
pub fn set_working_directory(&mut self, working_directory_arg: String)
pub fn get_exit_code(&self) -> Option<&u64>
The exit code of the process, if this is a termination event.
The field should be absent if there is no exit code for the event (e.g. process start).
pub fn set_exit_code(&mut self, exit_code_arg: u64)
The exit code of the process, if this is a termination event.
The field should be absent if there is no exit code for the event (e.g. process start).
Example
137
pub fn get_interactive(&self) -> Option<&bool>
Whether the process is connected to an interactive shell.
Process interactivity is inferred from the process's file descriptors. If the character device for the controlling TTY is the same as stdin and stderr for the process, the process is considered interactive.
Note: A non-interactive process can belong to an interactive session; it is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
pub fn set_interactive(&mut self, interactive_arg: bool)
Whether the process is connected to an interactive shell.
Process interactivity is inferred from the process's file descriptors. If the character device for the controlling TTY is the same as stdin and stderr for the process, the process is considered interactive.
Note: A non-interactive process can belong to an interactive session; it is simply one that does not have open file descriptors reading the controlling TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A backgrounded process is still considered interactive if stdin and stderr are connected to the controlling TTY.
Example
true
pub fn get_same_as_process(&self) -> Option<&bool>
This boolean is used to identify if a leader process is the same as the top level process.
For example, if process.group_leader.same_as_process = true, it means the process event in question is the leader of its process group. Details under process.* like pid would be the same under process.group_leader.*. The same applies for both process.session_leader and process.entry_leader.
This field exists for the benefit of EQL and other rule engines, since it is not possible to compare equality between two fields in a single document, e.g. process.entity_id = process.group_leader.entity_id (top level process is the process group leader) OR process.entity_id = process.entry_leader.entity_id (top level process is the entry session leader).
Instead, these rules can be written as: process.group_leader.same_as_process: true OR process.entry_leader.same_as_process: true.
Note: This field is only set on process.entry_leader, process.session_leader and process.group_leader.
pub fn set_same_as_process(&mut self, same_as_process_arg: bool)
This boolean is used to identify if a leader process is the same as the top level process.
For example, if process.group_leader.same_as_process = true, it means the process event in question is the leader of its process group. Details under process.* like pid would be the same under process.group_leader.*. The same applies for both process.session_leader and process.entry_leader.
This field exists for the benefit of EQL and other rule engines, since it is not possible to compare equality between two fields in a single document, e.g. process.entity_id = process.group_leader.entity_id (top level process is the process group leader) OR process.entity_id = process.entry_leader.entity_id (top level process is the entry session leader).
Instead, these rules can be written as: process.group_leader.same_as_process: true OR process.entry_leader.same_as_process: true.
Note: This field is only set on process.entry_leader, process.session_leader and process.group_leader.
Example
true
pub fn get_env_vars(&self) -> &Vec<String>
Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.
May be filtered to protect sensitive information.
pub fn add_env_var(&mut self, env_var_arg: String)
Array of environment variable bindings. Captured from a snapshot of the environment at the time of execution.
May be filtered to protect sensitive information.
Example
["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]
pub fn get_entry_meta_type(&self) -> Option<&String>
The entry type for the entry session leader. Values include: init (e.g. systemd), sshd, ssm, kubelet, teleport, terminal, console.
Note: This field is only set on process.session_leader.
pub fn set_entry_meta_type(&mut self, entry_meta_type_arg: String)
The entry type for the entry session leader. Values include: init (e.g. systemd), sshd, ssm, kubelet, teleport, terminal, console.
Note: This field is only set on process.session_leader.
pub fn get_entry_meta_source(&self) -> Option<&String>
Entry point information for a session: remote client information such as IP, port and geo location.
pub fn set_entry_meta_source(&mut self, entry_meta_source_arg: String)
Entry point information for a session: remote client information such as IP, port and geo location.
pub fn get_tty(&self) -> Option<&Value>
Information about the controlling TTY device. If set, the process belongs to an interactive session.
pub fn set_tty(&mut self, tty_arg: Value)
Information about the controlling TTY device. If set, the process belongs to an interactive session.
pub fn get_tty_char_device_major(&self) -> Option<&u64>
The major number identifies the driver associated with the device. The character device’s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as “ttyS0” and “pts/0”. For more details, please refer to the Linux kernel documentation.
pub fn set_tty_char_device_major(&mut self, tty_char_device_major_arg: u64)
The major number identifies the driver associated with the device. The character device’s major and minor numbers can be algorithmically combined to produce the more familiar terminal identifiers such as “ttyS0” and “pts/0”. For more details, please refer to the Linux kernel documentation.
Example
4
pub fn get_tty_char_device_minor(&self) -> Option<&u64>
The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
pub fn set_tty_char_device_minor(&mut self, tty_char_device_minor_arg: u64)
The minor number is used only by the driver specified by the major number; other parts of the kernel don’t use it, and merely pass it along to the driver. It is common for a driver to control several devices; the minor number provides a way for the driver to differentiate among them.
Example
1
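As an added example (not code from this crate or from ECS), the Rust below implements the two derivations the field docs above describe: combining the tty.char_device major and minor numbers into the familiar terminal name, and inferring process.interactive by comparing the controlling TTY's character device with the devices behind fd 0 and fd 2. The CharDev and FdSnapshot types are the example's own assumptions; the major/minor ranges follow the Linux kernel's admin-guide/devices.txt.

```rust
// Added example, not code from the crate documented above. Combines
// process.tty.char_device {major, minor} into a terminal name ("tty1",
// "ttyS0", "pts/0") and infers process.interactive from the char devices
// behind fd 0 (stdin) and fd 2 (stderr), as the field docs describe.

/// A character device identified by its (major, minor) pair.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CharDev {
    pub major: u64,
    pub minor: u64,
}

/// Map a char device to its terminal name, or None if it is not a terminal
/// (major 1 minor 3 is /dev/null, which a redirected fd often points at).
pub fn tty_name(dev: CharDev) -> Option<String> {
    match dev.major {
        // Major 4: virtual consoles use minors 0-63, serial ports 64-255.
        4 if dev.minor < 64 => Some(format!("tty{}", dev.minor)),
        4 if dev.minor < 256 => Some(format!("ttyS{}", dev.minor - 64)),
        // Majors 136-143: Unix98 pseudo-terminal slaves, 256 per major.
        136..=143 => Some(format!("pts/{}", (dev.major - 136) * 256 + dev.minor)),
        _ => None,
    }
}

/// What a collector snapshots for one process: its controlling TTY and the
/// char device (if any) behind stdin and stderr. None on a std fd means it
/// is closed or not a char device (a pipe or a regular file, for instance).
#[derive(Debug, Clone, Copy)]
pub struct FdSnapshot {
    pub controlling_tty: Option<CharDev>,
    pub stdin: Option<CharDev>,
    pub stderr: Option<CharDev>,
}

/// process.interactive as the docs define it: fd 0 and fd 2 must both be the
/// controlling TTY itself. A backgrounded job keeps them and stays interactive;
/// `cmd 2>/dev/null` or `cmd </dev/null` in the same session does not.
pub fn is_interactive(snap: &FdSnapshot) -> bool {
    match snap.controlling_tty {
        Some(ctty) => snap.stdin == Some(ctty) && snap.stderr == Some(ctty),
        None => false, // no controlling TTY at all (daemon, container init)
    }
}

fn main() {
    // Constructed sample: the page's example device 4/1 and a pts session.
    let console = CharDev { major: 4, minor: 1 };
    let pts0 = CharDev { major: 136, minor: 0 };
    let devnull = CharDev { major: 1, minor: 3 };
    println!("{:?} -> {:?}", console, tty_name(console)); // Some("tty1")
    println!("{:?} -> {:?}", pts0, tty_name(pts0)); // Some("pts/0")
    let shell = FdSnapshot { controlling_tty: Some(pts0), stdin: Some(pts0), stderr: Some(pts0) };
    let quiet = FdSnapshot { controlling_tty: Some(pts0), stdin: Some(pts0), stderr: Some(devnull) };
    println!("shell interactive: {}", is_interactive(&shell)); // true
    println!("stderr to /dev/null: {}", is_interactive(&quiet)); // false
}
```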
pub fn get_tty_rows(&self) -> Option<&u64>
The number of character rows in the terminal, i.e. the terminal height.
Terminal sizes can change, so this value reflects the maximum value for a given IO event, i.e. where event.action = ‘text_output’.
pub fn set_tty_rows(&mut self, tty_rows_arg: u64)
The number of character rows in the terminal, i.e. the terminal height.
Terminal sizes can change, so this value reflects the maximum value for a given IO event, i.e. where event.action = ‘text_output’.
Example
24
pub fn get_tty_columns(&self) -> Option<&u64>
The number of character columns per line, i.e. the terminal width.
Terminal sizes can change, so this value reflects the maximum value for a given IO event, i.e. where event.action = ‘text_output’.
pub fn set_tty_columns(&mut self, tty_columns_arg: u64)
The number of character columns per line, i.e. the terminal width.
Terminal sizes can change, so this value reflects the maximum value for a given IO event, i.e. where event.action = ‘text_output’.
Example
80
pub fn get_io(&self) -> Option<&Value>
A chunk of input or output (IO) from a single process.
This field only appears on the top level process object, which is the process that wrote the output or read the input.
pub fn set_io(&mut self, io_arg: Value)
A chunk of input or output (IO) from a single process.
This field only appears on the top level process object, which is the process that wrote the output or read the input.
pub fn get_io_type(&self) -> Option<&String>
The type of object on which the IO action (read or write) was taken.
Currently only ‘tty’ is supported. Other types may be added in the future for ‘file’ and ‘socket’ support.
pub fn set_io_type(&mut self, io_type_arg: String)
The type of object on which the IO action (read or write) was taken.
Currently only ‘tty’ is supported. Other types may be added in the future for ‘file’ and ‘socket’ support.
pub fn get_io_text(&self) -> Option<&String>
A chunk of output or input sanitized to UTF-8.
Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.
pub fn set_io_text(&mut self, io_text_arg: String)
A chunk of output or input sanitized to UTF-8.
Best efforts are made to ensure complete lines are captured in these events. Assumptions should NOT be made that multiple lines will appear in the same event. TTY output may contain terminal control codes such as for cursor movement, so some string queries may not match due to terminal codes inserted between characters of a word.
pub fn get_io_total_bytes_captured(&self) -> Option<&u64>
The total number of bytes captured in this event.
pub fn set_io_total_bytes_captured(&mut self, io_total_bytes_captured_arg: u64)
The total number of bytes captured in this event.
pub fn get_io_total_bytes_skipped(&self) -> Option<&u64>
The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero.
pub fn set_io_total_bytes_skipped(&mut self, io_total_bytes_skipped_arg: u64)
The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero.
pub fn get_io_max_bytes_per_process_exceeded(&self) -> Option<&bool>
If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
pub fn set_io_max_bytes_per_process_exceeded(&mut self, io_max_bytes_per_process_exceeded_arg: bool)
If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting.
pub fn get_io_bytes_skipped(&self) -> &Vec<Value>
An array of byte offsets and lengths denoting where IO data has been skipped.
pub fn add_io_bytes_skipped(&mut self, io_bytes_skipped_arg: Value)
An array of byte offsets and lengths denoting where IO data has been skipped.
pub fn get_io_bytes_skipped_offset(&self) -> Option<&u64>
The byte offset into this event’s io.text (or io.bytes in the future) where length bytes were skipped.
pub fn set_io_bytes_skipped_offset(&mut self, io_bytes_skipped_offset_arg: u64)
The byte offset into this event’s io.text (or io.bytes in the future) where length bytes were skipped.
pub fn get_io_bytes_skipped_length(&self) -> Option<&u64>
The length of bytes skipped.
pub fn set_io_bytes_skipped_length(&mut self, io_bytes_skipped_length_arg: u64)
The length of bytes skipped.
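As an added example (not code from this crate), the Rust below uses the io.bytes_skipped semantics documented above, offsets that index into io.text with a length of missing bytes at each, to rebuild a captured chunk with a visible marker at every gap and to reject an array that does not fit the event. The IoEvent and SkippedRange types are the example's own minimal stand-ins for the fields involved.

```rust
// Added example, not code from the crate: rebuild one process.io event so its
// gaps are visible. Per the docs above, bytes_skipped offsets index into
// io.text, so text is copied up to each offset and a marker inserted there.
// IoEvent/SkippedRange are this example's own minimal types.

/// One process.io.bytes_skipped entry: `length` bytes missing at `offset`.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct SkippedRange {
    pub offset: u64,
    pub length: u64,
}

/// The subset of a process.io event needed here.
#[derive(Debug, Clone)]
pub struct IoEvent {
    pub text: String,
    pub total_bytes_skipped: u64,
    pub bytes_skipped: Vec<SkippedRange>,
}

/// Returns io.text with a marker at every gap, so an analyst sees where output
/// is missing and a failed string match on such an event is not read as
/// "that text was never printed". Err when bytes_skipped does not fit the event.
pub fn annotate_gaps(ev: &IoEvent) -> Result<String, String> {
    let sum: u64 = ev.bytes_skipped.iter().map(|r| r.length).sum();
    if sum != ev.total_bytes_skipped {
        return Err(format!("lengths sum to {} but total_bytes_skipped is {}", sum, ev.total_bytes_skipped));
    }
    let text = ev.text.as_bytes();
    let mut out = Vec::with_capacity(text.len());
    let mut cursor = 0usize;
    for (i, r) in ev.bytes_skipped.iter().enumerate() {
        let off = r.offset as usize;
        if off > text.len() {
            return Err(format!("bytes_skipped[{}] offset {} is past the end of io.text", i, off));
        }
        if off < cursor {
            return Err(format!("bytes_skipped[{}] offset {} is out of order", i, off));
        }
        out.extend_from_slice(&text[cursor..off]);
        out.extend_from_slice(format!("[{} bytes skipped]", r.length).as_bytes());
        cursor = off;
    }
    out.extend_from_slice(&text[cursor..]);
    // Offsets are byte offsets, so a marker can land inside a multibyte
    // character; from_utf8_lossy keeps the result valid UTF-8 in that case.
    Ok(String::from_utf8_lossy(&out).into_owned())
}

fn main() {
    // Constructed sample event: 128 bytes of output were dropped mid-line.
    let ev = IoEvent {
        text: "uid=1000(ubuntu) gid=1000(ubuntu)\n".to_string(),
        total_bytes_skipped: 128,
        bytes_skipped: vec![SkippedRange { offset: 16, length: 128 }],
    };
    println!("{}", annotate_gaps(&ev).unwrap());
}
```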