diff --git a/code/go/ecs/process.go b/code/go/ecs/process.go index b81da4e3dc..6ec38d289c 100644 --- a/code/go/ecs/process.go +++ b/code/go/ecs/process.go @@ -38,6 +38,9 @@ type Process struct { // Process parent id. PPID int64 `ecs:"ppid"` + // Identifier of the group of processes the process belongs to. + PGID int64 `ecs:"pgid"` + // Array of process arguments. // May be filtered to protect sensitive information. Args []string `ecs:"args"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index a65f982c92..04251bfff9 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -2026,6 +2026,17 @@ type: keyword example: `ssh` +| extended + +// =============================================================== + +| process.pgid +| Identifier of the group of processes the process belongs to. + +type: long + + + | extended // =============================================================== diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index d27d7f5ea3..44514e3489 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -1520,6 +1520,10 @@ Sometimes called program name or similar.' example: ssh + - name: pgid + level: extended + type: long + description: Identifier of the group of processes the process belongs to. - name: pid level: core type: long diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index c955eced51..938ccd92ac 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -194,6 +194,7 @@ os.version,keyword,extended,10.14.1,1.1.0-dev process.args,keyword,extended,"['ssh', '-l', 'user', '10.0.0.16']",1.1.0-dev process.executable,keyword,extended,/usr/bin/ssh,1.1.0-dev process.name,keyword,extended,ssh,1.1.0-dev +process.pgid,long,extended,,1.1.0-dev process.pid,long,core,,1.1.0-dev process.ppid,long,extended,,1.1.0-dev process.start,date,extended,2016-05-23T08:05:34.853Z,1.1.0-dev 
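Review bot: The doc comment on the new `PGID` field can be read as the group id the process runs as (the user-level gid), which is a different identifier; next to `PID`/`PPID` it should say explicitly that this is the POSIX process group ID. Suggested: `// POSIX process group ID (pgid) of the process, i.e. the id of the process group it belongs to. Not the user/group id the process runs as.` The accompanying edit to `abbreviations` in scripts/cmd/gocodegen suggests this file is generated from schemas/process.yml, so the wording should presumably be corrected there and regenerated rather than edited by hand here. The `Process` struct opens and closes outside the hunk.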
diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 28f575c964..27242d77a9 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -2127,7 +2127,7 @@ process.args: ignore_above: 1024 level: extended name: args - order: 3 + order: 4 short: Array of process arguments. type: keyword process.executable: @@ -2137,7 +2137,7 @@ process.executable: ignore_above: 1024 level: extended name: executable - order: 4 + order: 5 short: Absolute path to the process executable. type: keyword process.name: @@ -2152,6 +2152,14 @@ process.name: order: 1 short: Process name. type: keyword +process.pgid: + description: Identifier of the group of processes the process belongs to. + flat_name: process.pgid + level: extended + name: pgid + order: 3 + short: Identifier of the group of processes the process belongs to. + type: long process.pid: description: Process id. exmple: ssh @@ -2175,7 +2183,7 @@ process.start: flat_name: process.start level: extended name: start - order: 7 + order: 8 short: The time the process started. type: date process.thread.id: @@ -2184,7 +2192,7 @@ process.thread.id: flat_name: process.thread.id level: extended name: thread.id - order: 6 + order: 7 short: Thread ID. type: long process.title: @@ -2196,7 +2204,7 @@ process.title: ignore_above: 1024 level: extended name: title - order: 5 + order: 6 short: Process title. type: keyword process.working_directory: @@ -2206,7 +2214,7 @@ process.working_directory: ignore_above: 1024 level: extended name: working_directory - order: 8 + order: 9 short: The working directory of the process. type: keyword related.ip: diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index 8019764df6..0f9c623dee 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -2437,7 +2437,7 @@ process: ignore_above: 1024 level: extended name: args - order: 3 + order: 4 short: Array of process arguments. type: keyword executable: 
@@ -2447,7 +2447,7 @@ process: ignore_above: 1024 level: extended name: executable - order: 4 + order: 5 short: Absolute path to the process executable. type: keyword name: @@ -2462,6 +2462,14 @@ process: order: 1 short: Process name. type: keyword + pgid: + description: Identifier of the group of processes the process belongs to. + flat_name: process.pgid + level: extended + name: pgid + order: 3 + short: Identifier of the group of processes the process belongs to. + type: long pid: description: Process id. exmple: ssh @@ -2485,7 +2493,7 @@ process: flat_name: process.start level: extended name: start - order: 7 + order: 8 short: The time the process started. type: date thread.id: @@ -2494,7 +2502,7 @@ process: flat_name: process.thread.id level: extended name: thread.id - order: 6 + order: 7 short: Thread ID. type: long title: @@ -2506,7 +2514,7 @@ process: ignore_above: 1024 level: extended name: title - order: 5 + order: 6 short: Process title. type: keyword working_directory: @@ -2516,7 +2524,7 @@ process: ignore_above: 1024 level: extended name: working_directory - order: 8 + order: 9 short: The working directory of the process. type: keyword group: 2 diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index bcd9d3a3c0..8fbc51a27a 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -918,6 +918,9 @@ "ignore_above": 1024, "type": "keyword" }, + "pgid": { + "type": "long" + }, "pid": { "type": "long" }, diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index b7dbf70306..bd4b921677 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -917,6 +917,9 @@ "ignore_above": 1024, "type": "keyword" }, + "pgid": { + "type": "long" + }, "pid": { "type": "long" }, diff --git a/generated/legacy/template.json b/generated/legacy/template.json index aee36994c3..82783af8fa 100644 
--- a/generated/legacy/template.json +++ b/generated/legacy/template.json @@ -614,6 +614,9 @@ "ignore_above": 1024, "type": "keyword" }, + "pgid": { + "type": "long" + }, "pid": { "type": "long" }, diff --git a/schema.json b/schema.json index a00cc38aef..da78dd10bf 100644 --- a/schema.json +++ b/schema.json @@ -1473,6 +1473,16 @@ "required": false, "type": "keyword" }, + "process.pgid": { + "description": "Identifier of the group of processes the process belongs to.", + "example": "", + "footnote": "", + "group": 2, + "level": "extended", + "name": "process.pgid", + "required": false, + "type": "long" + }, "process.pid": { "description": "Process id.", "example": "", diff --git a/schemas/process.yml b/schemas/process.yml index 22159936fe..8ab0b400c2 100644 --- a/schemas/process.yml +++ b/schemas/process.yml @@ -35,6 +35,12 @@ description: > Process parent id. + - name: pgid + level: extended + type: long + description: > + Identifier of the group of processes the process belongs to. + - name: args level: extended type: keyword diff --git a/scripts/cmd/gocodegen/gocodegen.go b/scripts/cmd/gocodegen/gocodegen.go index 85638a02a2..652d4dd9f1 100644 --- a/scripts/cmd/gocodegen/gocodegen.go +++ b/scripts/cmd/gocodegen/gocodegen.go @@ -295,7 +295,7 @@ func goDataType(fieldName, elasticsearchDataType string) string { // abbreviations capitalizes common abbreviations. func abbreviations(abv string) string { switch strings.ToLower(abv) { - case "id", "ppid", "pid", "mac", "ip", "iana", "uid", "ecs": + case "id", "ppid", "pid", "pgid", "mac", "ip", "iana", "uid", "ecs": return strings.ToUpper(abv) default: return abv
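Review bot: The `description` of the new `pgid` field does not say it is the POSIX process group ID, so an analyst correlating events can confuse `process.pgid` with the group id in `user.group.id`, and nothing records that the value only exists on systems with POSIX process groups, so sources on other platforms may emit 0 or omit it inconsistently. Suggested description: `The POSIX process group ID (pgid) of the process. This is the id of the process group the process belongs to, which is normally the pid of the group leader; it is not the user group id the process runs as. Typically only available on Unix-like systems.` Since this schema appears to feed the generated Go struct comment, docs and templates elsewhere in the commit, the fix presumably needs to be made only here and regenerated. The `fields` list of schemas/process.yml continues outside the hunk.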
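Review bot: Adding `"pgid"` to the hard-coded `case` list in `abbreviations` is the only thing that makes the generated field name `PGID` consistent with `PID`/`PPID`, and nothing in the hunk asserts that mapping, so the next id-like field that is not added here will silently generate a `Pgid`-style name. A small table-driven test would catch that: `for in, want := range map[string]string{"pgid": "PGID", "ppid": "PPID", "args": "args"} { if got := abbreviations(in); got != want { t.Errorf("abbreviations(%q) = %q, want %q", in, got, want) } }`. A short comment on the `switch` noting that every id-like schema field must be listed here would also help the next contributor. The closing brace of `abbreviations` lies outside the hunk.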