docs(userspace/libsinsp): more detailed docs about proc filterchecks
Signed-off-by: Roberto Scolaro <roberto.scolaro21@gmail.com>
therealbobo committed May 15, 2023
1 parent e54bbb8 commit 713f935
Showing 1 changed file with 13 additions and 13 deletions.
26 changes: 13 additions & 13 deletions userspace/libsinsp/filterchecks.cpp
Expand Up @@ -1873,19 +1873,19 @@ bool sinsp_filter_check_fd::compare(sinsp_evt *evt)
///////////////////////////////////////////////////////////////////////////////
const filtercheck_field_info sinsp_filter_check_thread_fields[] =
{
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.exe", "First Argument", "The first command line argument argv[0] (usually the executable name or a custom one)."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pexe", "Parent First Argument", "The first command line argument (usually the executable name or a custom one) of the parent process."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.aexe", "Ancestor First Argument", "The first command line argument (usually the executable name or a custom one) of one of the process ancestors. e.g. proc.aexe[1] returns the parent first argument, proc.aexe[2] returns the grandparent first argument, and so on. proc.aexe[0] is the first argument of the current process. proc.aexe without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aexe endswith java."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.exepath", "Process Executable Path", "The full executable path of the process."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pexepath", "Parent Process Executable Path", "The full executable path of the parent process."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.aexepath", "Ancestor Executable Path", "The full executable path of one of the process ancestors. e.g. proc.aexepath[1] returns the parent full executable path, proc.aexepath[2] returns the grandparent full executable path, and so on. proc.aexepath[0] is the full executable path of the current process. proc.aexepath without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aexepath contains java."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.name", "Name", "The name (excluding the path) of the executable generating the event (task->comm)."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pname", "Parent Name", "The name (excluding the path) of the parent of the process generating the event."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.aname", "Ancestor Name", "The name (excluding the path) of one of the process ancestors. e.g. proc.aname[1] returns the parent name, proc.aname[2] returns the grandparent name, and so on. proc.aname[0] is the name of the current process. proc.aname without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aname=bash."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.args", "Arguments", "The arguments passed on the command line when starting the process generating the event excluding argv[0]."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.exe", "First Argument", "The first command line argument argv[0] which is usually the executable name or a custom string. This field is initially updated through a procfs scan (specifically by reading from /proc/<pid>/cmdline), then through the syscall events stream at runtime (in this case, the field is read from the syscall args)."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pexe", "Parent First Argument", "The proc.exe (first command line argument argv[0]) of the parent process."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.aexe", "Ancestor First Argument", "The proc.exe (first command line argument argv[0]) of one of the process ancestors. e.g. proc.aexe[1] returns the parent first argument, proc.aexe[2] returns the grandparent first argument, and so on. proc.aexe[0] is the first argument of the current process. proc.aexe without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aexe endswith java."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.exepath", "Process Executable Path", "The full executable path of the process. This field is updated on a procfs scan (in this case the field is the resolved path of /proc/<pid>/exe) or when a exceve or close syscall occurs."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pexepath", "Parent Process Executable Path", "The proc.exepath (full executable path) of the parent process."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.aexepath", "Ancestor Executable Path", "The list of proc.exepath (full executable path) of one of the process ancestors. e.g. proc.aexepath[1] returns the parent full executable path, proc.aexepath[2] returns the grandparent full executable path, and so on. proc.aexepath[0] is the full executable path of the current process. proc.aexepath without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aexepath contains java."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.name", "Name", "The name (excluding the path) of the executable generating the event (task->comm). This field is updated on a procfs scan (in this case the field is read from /proc/<pid>/status) or when a exceve or close syscall occurs (in this case the field is read from the syscall args)."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pname", "Parent Name", "The proc.name (name excluding the path of the parent) of the process generating the event."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.aname", "Ancestor Name", "List of the proc.name of one of the process ancestors. e.g. proc.aname[1] returns the parent name, proc.aname[2] returns the grandparent name, and so on. proc.aname[0] is the name of the current process. proc.aname without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.aname=bash."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.args", "Arguments", "The arguments passed on the command line when starting the process generating the event excluding argv[0]. This field is updated on a procfs scan (in this case the field is read from /proc/<pid>/cmdline) or when a exceve or close syscall occurs (in this case the field is read from the syscall args)."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.cmdline", "Command Line", "The full command line (proc.name + proc.args) when starting the process generating the event."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pcmdline", "Parent Command Line", "The full command line (proc.name + proc.args) of the parent of the process generating the event."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.acmdline", "Ancestor Command Line", "The full command line (proc.name + proc.args) of one of the process ancestors. e.g. proc.acmdline[1] returns the parent full command line, proc.acmdline[2] returns the grandparent full command line and so on. proc.acmdline[0] is the full command line of the current process. proc.acmdline without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.acmdline contains base64."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.pcmdline", "Parent Command Line", "The proc.cmdline (full command line (proc.name + proc.args)) of the parent of the process generating the event."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.acmdline", "Ancestor Command Line", "The list of proc.cmdline (full command line (proc.name + proc.args)) of one of the process ancestors. e.g. proc.acmdline[1] returns the parent full command line, proc.acmdline[2] returns the grandparent full command line and so on. proc.acmdline[0] is the full command line of the current process. proc.acmdline without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.acmdline contains base64."},
{PT_UINT64, EPF_NONE, PF_DEC, "proc.cmdnargs", "Number of Command Line args", "The number of command line args (proc.args)."},
{PT_UINT64, EPF_NONE, PF_DEC, "proc.cmdlenargs", "Total Count of Characters in Command Line args", "The total count of characters / length of the comamnd line args (proc.args) combined excluding whitespaces between args."},
{PT_CHARBUF, EPF_NONE, PF_NA, "proc.exeline", "Executable Command Line", "The full command line, with exe as first argument (proc.exe + proc.args) when starting the process generating the event."},
Expand All @@ -1895,7 +1895,7 @@ const filtercheck_field_info sinsp_filter_check_thread_fields[] =
{PT_INT32, EPF_NONE, PF_ID, "proc.tty", "Process TTY", "The controlling terminal of the process. 0 for processes without a terminal."},
{PT_INT64, EPF_NONE, PF_ID, "proc.pid", "Process ID", "The id of the process generating the event."},
{PT_INT64, EPF_NONE, PF_ID, "proc.ppid", "Parent Process ID", "The pid of the parent of the process generating the event."},
{PT_INT64, EPF_NONE, PF_ID, "proc.apid", "Ancestor Process ID", "The pid of one of the process ancestors. e.g. proc.apid[1] returns the parent pid, proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the current process. proc.apid without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.apid=1234."},
{PT_INT64, EPF_NONE, PF_ID, "proc.apid", "Ancestor Process ID", "The list of the pids of the process ancestors. e.g. proc.apid[1] returns the parent pid, proc.apid[2] returns the grandparent pid, and so on. proc.apid[0] is the pid of the current process. proc.apid without arguments can be used in filters only and matches any of the process ancestors, e.g. proc.apid=1234."},
{PT_INT64, EPF_NONE, PF_ID, "proc.vpid", "Virtual Process ID", "The id of the process generating the event as seen from its current PID namespace."},
{PT_INT64, EPF_NONE, PF_ID, "proc.pvpid", "Parent Virtual Process ID", "The id of the parent process generating the event as seen from its current PID namespace."},
{PT_INT64, EPF_NONE, PF_ID, "proc.sid", "Process Session ID", "The session id of the process generating the event."},
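Review bot: The new descriptions for proc.exepath, proc.name and proc.args misspell the syscall as `exceve` (three occurrences); this table is what the field listing prints for rule authors, so it should read `execve` (and `an execve` rather than `a execve`). The new proc.pname text is also garbled — `The proc.name (name excluding the path of the parent) of the process generating the event.` reads as if the parent's path is what is excluded; the original wording, `The proc.name (name excluding the path) of the parent of the process generating the event.`, is the correct one. Since the commit now documents where proc.exe comes from, it would help detection engineers to add the trust caveat that argv[0] is chosen by whoever calls execve and can be any string, so `proc.exe` (and `proc.name`) alone are weak evidence of which binary is actually running, and `proc.exepath`, resolved from /proc/<pid>/exe, is the field to prefer when a rule needs to identify the executable. The claim that proc.exepath, proc.name and proc.args are also refreshed `when a ... close syscall occurs` is not something this hunk shows; it is worth confirming against the event handlers before publishing it, because a wrong refresh rule misleads rule authors about how stale those fields can be.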
