Add process metadata
Theadd_process_metadata processor enriches events with information from running processes, identified by their process ID (PID).
- add_process_metadata: match_pids: [system.process.ppid] target: system.process.parentThe fields added to the event look as follows:
"process": { "name": "systemd", "title": "/usr/lib/systemd/systemd --switched-root --system --deserialize 22", "exe": "/usr/lib/systemd/systemd", "args": ["/usr/lib/systemd/systemd", "--switched-root", "--system", "--deserialize", "22"], "pid": 1, "parent": { "pid": 0 }, "start_time": "2018-08-22T08:44:50.684Z", "owner": { "name": "root", "id": "0" }},"container": { "id": "b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b1"},Optionally, the process environment can be included, too:
..."env": { "HOME": "/", "TERM": "linux", "BOOT_IMAGE": "/boot/vmlinuz-4.11.8-300.fc26.x86_64", "LANG": "en_US.UTF-8",}...Note
Elastic Agent processors executebefore ingest pipelines, which means that they process the raw event data rather than the final event sent to Elasticsearch. For related limitations, refer toWhat are some limitations of using processors?
| Name | Required | Default | Description |
|---|---|---|---|
match_pids | Yes | List of fields to lookup for a PID. The processor searches the list sequentially until the field is found in the current event, and the PID lookup is then applied to the value of this field. | |
target | No | event root | Destination prefix where theprocess object will be created. |
include_fields | No | List of fields to add. By default, adds all available fields exceptprocess.env. | |
ignore_missing | No | true | Whether to ignore missing fields. Iffalse, discards events that don’t contain any of the fields specified inmatch_pids and then generates an error. Iftrue, missing fields are ignored. |
overwrite_keys | No | false | Whether to overwrite existing keys. Iffalse and a target field already exists, it is not, overwritten, and an error is logged. Iftrue, the target field is overwritten. |
restricted_fields | No | false | Whether to output restricted fields. Iffalse, to avoid leaking sensitive data, theprocess.env field is not output. Iftrue, the field will be present in the output. |
host_path | No | root directory (/) of host | Host path where/proc is mounted. For different runtime configurations of Kubernetes or Docker, set thehost_path to overwrite the default. |
cgroup_prefixes | No | /kubepods and/docker | Prefix where the container ID is inside cgroup. For different runtime configurations of Kubernetes or Docker, setcgroup_prefixes to overwrite the defaults. |
cgroup_regex | No | Regular expression with capture group for capturing the container ID from the cgroup path. For example: 1. ^\/.+\/.+\/.+\/([0-9a-f]{{64}}).* matches the container ID of a cgroup like/kubepods/besteffort/pod665fb997-575b-11ea-bfce-080027421ddf/b5285682fba7449c86452b89a800609440ecc88a7ba5f2d38bedfb85409b30b12. ^\/.+\/.+\/.+\/docker-([0-9a-f]{{64}}).scope matches the container ID of a cgroup like/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod69349abe_d645_11ea_9c4c_08002709c05c.slice/docker-80d85a3a585f1575028ebe468d83093c301eda20d37d1671ff2a0be50fc0e460.scope3. ^\/.+\/.+\/.+\/crio-([0-9a-f]{{64}}).scope matches the container ID of a cgroup like/kubepods.slice/kubepods-burstable.slice/kubepods-burstable-pod69349abe_d645_11ea_9c4c_08002709c05c.slice/crio-80d85a3a585f1575028ebe468d83093c301eda20d37d1671ff2a0be50fc0e460.scopeIf cgroup_regex is not set, the container ID is extracted from the cgroup file based on thecgroup_prefixes setting. | |
cgroup_cache_expire_time | No | 30s | Time in seconds before cgroup cache elements expire. To disable the cgroup cache, set this to0. In some container runtime technologies, like runc, the container’s process is also a process in the host kernel and will be affected by PID rollover/reuse. Set the expire time to a value that is smaller than the PIDs wrap around time to avoid the wrong container ID. |