
Commit 3871710

Merge branch 'main' into task/updating_process_fields
2 parents 7da2327 + 146c96a commit 3871710

15 files changed

+0
-570
lines changed


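--- a/CHANGELOG.next.md
+++ b/CHANGELOG.next.md
@@ -25,8 +25,6 @@ Thanks, you're awesome :-) -->
 
 #### Improvements
 
-* Added `.caseless` subfield to `process.name` and `process.executable`. #2341
-
 #### Deprecated
 
 ### Tooling and Artifact Changes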

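--- a/docs/fields/field-details.asciidoc
+++ b/docs/fields/field-details.asciidoc
@@ -8128,9 +8128,6 @@ type: keyword
 
 Multi-fields:
 
-* process.executable.caseless (type: keyword)
-
-
 * process.executable.text (type: match_only_text)
 
 
@@ -8346,9 +8343,6 @@ type: keyword
 
 Multi-fields:
 
-* process.name.caseless (type: keyword)
-
-
 * process.name.text (type: match_only_text)
 
 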

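--- a/experimental/generated/beats/fields.ecs.yml
+++ b/experimental/generated/beats/fields.ecs.yml
@@ -5175,10 +5175,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: Absolute path to the process executable.
@@ -5217,10 +5213,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: 'Process name.
@@ -5490,11 +5482,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
-default_field: false
 - name: text
 type: match_only_text
 default_field: false
@@ -5573,10 +5560,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: Absolute path to the process executable.
@@ -5615,10 +5598,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: 'Process name.
@@ -6033,11 +6012,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
-default_field: false
 - name: text
 type: match_only_text
 default_field: false
@@ -6427,10 +6401,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: Absolute path to the process executable.
@@ -6674,10 +6644,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: 'Process name.
@@ -7264,10 +7230,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: Absolute path to the process executable.
@@ -7383,10 +7345,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: Absolute path to the process executable.
@@ -7425,10 +7383,6 @@
 type: keyword
 ignore_above: 1024
 multi_fields:
-- name: caseless
-type: keyword
-normalizer: lowercase
-ignore_above: 1024
 - name: text
 type: match_only_text
 description: 'Process name.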

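--- a/experimental/generated/csv/fields.csv
+++ b/experimental/generated/csv/fields.csv
@@ -648,13 +648,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source.
 8.12.0-dev+exp,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader.
 8.12.0-dev+exp,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.12.0-dev+exp,true,process,process.entry_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.entry_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.12.0-dev+exp,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group.
 8.12.0-dev+exp,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
 8.12.0-dev+exp,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name.
-8.12.0-dev+exp,true,process,process.entry_leader.name.caseless,keyword,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.entry_leader.name.text,match_only_text,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 8.12.0-dev+exp,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id.
@@ -690,7 +688,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.entry_leader.working_directory.text,match_only_text,extended,,/home/alice,The working directory of the process.
 8.12.0-dev+exp,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings.
 8.12.0-dev+exp,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.12.0-dev+exp,true,process,process.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.exit_code,long,extended,,137,The exit code of the process.
 8.12.0-dev+exp,true,process,process.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
@@ -701,13 +698,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.group_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 8.12.0-dev+exp,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 8.12.0-dev+exp,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.12.0-dev+exp,true,process,process.group_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.group_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.12.0-dev+exp,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group.
 8.12.0-dev+exp,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
 8.12.0-dev+exp,true,process,process.group_leader.name,keyword,extended,,ssh,Process name.
-8.12.0-dev+exp,true,process,process.group_leader.name.caseless,keyword,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.group_leader.name.text,match_only_text,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.group_leader.pid,long,core,,4242,Process id.
 8.12.0-dev+exp,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
@@ -767,7 +762,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
 8.12.0-dev+exp,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
 8.12.0-dev+exp,true,process,process.name,keyword,extended,,ssh,Process name.
-8.12.0-dev+exp,true,process,process.name.caseless,keyword,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.name.text,match_only_text,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 8.12.0-dev+exp,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array.
@@ -823,7 +817,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended.
 8.12.0-dev+exp,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 8.12.0-dev+exp,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.12.0-dev+exp,true,process,process.parent.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.parent.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process.
 8.12.0-dev+exp,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
@@ -857,7 +850,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`.
 8.12.0-dev+exp,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file.
 8.12.0-dev+exp,true,process,process.parent.name,keyword,extended,,ssh,Process name.
-8.12.0-dev+exp,true,process,process.parent.name.caseless,keyword,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.parent.name.text,match_only_text,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
 8.12.0-dev+exp,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
@@ -941,7 +933,6 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments.
 8.12.0-dev+exp,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array.
 8.12.0-dev+exp,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.12.0-dev+exp,true,process,process.previous.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.previous.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.12.0-dev+exp,true,process,process.real_group.name,keyword,extended,,,Name of the group.
@@ -959,13 +950,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 8.12.0-dev+exp,true,process,process.session_leader.command_line.text,match_only_text,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process.
 8.12.0-dev+exp,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 8.12.0-dev+exp,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
-8.12.0-dev+exp,true,process,process.session_leader.executable.caseless,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.session_leader.executable.text,match_only_text,extended,,/usr/bin/ssh,Absolute path to the process executable.
 8.12.0-dev+exp,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
 8.12.0-dev+exp,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group.
 8.12.0-dev+exp,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell.
 8.12.0-dev+exp,true,process,process.session_leader.name,keyword,extended,,ssh,Process name.
-8.12.0-dev+exp,true,process,process.session_leader.name.caseless,keyword,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.session_leader.name.text,match_only_text,extended,,ssh,Process name.
 8.12.0-dev+exp,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process.
 8.12.0-dev+exp,true,process,process.session_leader.parent.pid,long,core,,4242,Process id.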

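--- a/experimental/generated/ecs/ecs_flat.yml
+++ b/experimental/generated/ecs/ecs_flat.yml
@@ -8426,11 +8426,6 @@ process.entry_leader.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.entry_leader.executable.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.entry_leader.executable.text
 name: text
 type: match_only_text
@@ -8492,11 +8487,6 @@ process.entry_leader.name:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.entry_leader.name.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.entry_leader.name.text
 name: text
 type: match_only_text
@@ -8920,11 +8910,6 @@ process.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.executable.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.executable.text
 name: text
 type: match_only_text
@@ -9044,11 +9029,6 @@ process.group_leader.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.group_leader.executable.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.group_leader.executable.text
 name: text
 type: match_only_text
@@ -9110,11 +9090,6 @@ process.group_leader.name:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.group_leader.name.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.group_leader.name.text
 name: text
 type: match_only_text
@@ -9804,11 +9779,6 @@ process.name:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.name.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.name.text
 name: text
 type: match_only_text
@@ -10470,11 +10440,6 @@ process.parent.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.parent.executable.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.parent.executable.text
 name: text
 type: match_only_text
@@ -10884,11 +10849,6 @@ process.parent.name:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.parent.name.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.parent.name.text
 name: text
 type: match_only_text
@@ -11873,11 +11833,6 @@ process.previous.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.previous.executable.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.previous.executable.text
 name: text
 type: match_only_text
@@ -12063,11 +12018,6 @@ process.session_leader.executable:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.session_leader.executable.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.session_leader.executable.text
 name: text
 type: match_only_text
@@ -12129,11 +12079,6 @@ process.session_leader.name:
 ignore_above: 1024
 level: extended
 multi_fields:
-- flat_name: process.session_leader.name.caseless
-ignore_above: 1024
-name: caseless
-normalizer: lowercase
-type: keyword
 - flat_name: process.session_leader.name.text
 name: text
 type: match_only_text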
