You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Add `trace_exec` to the `Trace` parameter example list.
- Add `exec` to the `event_type` enumeration in the Common fields
table.
- Add a new `Exec trace fields` section documenting the fields
produced by the exec trace.
Note this is a fix for code changes without corresponding docs PR
Signed-off-by: Eric D. Schabell <eric@schabell.org>
Copy file name to clipboardExpand all lines: pipeline/inputs/ebpf.md
+18-2Lines changed: 18 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,7 +20,7 @@ The plugin supports the following configuration parameters:
20
20
|:----|:------------|:--------|
21
21
|`poll_ms`| Set the polling interval in milliseconds for collecting events from the ring buffer. |`1000`|
22
22
|`ringbuf_map_name`| Set the name of the eBPF ring buffer map to read events from. |`events`|
23
-
|`trace`| Set the eBPF trace to enable (for example, `trace_bind`, `trace_malloc`, `trace_signal`, `trace_tcp`, `trace_vfs`). This parameter can be set multiple times to enable multiple traces. |_none_|
23
+
|`trace`| Set the eBPF trace to enable (for example, `trace_bind`, `trace_exec`, `trace_malloc`, `trace_signal`, `trace_tcp`, `trace_vfs`). This parameter can be set multiple times to enable multiple traces. |_none_|
24
24
25
25
## System dependencies
26
26
@@ -130,7 +130,7 @@ All traces include the following fields:
130
130
131
131
| Field | Description |
132
132
|:------|:------------|
133
-
|`event_type`| Type of event (`signal`, `malloc`, `bind`, `tcp`, or `vfs`). |
133
+
|`event_type`| Type of event (`signal`, `malloc`, `bind`, `exec`, `tcp`, or `vfs`). |
134
134
|`pid`| Process ID that generated the event. |
135
135
|`tid`| Thread ID that generated the event. |
136
136
|`comm`| Command name (process name) that generated the event. |
@@ -194,3 +194,19 @@ The `trace_vfs` trace includes these additional fields:
194
194
|`mode`| File mode bits for the operation. |
195
195
|`fd`| File descriptor returned by the operation. |
196
196
|`error_raw`| Error code for the operation (`0` indicates success). |
197
+
198
+
### Exec trace fields
199
+
200
+
The `trace_exec` trace includes these additional fields:
201
+
202
+
| Field | Description |
203
+
|:------|:------------|
204
+
|`stage`| Execution stage. One of `enter`, `exit`, or `unknown`. |
205
+
|`ppid`| Parent process ID. |
206
+
|`filename`| Path of the executable being run. |
207
+
|`argv`| First argument of the command (`argv[0]`). |
208
+
|`argv1`| Second argument of the command (`argv[1]`). |
209
+
|`argv2`| Third argument of the command (`argv[2]`). |
210
+
|`argv_last`| Final captured argument when more than three are present. |
211
+
|`argc`| Total number of arguments. |
212
+
|`error_raw`| Error code for the operation (`0` indicates success). |
0 commit comments