Skip to content

process.md

Latest commit

 

History

History
152 lines (113 loc) · 15.8 KB

process.md

File metadata and controls

152 lines (113 loc) · 15.8 KB

Process

Process Attributes

An operating system process.

Attributes:

Key Stability Value Type Description Example Values
process.args_count Release Candidate int Length of the process.command_args array [1] 4
process.command Release Candidate string The command used to launch the process (i.e. the command name). On Linux based systems, can be set to the zeroth string in proc/[pid]/cmdline. On Windows, can be set to the first parameter extracted from GetCommandLineW. cmd/otelcol
process.command_args Release Candidate string[] All the command arguments (including the command/executable itself) as received by the process. On Linux-based systems (and some other Unixoid systems supporting procfs), can be set according to the list of null-delimited strings extracted from proc/[pid]/cmdline. For libc-based executables, this would be the full argv vector passed to main. SHOULD NOT be collected by default unless there is sanitization that excludes sensitive data. ["cmd/otecol", "--config=config.yaml"]
process.command_line Release Candidate string The full command used to launch the process as a single string representing the full command. On Windows, can be set to the result of GetCommandLineW. Do not set this if you have to assemble it just for monitoring; use process.command_args instead. SHOULD NOT be collected by default unless there is sanitization that excludes sensitive data. C:\cmd\otecol --config="my directory\config.yaml"
process.context_switch.type Release Candidate string Specifies whether the context switches for this data point were voluntary or involuntary. voluntary; involuntary
process.creation.time Release Candidate string The date and time the process was created, in ISO 8601 format. 2023-11-21T09:25:34.853Z
process.environment_variable.<key> Release Candidate string Process environment variables, <key> being the environment variable name, the value being the environment variable value. [2] ubuntu; /usr/local/bin:/usr/bin
process.executable.build_id.gnu Release Candidate string The GNU build ID as found in the .note.gnu.build-id ELF section (hex string). c89b11207f6479603b0d49bf291c092c2b719293
process.executable.build_id.go Release Candidate string The Go build ID as retrieved by go tool buildid <go executable>. foh3mEXu7BLZjsN9pOwG/kATcXlYVCDEFouRMQed_/WwRFB1hPo9LBkekthSPG/x8hMC8emW2cCjXD0_1aY
process.executable.build_id.htlhash Release Candidate string Deterministic build ID for executables. [3] 600DCAFE4A110000F2BF38C493F5FB92
process.executable.name Release Candidate string The name of the process executable. On Linux based systems, this SHOULD be set to the base name of the target of /proc/[pid]/exe. On Windows, this SHOULD be set to the base name of GetProcessImageFileNameW. otelcol
process.executable.path Release Candidate string The full path to the process executable. On Linux based systems, can be set to the target of proc/[pid]/exe. On Windows, can be set to the result of GetProcessImageFileNameW. /usr/bin/cmd/otelcol
process.exit.code Release Candidate int The exit code of the process. 127
process.exit.time Release Candidate string The date and time the process exited, in ISO 8601 format. 2023-11-21T09:26:12.315Z
process.group_leader.pid Release Candidate int The PID of the process's group leader. This is also the process group ID (PGID) of the process. 23
process.interactive Release Candidate boolean Whether the process is connected to an interactive shell.
process.owner Release Candidate string The username of the user that owns the process. root
process.parent_pid Release Candidate int Parent Process identifier (PPID). 111
process.pid Release Candidate int Process identifier (PID). 1234
process.real_user.id Release Candidate int The real user ID (RUID) of the process. 1000
process.real_user.name Release Candidate string The username of the real user of the process. operator
process.runtime.description Release Candidate string An additional description about the runtime of the process, for example a specific vendor customization of the runtime environment. Eclipse OpenJ9 Eclipse OpenJ9 VM openj9-0.21.0
process.runtime.name Release Candidate string The name of the runtime of this process. OpenJDK Runtime Environment
process.runtime.version Release Candidate string The version of the runtime of this process, as returned by the runtime without modification. 14.0.2
process.saved_user.id Release Candidate int The saved user ID (SUID) of the process. 1002
process.saved_user.name Release Candidate string The username of the saved user. operator
process.session_leader.pid Release Candidate int The PID of the process's session leader. This is also the session ID (SID) of the process. 14
process.state Release Candidate string The process state, e.g., Linux Process State Codes running
process.title Release Candidate string Process title (proctitle) [4] cat /etc/hostname; xfce4-session; bash
process.user.id Release Candidate int The effective user ID (EUID) of the process. 1001
process.user.name Release Candidate string The username of the effective user of the process. root
process.vpid Release Candidate int Virtual process identifier. [5] 12
process.working_directory Release Candidate string The working directory of the process. /root

[1] process.args_count: This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity.

[2] process.environment_variable.<key>: Examples:

  • an environment variable USER with value "ubuntu" SHOULD be recorded as the process.environment_variable.USER attribute with value "ubuntu".

  • an environment variable PATH with value "/usr/local/bin:/usr/bin" SHOULD be recorded as the process.environment_variable.PATH attribute with value "/usr/local/bin:/usr/bin".

[3] process.executable.build_id.htlhash: GNU and Go build IDs may be stripped or unavailable in some environments (e.g., Alpine Linux, Docker images). This attribute provides a deterministic build ID computed by hashing the first and last 4096 bytes of the file along with its length:

Input   ← Concat(File[:4096], File[-4096:], BigEndianUInt64(Len(File)))
Digest  ← SHA256(Input)
BuildID ← Digest[:16]

The result is the first 16 bytes (128 bits) of the SHA256 digest, represented as a hex string.

[4] process.title: In many Unix-like systems, process title (proctitle), is the string that represents the name or command line of a running process, displayed by system monitoring tools like ps, top, and htop.

[5] process.vpid: The process ID within a PID namespace. This is not necessarily unique across all processes on the host but it is unique within the process namespace that the process exists within.

process.context_switch.type has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

Value Description Stability
involuntary involuntary Release Candidate
voluntary voluntary Release Candidate

process.state has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

Value Description Stability
defunct defunct Release Candidate
running running Release Candidate
sleeping sleeping Release Candidate
stopped stopped Release Candidate

Process Linux Attributes

Describes Linux Process attributes

Attributes:

Key Stability Value Type Description Example Values
process.linux.cgroup Release Candidate string The control group associated with the process. [6] 1:name=systemd:/user.slice/user-1000.slice/session-3.scope; 0::/user.slice/user-1000.slice/user@1000.service/tmux-spawn-0267755b-4639-4a27-90ed-f19f88e53748.scope

[6] process.linux.cgroup: Control groups (cgroups) are a kernel feature used to organize and manage process resources. This attribute provides the path(s) to the cgroup(s) associated with the process, which should match the contents of the /proc/[PID]/cgroup file.

Deprecated Process Attributes

Deprecated process attributes.

Attributes:

Key Stability Value Type Description Example Values
process.context_switch_type Deprecated
Replaced by process.context_switch.type.		 string "Deprecated, use process.context_switch.type instead." voluntary; involuntary
process.cpu.state Deprecated
Replaced by cpu.mode.		 string Deprecated, use cpu.mode instead. system; user; wait
process.executable.build_id.profiling Deprecated
Replaced by process.executable.build_id.htlhash.		 string "Deprecated, use process.executable.build_id.htlhash instead." 600DCAFE4A110000F2BF38C493F5FB92
process.paging.fault_type Deprecated
Replaced by system.paging.fault.type.		 string Deprecated, use system.paging.fault.type instead. major; minor

process.context_switch_type has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

Value Description Stability
involuntary involuntary Development
voluntary voluntary Development

process.cpu.state has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

Value Description Stability
system system Development
user user Development
wait wait Development

process.paging.fault_type has the following list of well-known values. If one of them applies, then the respective value MUST be used; otherwise, a custom value MAY be used.

Value Description Stability
major major Development
minor minor Development