Migrate system process metricset fields to ECS

[jsoriano]

No description provided.

[jsoriano]

It can be weird to find pgid here but the rest of ids in process.*, should we add this to ECS?

[ruflin]

+1. even if it's not in ECS, we can push it under process.*.

@webmat FYI

[jsoriano]

To what fields file should I add this field? To the ECS one even if it is not in ECS yet?

[jsoriano]

I have added it by now to field.ecs.yml and opened a PR in ECS elastic/ecs#311

[jsoriano]

CI failure not related, reproduced locally and it seems related to latest ES snapshot:

{"type":"mapper_parsing_exception","reason":"failed to parse field [suricata.eve.flow.start] of type [date]","caused_by":{"type":"illegal_argument_exception","reason":"failed to parse date field [2018-10-03T14:42:44.613469+0000] with format [strict_date_optional_time||epoch_millis]","caused_by":{"type":"date_time_parse_exception","reason":"Text '2018-10-03T14:42:44.613469+0000' could not be parsed, unparsed text found at index 26"}}

[ruflin]

Nice data.json update.

[webmat]

Mostly commented about the group ID

[webmat]

As proposed in your ECS PR, I would go for process.group.id here (and process.user.id if you have that)

[webmat]

Actually seeing the full context, I wonder if we shouldn't simply map to the top level fields, like you did for user.name. So:

• system.process.username => user.name
• system.process.pgid => group.id

And equivalent mappings, if you have user id and group name.

WDYT @ruflin ?

I'd say unless the events can contain more than one user or group, we shouldn't nest them.

[jsoriano]

As commented in elastic/ecs#311, the pgid identifies a group of processes, not a group of users. It is a value similar to ppid, I think it belongs to process.

[webmat]

And don't forget to leave group ID as text (wherever it ends up)

[webmat]

By text I meant keyword datatype, here

[jsoriano]

I agree that these ids could be keyword, but this is a value of the same kind as pid or ppid and they are defined as long in ECS 🤔

[webmat]

Gotcha, I was not familiar with pgid. If the semantics are like PID, this can be left as numeric, then.

So recap: I'm good with the field process.pgid, and I'm good with it remaining numeric 👍

[ruflin]

Ah I see, we also have it as part of the monitoring reporting?

[jsoriano]

Yes, I think this is also used for beats monitoring.

[jsoriano]

pgid moved to metricbeat only fields

[webmat]

I'm good with the pgid as it is now. I wasn't familiar with the concept.

Noticed that cwd migration is missing an alias in fields.yml and ecs-migration.yml. After that, I think we're good :-)

[webmat]

Gotcha, I was not familiar with pgid. If the semantics are like PID, this can be left as numeric, then.

So recap: I'm good with the field process.pgid, and I'm good with it remaining numeric 👍

[webmat]

cwd should be migrated to process.working_directory

[jsoriano]

Oh, good catch, thanks.

[jsoriano]

Fixed

[webmat]

❤️ more verbose failures ;-)

[webmat]

LGTM