Channels
#general
Title
# general
c
Carl
02/19/2020, 5:04 PMtrying to correlate socket events to process events, does anybody have a good column for doing corelation based on unique identifier in the following example query?
Copy code
select
socket_events.remote_port,
socket_events.remote_address,
process_events.cmdline,
process_events.pid
from socket_events
join process_events on process_events.pid = socket_events.pids
seph
02/19/2020, 6:51 PM
What problem are you having?
I suspect that the issue is not the identifier. but that the event tables are transient.
select * process_eventsc
Carl
02/19/2020, 6:52 PMhm, possible, the problem im having is im not sure what uniqe index to use to join them on
pid = repeats, and matching on hostname or host id doesn't solve that issue
s
seph
02/19/2020, 6:52 PM
pid seems correct to me.
c
Carl
02/19/2020, 6:52 PMwhats the diff between procs and proc_events again? procs is real time? like running a ps -A and proc events is logged proc actions right?
i tried pid but again, due to pid recycling, it seems to not work
and time doesn't work because a proc could be a live for a long time before it does "socket thing"
or it might not, who knows
s
seph
02/19/2020, 6:54 PM
Yeah.
processesprocess_eventsc
Carl
02/19/2020, 6:54 PMso, in my case im using Uptycs, it does that
but the issue is that within my window, im lacking a uniqe identifier to join across
s
seph
02/19/2020, 6:55 PM
If you’re churning processes so fast that you’re hitting pid reuse. I suspect you’d do better to subscribe to the events and correlate them serverside/
#uptycs may have suggestions.
9 Views