https://github.com/osquery/osquery logo
Powered by
Title
t

theopolis

10/16/2020, 3:11 PM
Proposal (which I can raise on GitHub as a blueprint, but wanted to post here for quick discussion first), since we'll have 
bpf_process_events
and 
es_process_events
, should we rename the original to 
audit_process_events
? The code should facilitate this "aliasing" without breaking people's existing queries. Essentially 
process_events
will become a clone, of 
audit_process_events
and will not show up in documentation/schema listing, but the virtual table will exist.
👍 2
s

sundsta

10/16/2020, 3:17 PM
Makes sense to me
m

Mike Myers

10/16/2020, 3:39 PM
https://github.com/osquery/osquery/pull/6571#issuecomment-665922702 Alessandro told me this last time but maybe you're asking a slightly different question
Like I guess they collect slightly different event fields and therefore he thought they are not interchangeable
a

alessandrogario

10/16/2020, 3:42 PM
Maybe we could come up with a small subset of columns that should be always present, and use those in the alias as some sort of interface
Mike is right, the bpf_process_events table already has some things that process_events can't easily have: duration (how much time it took to service the system call), ntime (nsecs timestamp of the syscall relative to the boot time, as provided by BPF), cid (cgroup id)
t

theopolis

10/16/2020, 4:17 PM
For most things we try to abstract the concept across operating systems. But there is too much nuance, configuration, and expectation setting with process eventing so it makes sense to have them technology specific. We can iterate though.
👍 2
3 Views
#coreJoin Slack
Powered by