x-pack/osquerybeat/ext/osquery-extension/docs/tables/elastic_host_processes.md

% This file is generated! See ext/osquery-extension/cmd/gentables.

elastic_host_processes

Host system running processes from /proc (e.g. when running in a container with hostfs mounted)

Platforms

  • ✅ Linux
  • ❌ macOS
  • ❌ Windows

Description

Query running process information from the host system when running in a container. Reads from the host's /proc via hostfs (default /hostfs); set ELASTIC_OSQUERY_HOSTFS to override. Use for container security monitoring, host process auditing, and forensics.

Schema

| Column | Type | Description |
|---|---|---|
| pid | BIGINT | Process (or thread) ID |
| name | TEXT | The process path or shorthand argv[0] |
| path | TEXT | Path to executed binary |
| cmdline | TEXT | Complete argv (command line arguments) |
| state | TEXT | Process state (R=running, S=sleeping, D=disk sleep, Z=zombie, T=stopped) |
| cwd | TEXT | Process current working directory |
| root | TEXT | Process virtual root directory |
| uid | BIGINT | Unsigned user ID (real UID) |
| gid | BIGINT | Unsigned group ID (real GID) |
| euid | BIGINT | Unsigned effective user ID |
| egid | BIGINT | Unsigned effective group ID |
| suid | BIGINT | Unsigned saved user ID |
| sgid | BIGINT | Unsigned saved group ID |
| on_disk | INTEGER | The process path exists; yes=1, no=0, unknown=-1 |
| wired_size | BIGINT | Bytes of unpageable memory (always 0 on Linux) |
| resident_size | BIGINT | Bytes of private memory used by process (RSS) |
| total_size | BIGINT | Total virtual memory size |
| user_time | BIGINT | CPU time in milliseconds spent in user space |
| system_time | BIGINT | CPU time in milliseconds spent in kernel space |
| disk_bytes_read | BIGINT | Bytes read from disk |
| disk_bytes_written | BIGINT | Bytes written to disk |
| start_time | BIGINT | Process start time in seconds since Epoch, or -1 if error |
| parent | BIGINT | Process parent's PID (PPID) |
| pgroup | BIGINT | Process group ID |
| threads | INTEGER | Number of threads used by process |
| nice | INTEGER | Process nice level (-20 to 20, default 0) |

Examples

Get all host processes

```sql
SELECT pid, name, cmdline FROM elastic_host_processes;
```

Find process by PID

```sql
SELECT * FROM elastic_host_processes WHERE pid = 1;
```

Find processes running as root

```sql
SELECT pid, name, uid, cmdline FROM elastic_host_processes WHERE uid = 0;
```
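The following queries are added examples for the monitoring, auditing and forensics use cases named in the description; they are not part of the generated table docs. They use only the columns in the schema above plus SQLite's `strftime`, which osquery's SQL engine provides. The thresholds (one hour, 100 threads) are illustrative values chosen for the example.

```sql
-- Added examples (not from the generated docs). Column names are from the
-- elastic_host_processes schema; thresholds are illustrative.

-- 1. Host processes whose executable is no longer on disk (deleted or replaced
--    after launch). on_disk = -1 means the path could not be checked, so it is
--    deliberately not treated as "missing" here.
SELECT pid, parent, name, path, cmdline, uid, start_time
FROM elastic_host_processes
WHERE on_disk = 0;

-- 2. Privilege-changing processes: real, effective and saved UIDs differ
--    (setuid binaries, or services that dropped or raised privileges).
SELECT pid, name, path, uid, euid, suid, cmdline
FROM elastic_host_processes
WHERE uid != euid OR uid != suid;

-- 3. Root processes started in the last hour. start_time is seconds since the
--    Epoch (-1 on error), so compare it with the current Unix time.
SELECT pid, parent, name, cmdline, start_time
FROM elastic_host_processes
WHERE uid = 0
  AND start_time != -1
  AND start_time > CAST(strftime('%s', 'now') AS INTEGER) - 3600
ORDER BY start_time DESC;

-- 4. Parent/child view: self-join on parent to show which process spawned
--    each one (e.g. shells launched by long-running services).
SELECT c.pid, c.name AS child, c.cmdline AS child_cmdline,
       p.pid AS ppid, p.name AS parent_name, p.uid AS parent_uid
FROM elastic_host_processes AS c
LEFT JOIN elastic_host_processes AS p ON p.pid = c.parent
ORDER BY c.parent, c.pid;

-- 5. State and resource summary: zombies and unusually threaded processes,
--    with total CPU time in milliseconds.
SELECT pid, name, state, threads, resident_size,
       user_time + system_time AS cpu_ms
FROM elastic_host_processes
WHERE state = 'Z' OR threads > 100
ORDER BY cpu_ms DESC;
```

Because the table reads the host's `/proc` through hostfs, these queries report host processes even when osquerybeat itself runs inside a container; run them on a schedule and diff the results to turn them into detections rather than one-off checks.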

Notes

  • Linux only. Requires host /proc (or root) mounted (e.g. -v /:/hostfs:ro or -v /proc:/hostfs/proc:ro).
  • Use ELASTIC_OSQUERY_HOSTFS to override the hostfs root (default /hostfs).
  • See also: elastic_host_users, processes.