You are viewing documentation for Falco version: v0.37.1

Falco v0.37.1 documentation is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.

Supported Fields for Conditions and Outputs

Events fields that you can use in conditions and outputs of Falco Rules

Here are the fields supported by Falco. These fields can be used in the condition key of a Falco rule and well as the output key. Any fields included in the output key of a rule will also be included in the alert's output_fields object when json_output is set to true.

You can also see this set of fields via falco --list=<source>, with <source> being one of the Falco event sources.

System Calls (source syscall)

syscall event source fields are provided by the Falco Drivers. See the supported events documentation to learn about all the available event types. The field evt.arg, evt.args and evt.rawarg is used to access arguments for each event. For example, in order to access the target arg of a symlinkat exit event you can use evt.arg.target.

# System Kernel Fields
$ falco --list=syscall

Field Class: evt

These fields can be used for all event types

NameTypeDescription
evt.numUINT64event number.
evt.timeCHARBUFevent timestamp as a time string that includes the nanosecond part.
evt.time.sCHARBUFevent timestamp as a time string with no nanoseconds.
evt.time.iso8601CHARBUFevent timestamp in ISO 8601 format, including nanoseconds and time zone offset (in UTC).
evt.datetimeCHARBUFevent timestamp as a time string that includes the date.
evt.datetime.sCHARBUFevent timestamp as a datetime string with no nanoseconds.
evt.rawtimeABSTIMEabsolute event timestamp, i.e. nanoseconds from epoch.
evt.rawtime.sABSTIMEinteger part of the event timestamp (e.g. seconds since epoch).
evt.rawtime.nsABSTIMEfractional part of the absolute event timestamp.
evt.reltimeRELTIMEnumber of nanoseconds from the beginning of the capture.
evt.reltime.sRELTIMEnumber of seconds from the beginning of the capture.
evt.reltime.nsRELTIMEfractional part (in ns) of the time from the beginning of the capture.
evt.pluginnameCHARBUFif the event comes from a plugin-defined event source, the name of the plugin that generated it. The plugin must be currently loaded.
evt.plugininfoCHARBUFif the event comes from a plugin-defined event source, a summary of the event as formatted by the plugin. The plugin must be currently loaded.
evt.sourceCHARBUFthe name of the source that produced the event.
evt.is_asyncBOOL'true' for asynchronous events, 'false' otherwise.
evt.asynctypeCHARBUFIf the event is asynchronous, the type of the event (e.g. 'container').
evt.hostnameCHARBUFThe hostname of the underlying host can be customized by setting an environment variable (e.g. FALCO_HOSTNAME for the Falco agent). This is valuable in Kubernetes setups, where the hostname can match the pod name particularly in DaemonSet deployments. To achieve this, assign Kubernetes' spec.nodeName to the environment variable. Notably, spec.nodeName generally includes the cluster name.

Field Class: evt (for system calls)

Event fields applicable to syscall events. Note that for most events you can access the individual arguments/parameters of each syscall via evt.arg, e.g. evt.arg.filename.

NameTypeDescription
evt.latencyRELTIMEdelta between an exit event and the correspondent enter event, in nanoseconds.
evt.latency.sRELTIMEinteger part of the event latency delta.
evt.latency.nsRELTIMEfractional part of the event latency delta.
evt.latency.humanCHARBUFdelta between an exit event and the correspondent enter event, as a human readable string (e.g. 10.3ms).
evt.deltatimeRELTIMEdelta between this event and the previous event, in nanoseconds.
evt.deltatime.sRELTIMEinteger part of the delta between this event and the previous event.
evt.deltatime.nsRELTIMEfractional part of the delta between this event and the previous event.
evt.dirCHARBUFevent direction can be either '>' for enter events or '<' for exit events.
evt.typeCHARBUFThe name of the event (e.g. 'open').
evt.type.isUINT32allows one to specify an event type, and returns 1 for events that are of that type. For example, evt.type.is.open returns 1 for open events, 0 for any other event.
syscall.typeCHARBUFFor system call events, the name of the system call (e.g. 'open'). Unset for other events (e.g. switch or internal events). Use this field instead of evt.type if you need to make sure that the filtered/printed value is actually a system call.
evt.categoryCHARBUFThe event category. Example values are 'file' (for file operations like open and close), 'net' (for network operations like socket and bind), memory (for things like brk or mmap), and so on.
evt.cpuINT16number of the CPU where this event happened.
evt.argsCHARBUFall the event arguments, aggregated into a single string.
evt.argCHARBUFone of the event arguments specified by name or by number. Some events (e.g. return codes or FDs) will be converted into a text representation when possible. E.g. 'evt.arg.fd' or 'evt.arg[0]'.
evt.rawargDYNAMICone of the event arguments specified by name. E.g. 'evt.rawarg.fd'.
evt.infoCHARBUFfor most events, this field returns the same value as evt.args. However, for some events (like writes to /dev/log) it provides higher level information coming from decoding the arguments.
evt.bufferBYTEBUFthe binary data buffer for events that have one, like read(), recvfrom(), etc. Use this field in filters with 'contains' to search into I/O data buffers.
evt.buflenUINT64the length of the binary data buffer for events that have one, like read(), recvfrom(), etc.
evt.resCHARBUFevent return value, as a string. If the event failed, the result is an error code string (e.g. 'ENOENT'), otherwise the result is the string 'SUCCESS'.
evt.rawresINT64event return value, as a number (e.g. -2). Useful for range comparisons.
evt.failedBOOL'true' for events that returned an error status.
evt.is_ioBOOL'true' for events that read or write to FDs, like read(), send, recvfrom(), etc.
evt.is_io_readBOOL'true' for events that read from FDs, like read(), recv(), recvfrom(), etc.
evt.is_io_writeBOOL'true' for events that write to FDs, like write(), send(), etc.
evt.io_dirCHARBUF'r' for events that read from FDs, like read(); 'w' for events that write to FDs, like write().
evt.is_waitBOOL'true' for events that make the thread wait, e.g. sleep(), select(), poll().
evt.wait_latencyRELTIMEfor events that make the thread wait (e.g. sleep(), select(), poll()), this is the time spent waiting for the event to return, in nanoseconds.
evt.is_syslogBOOL'true' for events that are writes to /dev/log.
evt.countUINT32This filter field always returns 1 and can be used to count events from inside chisels.
evt.count.errorUINT32This filter field returns 1 for events that returned with an error, and can be used to count event failures from inside chisels.
evt.count.error.fileUINT32This filter field returns 1 for events that returned with an error and are related to file I/O, and can be used to count event failures from inside chisels.
evt.count.error.netUINT32This filter field returns 1 for events that returned with an error and are related to network I/O, and can be used to count event failures from inside chisels.
evt.count.error.memoryUINT32This filter field returns 1 for events that returned with an error and are related to memory allocation, and can be used to count event failures from inside chisels.
evt.count.error.otherUINT32This filter field returns 1 for events that returned with an error and are related to none of the previous categories, and can be used to count event failures from inside chisels.
evt.count.exitUINT32This filter field returns 1 for exit events, and can be used to count single events from inside chisels.
evt.aroundUINT64Accepts the event if it's around the specified time interval. The syntax is evt.around[T]=D, where T is the value returned by %evt.rawtime for the event and D is a delta in milliseconds. For example, evt.around[1404996934793590564]=1000 will return the events with timestamp with one second before the timestamp and one second after it, for a total of two seconds of capture.
evt.abspathCHARBUFAbsolute path calculated from dirfd and name during syscalls like renameat and symlinkat. Use 'evt.abspath.src' or 'evt.abspath.dst' for syscalls that support multiple paths.
evt.is_open_readBOOL'true' for open/openat/openat2/open_by_handle_at events where the path was opened for reading
evt.is_open_writeBOOL'true' for open/openat/openat2/open_by_handle_at events where the path was opened for writing
evt.is_open_execBOOL'true' for open/openat/openat2/open_by_handle_at or creat events where a file is created with execute permissions
evt.is_open_createBOOL'true' for for open/openat/openat2/open_by_handle_at events where a file is created.

Field Class: process

Additional information about the process and thread executing the syscall event.

NameTypeDescription
proc.exeCHARBUFThe first command line argument argv[0] (truncated after 4096 bytes) which is usually the executable name but it could be also a custom string, it depends on what the user specifies. This field is collected from the syscalls args or, as a fallback, extracted from /proc/PID/cmdline.
proc.pexeCHARBUFThe proc.exe (first command line argument argv[0]) of the parent process.
proc.aexeCHARBUFThe proc.exe (first command line argument argv[0]) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aexe[1] retrieves the proc.exe of the parent process, proc.aexe[2] retrieves the proc.exe of the grandparent process, and so on. The current process's proc.exe line can be obtained using proc.aexe[0]. When used without any arguments, proc.aexe is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aexe endswith java to match any process ancestor whose proc.exe ends with the term java.
proc.exepathCHARBUFThe full executable path of the process (it could be truncated after 1024 bytes if read from '/proc'). This field is collected directly from the kernel or, as a fallback, extracted resolving the path of /proc/PID/exe, so symlinks are resolved. If you are using eBPF drivers this path could be truncated due to verifier complexity limits. (legacy eBPF kernel version < 5.2) truncated after 24 path components. (legacy eBPF kernel version >= 5.2) truncated after 48 path components. (modern eBPF kernel) truncated after 96 path components.
proc.pexepathCHARBUFThe proc.exepath (full executable path) of the parent process.
proc.aexepathCHARBUFThe proc.exepath (full executable path) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aexepath[1] retrieves the proc.exepath of the parent process, proc.aexepath[2] retrieves the proc.exepath of the grandparent process, and so on. The current process's proc.exepath line can be obtained using proc.aexepath[0]. When used without any arguments, proc.aexepath is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aexepath endswith java to match any process ancestor whose path ends with the term java.
proc.nameCHARBUFThe process name (truncated after 16 characters) generating the event (task->comm). Truncation is determined by kernel settings and not by Falco. This field is collected from the syscalls args or, as a fallback, extracted from /proc/PID/status. The name of the process and the name of the executable file on disk (if applicable) can be different if a process is given a custom name which is often the case for example for java applications.
proc.pnameCHARBUFThe proc.name truncated after 16 characters) of the process generating the event.
proc.anameCHARBUFThe proc.name (truncated after 16 characters) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.aname[1] retrieves the proc.name of the parent process, proc.aname[2] retrieves the proc.name of the grandparent process, and so on. The current process's proc.name line can be obtained using proc.aname[0]. When used without any arguments, proc.aname is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.aname=bash to match any process ancestor whose name is bash.
proc.argsCHARBUFThe arguments passed on the command line when starting the process generating the event excluding argv[0] (truncated after 4096 bytes). This field is collected from the syscalls args or, as a fallback, extracted from /proc/PID/cmdline.
proc.cmdlineCHARBUFThe concatenation of proc.name + proc.args (truncated after 4096 bytes) when starting the process generating the event.
proc.pcmdlineCHARBUFThe proc.cmdline (full command line (proc.name + proc.args)) of the parent of the process generating the event.
proc.acmdlineCHARBUFThe full command line (proc.name + proc.args) for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.acmdline[1] retrieves the full command line of the parent process, proc.acmdline[2] retrieves the proc.cmdline of the grandparent process, and so on. The current process's full command line can be obtained using proc.acmdline[0]. When used without any arguments, proc.acmdline is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.acmdline contains base64 to match any process ancestor whose command line contains the term base64.
proc.cmdnargsUINT64The number of command line args (proc.args).
proc.cmdlenargsUINT64The total count of characters / length of the command line args (proc.args) combined excluding whitespaces between args.
proc.exelineCHARBUFThe full command line, with exe as first argument (proc.exe + proc.args) when starting the process generating the event.
proc.envCHARBUFThe environment variables of the process generating the event as concatenated string 'ENV_NAME=value ENV_NAME1=value1'. Can also be used to extract the value of a known env variable, e.g. proc.env[ENV_NAME].
proc.aenvCHARBUF[EXPERIMENTAL] This field can be used in three flavors: (1) as a filter checking all parents, e.g. 'proc.aenv contains xyz', which is similar to the familiar 'proc.aname contains xyz' approach, (2) checking the proc.env of a specified level of the parent, e.g. 'proc.aenv[2]', which is similar to the familiar 'proc.aname[2]' approach, or (3) checking the first matched value of a known ENV_NAME in the parent lineage, such as 'proc.aenv[ENV_NAME]' (across a max of 20 ancestor levels). This field may be deprecated or undergo breaking changes in future releases. Please use it with caution.
proc.cwdCHARBUFThe current working directory of the event.
proc.loginshellidINT64The pid of the oldest shell among the ancestors of the current process, if there is one. This field can be used to separate different user sessions, and is useful in conjunction with chisels like spy_user.
proc.ttyUINT32The controlling terminal of the process. 0 for processes without a terminal.
proc.pidINT64The id of the process generating the event.
proc.ppidINT64The pid of the parent of the process generating the event.
proc.apidINT64The pid for a specific process ancestor. You can access different levels of ancestors by using indices. For example, proc.apid[1] retrieves the pid of the parent process, proc.apid[2] retrieves the pid of the grandparent process, and so on. The current process's pid can be obtained using proc.apid[0]. When used without any arguments, proc.apid is applicable only in filters and matches any of the process ancestors. For instance, you can use proc.apid=1337 to match any process ancestor whose pid is equal to 1337.
proc.vpidINT64The id of the process generating the event as seen from its current PID namespace.
proc.pvpidINT64The id of the parent process generating the event as seen from its current PID namespace.
proc.sidINT64The session id of the process generating the event.
proc.snameCHARBUFThe name of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.
proc.sid.exeCHARBUFThe first command line argument argv[0] (usually the executable name or a custom one) of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.
proc.sid.exepathCHARBUFThe full executable path of the current process's session leader. This is either the process with pid=proc.sid or the eldest ancestor that has the same sid as the current process.
proc.vpgidINT64The process group id of the process generating the event, as seen from its current PID namespace.
proc.vpgid.nameCHARBUFThe name of the current process's process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of proc.is_vpgid_leader offers additional insights.
proc.vpgid.exeCHARBUFThe first command line argument argv[0] (usually the executable name or a custom one) of the current process's process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of proc.is_vpgid_leader offers additional insights.
proc.vpgid.exepathCHARBUFThe full executable path of the current process's process group leader. This is either the process with proc.vpgid == proc.vpid or the eldest ancestor that has the same vpgid as the current process. The description of proc.is_vpgid_leader offers additional insights.
proc.durationRELTIMENumber of nanoseconds since the process started.
proc.ppid.durationRELTIMENumber of nanoseconds since the parent process started.
proc.pid.tsRELTIMEStart of process as epoch timestamp in nanoseconds.
proc.ppid.tsRELTIMEStart of parent process as epoch timestamp in nanoseconds.
proc.is_exe_writableBOOL'true' if this process' executable file is writable by the same user that spawned the process.
proc.is_exe_upper_layerBOOL'true' if this process' executable file is in upper layer in overlayfs. This field value can only be trusted if the underlying kernel version is greater or equal than 3.18.0, since overlayfs was introduced at that time.
proc.is_exe_from_memfdBOOL'true' if the executable file of the current process is an anonymous file created using memfd_create() and is being executed by referencing its file descriptor (fd). This type of file exists only in memory and not on disk. Relevant to detect malicious in-memory code injection. Requires kernel version greater or equal to 3.17.0.
proc.is_sid_leaderBOOL'true' if this process is the leader of the process session, proc.sid == proc.vpid. For host processes vpid reflects pid.
proc.is_vpgid_leaderBOOL'true' if this process is the leader of the virtual process group, proc.vpgid == proc.vpid. For host processes vpgid and vpid reflect pgid and pid. Can help to distinguish if the process was 'directly' executed for instance in a tty (similar to bash history logging, is_vpgid_leader would be 'true') or executed as descendent process in the same process group which for example is the case when subprocesses are spawned from a script (is_vpgid_leader would be 'false').
proc.exe_inoINT64The inode number of the executable file on disk. Can be correlated with fd.ino.
proc.exe_ino.ctimeABSTIMELast status change time of executable file (inode->ctime) as epoch timestamp in nanoseconds. Time is changed by writing or by setting inode information e.g. owner, group, link count, mode etc.
proc.exe_ino.mtimeABSTIMELast modification time of executable file (inode->mtime) as epoch timestamp in nanoseconds. Time is changed by file modifications, e.g. by mknod, truncate, utime, write of more than zero bytes etc. For tracking changes in owner, group, link count or mode, use proc.exe_ino.ctime instead.
proc.exe_ino.ctime_duration_proc_startABSTIMENumber of nanoseconds between modifying status of executable image and spawning a new process using the changed executable image.
proc.exe_ino.ctime_duration_pidns_startABSTIMENumber of nanoseconds between PID namespace start ts and ctime exe file if PID namespace start predates ctime.
proc.pidns_init_start_tsUINT64Start of PID namespace (container or non container pid namespace) as epoch timestamp in nanoseconds.
thread.cap_permittedCHARBUFThe permitted capabilities set
thread.cap_inheritableCHARBUFThe inheritable capabilities set
thread.cap_effectiveCHARBUFThe effective capabilities set
proc.is_container_healthcheckBOOL'true' if this process is running as a part of the container's health check.
proc.is_container_liveness_probeBOOL'true' if this process is running as a part of the container's liveness probe.
proc.is_container_readiness_probeBOOL'true' if this process is running as a part of the container's readiness probe.
proc.fdopencountUINT64Number of open FDs for the process
proc.fdlimitINT64Maximum number of FDs the process can open.
proc.fdusageDOUBLEThe ratio between open FDs and maximum available FDs for the process.
proc.vmsizeUINT64Total virtual memory for the process (as kb).
proc.vmrssUINT64Resident non-swapped memory for the process (as kb).
proc.vmswapUINT64Swapped memory for the process (as kb).
thread.pfmajorUINT64Number of major page faults since thread start.
thread.pfminorUINT64Number of minor page faults since thread start.
thread.tidINT64The id of the thread generating the event.
thread.ismainBOOL'true' if the thread generating the event is the main one in the process.
thread.vtidINT64The id of the thread generating the event as seen from its current PID namespace.
thread.exectimeRELTIMECPU time spent by the last scheduled thread, in nanoseconds. Exported by switch events only.
thread.totexectimeRELTIMETotal CPU time, in nanoseconds since the beginning of the capture, for the current thread. Exported by switch events only.
thread.cgroupsCHARBUFAll cgroups the thread belongs to, aggregated into a single string.
thread.cgroupCHARBUFThe cgroup the thread belongs to, for a specific subsystem. e.g. thread.cgroup.cpuacct.
proc.nthreadsUINT64The number of alive threads that the process generating the event currently has, including the leader thread. Please note that the leader thread may not be here, in that case 'proc.nthreads' and 'proc.nchilds' are equal
proc.nchildsUINT64The number of alive not leader threads that the process generating the event currently has. This excludes the leader thread.
thread.cpuDOUBLEThe CPU consumed by the thread in the last second.
thread.cpu.userDOUBLEThe user CPU consumed by the thread in the last second.
thread.cpu.systemDOUBLEThe system CPU consumed by the thread in the last second.
thread.vmsizeUINT64For the process main thread, this is the total virtual memory for the process (as kb). For the other threads, this field is zero.
thread.vmrssUINT64For the process main thread, this is the resident non-swapped memory for the process (as kb). For the other threads, this field is zero.

Field Class: user

Information about the user executing the specific event.

NameTypeDescription
user.uidUINT32user ID.
user.nameCHARBUFuser name.
user.homedirCHARBUFhome directory of the user.
user.shellCHARBUFuser's shell.
user.loginuidINT64audit user id (auid), internally the loginuid is of type uint32_t. However, if an invalid uid corresponding to UINT32_MAX is encountered, it is returned as -1 to support familiar filtering conditions.
user.loginnameCHARBUFaudit user name (auid).

Field Class: group

Information about the user group.

NameTypeDescription
group.gidUINT32group ID.
group.nameCHARBUFgroup name.

Field Class: container

Container information. If the event is not happening inside a container, both id and name will be set to 'host'.

NameTypeDescription
container.idCHARBUFThe truncated container ID (first 12 characters), e.g. 3ad7b26ded6d is extracted from the Linux cgroups by Falco within the kernel. Consequently, this field is reliably available and serves as the lookup key for Falco's synchronous or asynchronous requests against the container runtime socket to retrieve all other 'container.' information. One important aspect to be aware of is that if the process occurs on the host, meaning not in the container PID namespace, this field is set to a string called 'host'. In Kubernetes, pod sandbox container processes can exist where container.id matches k8s.pod.sandbox_id, lacking other 'container.' details.
container.full_idCHARBUFThe full container ID, e.g. 3ad7b26ded6d8e7b23da7d48fe889434573036c27ae5a74837233de441c3601e. In contrast to container.id, we enrich this field as part of the container engine enrichment. In instances of userspace container engine lookup delays, this field may not be available yet.
container.nameCHARBUFThe container name. In instances of userspace container engine lookup delays, this field may not be available yet. One important aspect to be aware of is that if the process occurs on the host, meaning not in the container PID namespace, this field is set to a string called 'host'.
container.imageCHARBUFThe container image name (e.g. falcosecurity/falco:latest for docker). In instances of userspace container engine lookup delays, this field may not be available yet.
container.image.idCHARBUFThe container image id (e.g. 6f7e2741b66b). In instances of userspace container engine lookup delays, this field may not be available yet.
container.typeCHARBUFThe container type, e.g. docker, cri-o, containerd etc.
container.privilegedBOOL'true' for containers running as privileged, 'false' otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.
container.mountsCHARBUFA space-separated list of mount information. Each item in the list has the format <source>:<dest>:<mode>:<rdrw>:<propagation>. In instances of userspace container engine lookup delays, this field may not be available yet.
container.mountCHARBUFInformation about a single mount, specified by number (e.g. container.mount[0]) or mount source (container.mount[/usr/local]). The pathname can be a glob (container.mount[/usr/local/*]), in which case the first matching mount will be returned. The information has the format <source>:<dest>:<mode>:<rdrw>:<propagation>. If there is no mount with the specified index or matching the provided source, returns the string "none" instead of a NULL value. In instances of userspace container engine lookup delays, this field may not be available yet.
container.mount.sourceCHARBUFThe mount source, specified by number (e.g. container.mount.source[0]) or mount destination (container.mount.source[/host/lib/modules]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.
container.mount.destCHARBUFThe mount destination, specified by number (e.g. container.mount.dest[0]) or mount source (container.mount.dest[/lib/modules]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.
container.mount.modeCHARBUFThe mount mode, specified by number (e.g. container.mount.mode[0]) or mount source (container.mount.mode[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.
container.mount.rdwrCHARBUFThe mount rdwr value, specified by number (e.g. container.mount.rdwr[0]) or mount source (container.mount.rdwr[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.
container.mount.propagationCHARBUFThe mount propagation value, specified by number (e.g. container.mount.propagation[0]) or mount source (container.mount.propagation[/usr/local]). The pathname can be a glob. In instances of userspace container engine lookup delays, this field may not be available yet.
container.image.repositoryCHARBUFThe container image repository (e.g. falcosecurity/falco). In instances of userspace container engine lookup delays, this field may not be available yet.
container.image.tagCHARBUFThe container image tag (e.g. stable, latest). In instances of userspace container engine lookup delays, this field may not be available yet.
container.image.digestCHARBUFThe container image registry digest (e.g. sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27). In instances of userspace container engine lookup delays, this field may not be available yet.
container.healthcheckCHARBUFThe container's health check. Will be the null value ("N/A") if no healthcheck configured, "NONE" if configured but explicitly not created, and the healthcheck command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.
container.liveness_probeCHARBUFThe container's liveness probe. Will be the null value ("N/A") if no liveness probe configured, the liveness probe command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.
container.readiness_probeCHARBUFThe container's readiness probe. Will be the null value ("N/A") if no readiness probe configured, the readiness probe command line otherwise. In instances of userspace container engine lookup delays, this field may not be available yet.
container.start_tsUINT64Container start as epoch timestamp in nanoseconds based on proc.pidns_init_start_ts and extracted in the kernel and not from the container runtime socket / container engine.
container.durationRELTIMENumber of nanoseconds since container.start_ts.
container.ipCHARBUFThe container's / pod's primary ip address as retrieved from the container engine. Only ipv4 addresses are tracked. Consider container.cni.json (CRI use case) for logging ip addresses for each network interface. In instances of userspace container engine lookup delays, this field may not be available yet.
container.cni.jsonCHARBUFThe container's / pod's CNI result field from the respective pod status info. It contains ip addresses for each network interface exposed as unparsed escaped JSON string. Supported for CRI container engine (containerd, cri-o runtimes), optimized for containerd (some non-critical JSON keys removed). Useful for tracking ips (ipv4 and ipv6, dual-stack support) for each network interface (multi-interface support). In instances of userspace container engine lookup delays, this field may not be available yet.

Field Class: fd

Every syscall that has a file descriptor in its arguments has these fields set with information related to the file.

NameTypeDescription
fd.numINT64the unique number identifying the file descriptor.
fd.typeCHARBUFtype of FD. Can be 'file', 'directory', 'ipv4', 'ipv6', 'unix', 'pipe', 'event', 'signalfd', 'eventpoll', 'inotify' 'signalfd' or 'memfd'.
fd.typecharCHARBUFtype of FD as a single character. Can be 'f' for file, 4 for IPv4 socket, 6 for IPv6 socket, 'u' for unix socket, p for pipe, 'e' for eventfd, 's' for signalfd, 'l' for eventpoll, 'i' for inotify, 'b' for bpf, 'u' for userfaultd, 'r' for io_uring, 'm' for memfd ,'o' for unknown.
fd.nameCHARBUFFD full name. If the fd is a file, this field contains the full path. If the FD is a socket, this field contain the connection tuple.
fd.directoryCHARBUFIf the fd is a file, the directory that contains it.
fd.filenameCHARBUFIf the fd is a file, the filename without the path.
fd.ipIPADDRmatches the ip address (client or server) of the fd.
fd.cipIPADDRclient IP address.
fd.sipIPADDRserver IP address.
fd.lipIPADDRlocal IP address.
fd.ripIPADDRremote IP address.
fd.portPORTmatches the port (either client or server) of the fd.
fd.cportPORTfor TCP/UDP FDs, the client port.
fd.sportPORTfor TCP/UDP FDs, server port.
fd.lportPORTfor TCP/UDP FDs, the local port.
fd.rportPORTfor TCP/UDP FDs, the remote port.
fd.l4protoCHARBUFthe IP protocol of a socket. Can be 'tcp', 'udp', 'icmp' or 'raw'.
fd.sockfamilyCHARBUFthe socket family for socket events. Can be 'ip' or 'unix'.
fd.is_serverBOOL'true' if the process owning this FD is the server endpoint in the connection.
fd.uidCHARBUFa unique identifier for the FD, created by chaining the FD number and the thread ID.
fd.containernameCHARBUFchaining of the container ID and the FD name. Useful when trying to identify which container an FD belongs to.
fd.containerdirectoryCHARBUFchaining of the container ID and the directory name. Useful when trying to identify which container a directory belongs to.
fd.protoPORTmatches the protocol (either client or server) of the fd.
fd.cprotoCHARBUFfor TCP/UDP FDs, the client protocol.
fd.sprotoCHARBUFfor TCP/UDP FDs, server protocol.
fd.lprotoCHARBUFfor TCP/UDP FDs, the local protocol.
fd.rprotoCHARBUFfor TCP/UDP FDs, the remote protocol.
fd.netIPNETmatches the IP network (client or server) of the fd.
fd.cnetIPNETmatches the client IP network of the fd.
fd.snetIPNETmatches the server IP network of the fd.
fd.lnetIPNETmatches the local IP network of the fd.
fd.rnetIPNETmatches the remote IP network of the fd.
fd.connectedBOOLfor TCP/UDP FDs, 'true' if the socket is connected.
fd.name_changedBOOLTrue when an event changes the name of an fd used by this event. This can occur in some cases such as udp connections where the connection tuple changes.
fd.cip.nameCHARBUFDomain name associated with the client IP address.
fd.sip.nameCHARBUFDomain name associated with the server IP address.
fd.lip.nameCHARBUFDomain name associated with the local IP address.
fd.rip.nameCHARBUFDomain name associated with the remote IP address.
fd.devINT32device number (major/minor) containing the referenced file
fd.dev.majorINT32major device number containing the referenced file
fd.dev.minorINT32minor device number containing the referenced file
fd.inoINT64inode number of the referenced file
fd.namerawCHARBUFFD full name raw. Just like fd.name, but only used if fd is a file path. File path is kept raw with limited sanitization and without deriving the absolute path.
fd.typesCHARBUFList of FD types in used. Can be passed an fd number e.g. fd.types[0] to get the type of stdout as a single item list.

Field Class: fs.path

Every syscall that has a filesystem path in its arguments has these fields set with information related to the path arguments. This differs from the fd.* fields as it includes syscalls like unlink, rename, etc. that act directly on filesystem paths as compared to opened file descriptors.

NameTypeDescription
fs.path.nameCHARBUFFor any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed.
fs.path.namerawCHARBUFFor any event type that deals with a filesystem path, the path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved.
fs.path.sourceCHARBUFFor any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed.
fs.path.sourcerawCHARBUFFor any event type that deals with a filesystem path, and specifically for a source and target like mv, cp, etc, the source path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved.
fs.path.targetCHARBUFFor any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always fully resolved, prepending the thread cwd when needed.
fs.path.targetrawCHARBUFFor any event type that deals with a filesystem path, and specifically for a target and target like mv, cp, etc, the target path the file syscall is operating on. This path is always the path provided to the syscall and may not be fully resolved.

Field Class: syslog

Content of Syslog messages.

NameTypeDescription
syslog.facility.strCHARBUFfacility as a string.
syslog.facilityUINT32facility as a number (0-23).
syslog.severity.strCHARBUFseverity as a string. Can have one of these values: emerg, alert, crit, err, warn, notice, info, debug
syslog.severityUINT32severity as a number (0-7).
syslog.messageCHARBUFmessage sent to syslog.

Field Class: fdlist

Poll event related fields.

NameTypeDescription
fdlist.numsCHARBUFfor poll events, this is a comma-separated list of the FD numbers in the 'fds' argument, returned as a string.
fdlist.namesCHARBUFfor poll events, this is a comma-separated list of the FD names in the 'fds' argument, returned as a string.
fdlist.cipsCHARBUFfor poll events, this is a comma-separated list of the client IP addresses in the 'fds' argument, returned as a string.
fdlist.sipsCHARBUFfor poll events, this is a comma-separated list of the server IP addresses in the 'fds' argument, returned as a string.
fdlist.cportsCHARBUFfor TCP/UDP FDs, for poll events, this is a comma-separated list of the client TCP/UDP ports in the 'fds' argument, returned as a string.
fdlist.sportsCHARBUFfor poll events, this is a comma-separated list of the server TCP/UDP ports in the 'fds' argument, returned as a string.

Field Class: k8s

Kubernetes context about pods and namespace name. These fields are populated with data gathered from the container runtime.

NameTypeDescription
k8s.ns.nameCHARBUFThe Kubernetes namespace name. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.nameCHARBUFThe Kubernetes pod name. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.idCHARBUF[LEGACY] The Kubernetes pod UID, e.g. 3e41dc6b-08a8-44db-bc2a-3724b18ab19a. This legacy field points to k8s.pod.uid; however, the pod ID typically refers to the pod sandbox ID. We recommend using the semantically more accurate k8s.pod.uid field. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.uidCHARBUFThe Kubernetes pod UID, e.g. 3e41dc6b-08a8-44db-bc2a-3724b18ab19a. Note that the pod UID is a unique identifier assigned upon pod creation within Kubernetes, allowing the Kubernetes control plane to manage and track pods reliably. As such, it is fundamentally a different concept compared to the pod sandbox ID. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.sandbox_idCHARBUFThe truncated Kubernetes pod sandbox ID (first 12 characters), e.g 63060edc2d3a. The sandbox ID is specific to the container runtime environment. It is the equivalent of the container ID for the pod / sandbox and extracted from the Linux cgroups. As such, it differs from the pod UID. This field is extracted from the container runtime socket simultaneously as we look up the 'container.' fields. In cases of lookup delays, it may not be available yet. In Kubernetes, pod sandbox container processes can exist where container.id matches k8s.pod.sandbox_id, lacking other 'container.' details.
k8s.pod.full_sandbox_idCHARBUFThe full Kubernetes pod / sandbox ID, e.g 63060edc2d3aa803ab559f2393776b151f99fc5b05035b21db66b3b62246ad6a. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.labelCHARBUFThe Kubernetes pod label. The label can be accessed either with the familiar brackets notation, e.g. 'k8s.pod.label[foo]' or by appending a dot followed by the name, e.g. 'k8s.pod.label.foo'. The label name itself can include the original special characters such as '.', '-', '_' or '/' characters. For instance, 'k8s.pod.label[app.kubernetes.io/name]', 'k8s.pod.label.app.kubernetes.io/name' or 'k8s.pod.label[custom-label_one]' are all valid. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.labelsCHARBUFThe Kubernetes pod comma-separated key/value labels. E.g. 'foo1:bar1,foo2:bar2'. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.ipCHARBUFThe Kubernetes pod ip, same as container.ip field as each container in a pod shares the network stack of the sandbox / pod. Only ipv4 addresses are tracked. Consider k8s.pod.cni.json for logging ip addresses for each network interface. This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.
k8s.pod.cni.jsonCHARBUFThe Kubernetes pod CNI result field from the respective pod status info, same as container.cni.json field. It contains ip addresses for each network interface exposed as unparsed escaped JSON string. Supported for CRI container engine (containerd, cri-o runtimes), optimized for containerd (some non-critical JSON keys removed). Useful for tracking ips (ipv4 and ipv6, dual-stack support) for each network interface (multi-interface support). This field is extracted from the container runtime socket simultaneously as we look up the 'container.*' fields. In cases of lookup delays, it may not be available yet.