process_events

Track the time and action of process executions.

Table schema

| Name | Type | Description |
| --- | --- | --- |
| pid | BIGINT | Process (or thread) ID |
| path | TEXT | Path of executed file |
| mode | TEXT | File mode permissions |
| cmdline | TEXT | Command line arguments (argv) |
| cmdline_size | BIGINT | Actual size (bytes) of command line arguments |
| env | TEXT | Environment variables delimited by spaces |
| env_count | BIGINT | Number of environment variables |
| env_size | BIGINT | Actual size (bytes) of environment list |
| cwd | TEXT | The process's current working directory |
| auid | BIGINT | Audit User ID at process start |
| uid | BIGINT | User ID at process start |
| euid | BIGINT | Effective user ID at process start |
| gid | BIGINT | Group ID at process start |
| egid | BIGINT | Effective group ID at process start |
| owner_uid | BIGINT | File owner user ID |
| owner_gid | BIGINT | File owner group ID |
| atime | BIGINT | File last access in UNIX time |
| mtime | BIGINT | File modification in UNIX time |
| ctime | BIGINT | File last metadata change in UNIX time |
| btime | BIGINT | File creation in UNIX time |
| overflows | TEXT | List of structures that overflowed |
| parent | BIGINT | Process parent's PID |
| time | BIGINT | Time of execution in UNIX time |
| uptime | BIGINT | Time of execution in system uptime |
| status | BIGINT | OpenBSM Attribute: Status of the process |
| eid | TEXT | Event ID |
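The columns above are most useful in scheduled detection queries: comparing `uid` with `euid` (and `gid` with `egid`) surfaces privilege transitions such as setuid executions, `path` and `owner_uid` show executions from world-writable scratch directories, and `overflows` tells the analyst when `cmdline` or `env` were cut short and must not be read as complete. Note that on Linux osquery fills this table from the audit subsystem, so it stays empty until auditing is enabled (`--disable_audit=false`); on macOS the source is OpenBSM, which is where the `status` column's description comes from. The example below is added here and is not osquery's own code: it builds a local sqlite3 stand-in with the same column list, loads constructed sample events, and runs three such queries. Because osquery's query language is SQLite SQL, the query strings can be given to `osqueryi` or a query pack largely unchanged. The delimited-list format assumed for `overflows` is an assumption, as are all row values.

```python
"""Added example: constructed stand-in for the osquery process_events table.

osquery's query language is SQLite SQL, so the detection queries below can
be reused against osqueryi or a scheduled query pack largely unchanged. The
sqlite3 table is only a local stand-in with the same column list; the rows
are constructed sample events, not telemetry captured from any host.
"""
import sqlite3

COLUMNS = [
    "pid", "path", "mode", "cmdline", "cmdline_size", "env", "env_count",
    "env_size", "cwd", "auid", "uid", "euid", "gid", "egid", "owner_uid",
    "owner_gid", "atime", "mtime", "ctime", "btime", "overflows", "parent",
    "time", "uptime", "status", "eid",
]
TEXT_COLUMNS = {"path", "mode", "cmdline", "env", "cwd", "overflows", "eid"}


def make_event(**overrides):
    """Build one process_events row; every field not overridden gets a benign default."""
    row = {c: ("" if c in TEXT_COLUMNS else 0) for c in COLUMNS}
    row.update(mode="0755", cwd="/home/alice", auid=1000, uid=1000, euid=1000,
               gid=1000, egid=1000, owner_uid=0, owner_gid=0, parent=1,
               time=1700000000, uptime=100)
    row.update(overrides)
    return row


# Constructed sample events (invented values, not real process activity).
SAMPLE_EVENTS = [
    make_event(pid=4101, path="/usr/bin/ls", cmdline="ls -la", cmdline_size=6, eid="e1"),
    # setuid-root binary: the real uid stays 1000 but the effective uid becomes 0
    make_event(pid=4102, path="/usr/bin/passwd", mode="4755", cmdline="passwd",
               cmdline_size=6, euid=0, eid="e2"),
    # script launched from a world-writable scratch directory, owned by the user
    make_event(pid=4103, path="/tmp/build-cache/run.sh", mode="0777",
               cmdline="/tmp/build-cache/run.sh --quiet", cmdline_size=31,
               owner_uid=1000, cwd="/tmp", eid="e3"),
    # argv did not fit the audit record: cmdline was cut and overflows records it
    make_event(pid=4104, path="/usr/bin/python3", cmdline="python3 -c " + "x" * 40,
               cmdline_size=9000, overflows="cmdline", eid="e4"),
]


def load_events(events=SAMPLE_EVENTS):
    """Create an in-memory process_events table and load the given rows."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{c} {'TEXT' if c in TEXT_COLUMNS else 'BIGINT'}" for c in COLUMNS)
    conn.execute(f"CREATE TABLE process_events ({cols})")
    placeholders = ", ".join(f":{c}" for c in COLUMNS)
    conn.executemany(
        f"INSERT INTO process_events ({', '.join(COLUMNS)}) VALUES ({placeholders})",
        events)
    return conn


# Detection queries, written exactly as they would be handed to osquery.
PRIVILEGE_TRANSITIONS = """
SELECT eid, pid, path, uid, euid, gid, egid
FROM process_events
WHERE uid != euid OR gid != egid
"""

SCRATCH_DIR_EXECUTIONS = """
SELECT eid, pid, path, cmdline, owner_uid, mode
FROM process_events
WHERE path LIKE '/tmp/%' OR path LIKE '/var/tmp/%' OR path LIKE '/dev/shm/%'
"""

# Rows whose argv or environment did not fit the audit record; cmdline/env are
# incomplete for these. Assumption: overflows holds a delimited list of the
# overflowed column names, hence LIKE rather than an equality test.
TRUNCATED_RECORDS = """
SELECT eid, pid, path, length(cmdline) AS captured, cmdline_size AS actual
FROM process_events
WHERE overflows LIKE '%cmdline%' OR overflows LIKE '%env%'
"""


def run(conn, sql):
    """Run a query and return the rows as dicts keyed by column name."""
    cur = conn.execute(sql)
    names = [d[0] for d in cur.description]
    return [dict(zip(names, r)) for r in cur.fetchall()]


def find_privilege_transitions(conn):
    return run(conn, PRIVILEGE_TRANSITIONS)


def find_scratch_dir_executions(conn):
    return run(conn, SCRATCH_DIR_EXECUTIONS)


def find_truncated_records(conn):
    return run(conn, TRUNCATED_RECORDS)


if __name__ == "__main__":
    db = load_events()
    for name, fn in [("privilege transitions", find_privilege_transitions),
                     ("scratch-dir executions", find_scratch_dir_executions),
                     ("truncated records", find_truncated_records)]:
        print(name)
        for row in fn(db):
            print("  ", row)
```

The truncation query deliberately keys on `overflows` rather than on `length(cmdline) < cmdline_size`: `cmdline_size` is a byte count of the original argv while `length()` counts characters of the space-joined text, so the two differ even for complete records.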