Event Layout and Info Section
Every kunai event gets a set of common fields shared between all the events. These fields give various information which might be used for advanced purposes such as event identification, grouping or correlation.
For the general event layout, every event will have a data
section and an info
section. The data
section might be different for every event family while the info
section will always be common (contains the same fields) across all the event types. This page only explains the info
section as data
sections will be addressed separately for each event documented.
In the Linux kernel, there is no notion of process or thread, everything is a task. So in the rest of the documentation we will consider that a process is made of one or several tasks belonging to the same thread-group.
{
"data": "...",
"info": {
// Host related information
"host": {
// Unique host uuid
"uuid": "c030b40d-0eab-417b-b33a-22d952357984",
// Hostname of the host running kunai
"name": "whiterose",
// Container information if any, null otherwise
"container": {
// Name of the container
"name": "ubuntu-kunai-test",
// Type of container
"type": "docker"
}
},
// Event related information
"event": {
// A string which can be used by external tools to identify kunai's logs
"source": "kunai",
// Event type identifier
"id": 1,
// Event type name
"name": "execve",
// Unique identifier for an event
"uuid": "5c236371-d737-9deb-02ed-6964280720f1",
// Not relevant, here for diagnosis purposes
"batch": 44
},
// Information about the task generating this event
"task": {
// Task name
"name": "ls",
// Identifier of the task (process or thread)
"pid": 850464,
// Thread Group ID of the task (same for all threads of a process)
// When pid == tgid we are in the main thread.
"tgid": 850464,
// A uuid common to all the events generated by the same
// task group/process (i.e. all threads). You can search by
// this value in order to see the whole activity of a process
"guuid": "ba6b7593-a1ae-0000-373a-c0c420fa0c00",
// Effective uid of the task
"uid": 0,
// Effective gid of the task
"gid": 0,
// Information about Linux namespaces
"namespaces": {
// mnt namespace id
"mnt": 4026534135
},
// task_struct flags https://elixir.bootlin.com/linux/v6.6.5/source/include/linux/sched.h#L767
// combination of process flags https://elixir.bootlin.com/linux/v6.6.5/source/include/linux/sched.h#L1726
"flags": "0x400100"
},
// Information about the parent task. This section
// contains the same kind of information as the task section
"parent_task": {
"name": "containerd-shim",
"pid": 850441,
"tgid": 850441,
"guuid": "9584f090-a1ae-0000-373a-c0c409fa0c00",
"uid": 0,
"gid": 0,
"namespaces": {
"mnt": 4026531841
},
"flags": "0x400000"
},
"utc_time": "2024-02-14T13:56:19.519964995Z"
}
}
If you generated some activity within a container and the container type is not correct or empty please explain precisely your setup and we will fix this. Container identification is based on several string matching so every specific container implementation needs to be hardcoded. Even if the container type is not correct, all the rest of the event is correct and relative to your container.