Skip to main content
Version: 0.4.0

Event Layout and Info Section

Every kunai event gets a set of common fields shared between all the events. These fields give various information which might be used for advanced purposes such as event identification, grouping or correlation.

For the general event layout, every event will have a data section and an info section. The data section might be different for every event family while the info section will always be common (contains the same fields) across all the event types. This page only explains the info section as data sections will be addressed separately for each event documented.

Process and Threads in Linux

In the Linux kernel, there is no notion of process or thread, everything is a task. So in the rest of the documentation we will consider that a process is made of one or several tasks belonging to the same thread-group.

{
"data": "...",
"info": {
// Host related information
"host": {
// Unique host uuid
"uuid": "c030b40d-0eab-417b-b33a-22d952357984",
// Hostname of the host running kunai
"name": "hal",
// Container information if any, null otherwise
"container": {
// Name of the container
"name": "ubuntu-kunai-test",
// Type of container
"type": "docker"
}
},
// Event related information
"event": {
// A string which can be used by external tools to identify kunai's logs
"source": "kunai",
// Event type identifier
"id": 1,
// Event type name
"name": "execve",
// Unique identifier for an event
"uuid": "87f5cb64-11ca-fd34-26af-b47f84132543",
// Not relevant, here for diagnosis purposes
"batch": 131
},
// Information about the task generating this event
"task": {
// Task name
"name": "ls",
// Identifier of the task (process or thread)
"pid": 1981502,
// Thread Group ID of the task (same for all threads of a process)
// When pid == tgid we are in the main thread.
"tgid": 1981502,
// A uuid common to all the events generated by the same
// task group/process (i.e. all threads). You can search by
// this value in order to see the whole activity of a process
"guuid": "cd5415c4-7750-0000-7c85-4ef53e3c1e00",
// Effective uid of the task
"uid": 1000,
// Effective gid of the task
"gid": 1000,
// Information about Linux namespaces
"namespaces": {
// mnt namespace id
"mnt": 4026531841
},
// task_struct flags https://elixir.bootlin.com/linux/v6.6.5/source/include/linux/sched.h#L767
// combination of process flags https://elixir.bootlin.com/linux/v6.6.5/source/include/linux/sched.h#L1726
"flags": "0x400000",
// Indicates whether the task is in a zombie state
"zombie": true
},
// Information about the parent task. This section
// contains the same kind of information as the task section
"parent_task": {
"name": "3",
"pid": 1981500,
"tgid": 1981500,
"guuid": "a679f5c3-7750-0000-7c85-4ef53c3c1e00",
"uid": 1000,
"gid": 1000,
"namespaces": {
"mnt": 4026531841
},
"flags": "0x400000",
"zombie": false
},
// UTC timestamp of the event
"utc_time": "2024-11-19T09:55:53.138247256Z"
}
}
container type is not identified properly

If you generated some activity within a container and the container type is not correct or empty please explain precisely your setup and we will fix this. Container identification is based on several string matching so every specific container implementation needs to be hardcoded. Even if the container type is not correct, all the rest of the event is correct and relative to your container.