This is a map of argument names and values. The keys are strings that are the names of the arguments, and the values are the actual values for each field.
Present when the event describes a network event that is an attempt to perform a network related action. This is the socket descriptor used to perform the action.
Present when the event describes a network event that is an attempt to perform a network related action that includes an address. This is that address.
Present when the event describes a network event that is the result of an attempted network related action. This is the return code from the system call.
The total amount of time that the event has been enabled in the sensor. This corresponds to PERF_FORMAT_TOTAL_TIME_ENABLED that is reported by the kernel with the event sample.
The total amount of time that the event subscription has been running in the sensor. This corresponds to PERF_FORMAT_TOTAL_TIME_RUNNING that is reported by the kernel with the event sample.
Sequence number from some unspecified starting point unique to the Sensor. Provides a strict linear ordering of events with the same sensor_id where no two events can have the same sequence number. If it is present, it must be greater than zero. A zero value indicates that there is no sequence number associated with the event.
Monotonic nanosecond timestamp from some unspecified starting point unique to the Sensor. Can only be used to calculate time intervals between events with the same sensor_id.
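The ordering rules in the two descriptions above, applied by a consumer that merges events from several sensors, as an added example that is not part of the original documentation or the project's code. The dict layout and the key names `sequence_number` and `monotime_ns` are assumptions; only `sensor_id` is named on the page.

```python
from collections import defaultdict

# Constructed sample events, not real sensor output. The dict layout and the
# key names "sequence_number" and "monotime_ns" are assumptions for this example.
EVENTS = [
    {"sensor_id": "A", "sequence_number": 2, "monotime_ns": 1_400},
    {"sensor_id": "B", "sequence_number": 7, "monotime_ns": 50},
    {"sensor_id": "A", "sequence_number": 1, "monotime_ns": 1_000},
    {"sensor_id": "A", "sequence_number": 0, "monotime_ns": 1_450},  # no sequence number
    {"sensor_id": "A", "sequence_number": 2, "monotime_ns": 1_400},  # delivered twice
    {"sensor_id": "B", "sequence_number": 9, "monotime_ns": 90},
    {"sensor_id": "A", "sequence_number": 5, "monotime_ns": 2_000},
]


def order_per_sensor(events):
    """Group by sensor_id, drop repeats, and sort by sequence number.

    Returns (ordered, unsequenced, duplicates). Events from different
    sensors are never compared with each other.
    """
    seen = set()
    ordered = defaultdict(list)
    unsequenced, duplicates = [], []
    for ev in events:
        seq = ev["sequence_number"]
        if seq == 0:            # zero means "no sequence number": cannot be placed
            unsequenced.append(ev)
            continue
        key = (ev["sensor_id"], seq)
        if key in seen:         # same sensor and number: the same event again
            duplicates.append(key)
            continue
        seen.add(key)
        ordered[ev["sensor_id"]].append(ev)
    for evs in ordered.values():
        evs.sort(key=lambda e: e["sequence_number"])
    return dict(ordered), unsequenced, duplicates


def intervals_ns(ordered):
    """Elapsed nanoseconds between consecutive events of each sensor."""
    return {
        sid: [b["monotime_ns"] - a["monotime_ns"] for a, b in zip(evs, evs[1:])]
        for sid, evs in ordered.items()
    }


if __name__ == "__main__":
    ordered, unsequenced, duplicates = order_per_sensor(EVENTS)
    print(intervals_ns(ordered), duplicates, len(unsequenced))
```
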
Process Lineage contains one process context for each process in the hierarchy, starting with the current process, up to the root of the process namespace.
This is a map of argument names and values. The keys are strings that are the names of the arguments, and the values are the actual values for each field.
| Name | Number | Description |
| --- | --- | --- |
| LOST_RECORD_EVENT_TYPE_UNKNOWN | 0 | LOST_RECORD_EVENT_TYPE_UNKNOWN is a lost record of unknown type. |
| LOST_RECORD_EVENT_TYPE_SUBSCRIPTION | 1 | LOST_RECORD_EVENT_TYPE_SUBSCRIPTION is a lost record from a subscription. It may include kprobes, uprobes, network events, syscalls, etc. but it does not include meta events like process, container, or file monitoring events. This type is only ever sent to a specific subscription that has lost a kernel generated event. |
| LOST_RECORD_EVENT_TYPE_PROCESS | 2 | LOST_RECORD_EVENT_TYPE_PROCESS is a lost record relating to process meta events. This type is broadcast to all subscriptions, regardless of whether they've explicitly subscribed to process events or not, because it affects everything. |
| LOST_RECORD_EVENT_TYPE_CONTAINER | 3 | LOST_RECORD_EVENT_TYPE_CONTAINER is a lost record relating to container meta events. This type is broadcast to all subscriptions, regardless of whether they've explicitly subscribed to process events or not, because it affects everything. |
| LOST_RECORD_EVENT_TYPE_FILE_CREATE | 4 | LOST_RECORD_EVENT_TYPE_FILE_CREATE is a lost record relating to file create events. It is only sent to subscriptions that are subscribed to file create events. |
| LOST_RECORD_EVENT_TYPE_FILE_DELETE | 5 | LOST_RECORD_EVENT_TYPE_FILE_DELETE is a lost record relating to file delete events. It is only sent to subscriptions that are subscribed to file delete events. |
| LOST_RECORD_EVENT_TYPE_FILE_LINK | 6 | LOST_RECORD_EVENT_TYPE_FILE_LINK is a lost record relating to file link events. It is only sent to subscriptions that are subscribed to file link events. |
| LOST_RECORD_EVENT_TYPE_FILE_SYMLINK | 7 | LOST_RECORD_EVENT_TYPE_FILE_SYMLINK is a lost record relating to file symlink events. It is only sent to subscriptions that are subscribed to file link events. |
| LOST_RECORD_EVENT_TYPE_FILE_OPEN_MODIFY | 8 | LOST_RECORD_EVENT_TYPE_FILE_OPEN_MODIFY is a lost record relating to file open modify events. It is only sent to subscriptions that are subscribed to file open modify events. |
| LOST_RECORD_EVENT_TYPE_FILE_CLOSE_MODIFY | 9 | LOST_RECORD_EVENT_TYPE_FILE_CLOSE_MODIFY is a lost record relating to file close modify events. It is only sent to subscriptions that are subscribed to file close modify events. |
| LOST_RECORD_EVENT_TYPE_FILE_MODIFY | 10 | LOST_RECORD_EVENT_TYPE_FILE_MODIFY is a lost record relating to file modify events. It is only sent to subscriptions that are subscribed to file modify events. |
| LOST_RECORD_EVENT_TYPE_FILE_RENAME | 11 | LOST_RECORD_EVENT_TYPE_FILE_RENAME is a lost record relating to file rename events. It is only sent to subscriptions that are subscribed to file rename events. |
| LOST_RECORD_EVENT_TYPE_FILE_ATTRIBUTE_CHANGE | 12 | LOST_RECORD_EVENT_TYPE_FILE_ATTRIBUTE_CHANGE is a lost record relating to file attribute change events. It is only sent to subscriptions that are subscribed to file attribute change events. |
An opaque ack for the event. If present, this ack must be sent to the PubsubService's Acknowledge method or else the TelemetryService will re-transmit the event.
The ContainerEventFilter specifies which container lifecycle events
to include in the Subscription. In order to restrict them to
specific containers, use the ContainerFilter.
The ContainerFilter restricts events in the Subscription to the
running containers indicated. All of the fields in this message are
effectively "ORed" together to create the list of containers to
monitor for the subscription.
Container image name (shell-style globs are supported). May be of the form "busybox", "foo/bar" or "sha256:d462265d362c919b7dd37f8ba80caa822d13704695f47c8fc42a1c2266ecd164"
The EventFilter specifies events to include. All of the specified
fields are effectively "ORed" together to create the list of events
included in the Subscription.
The FileEventFilter specifies which file events to include in the
Subscription. The specified fields are effectively "ANDed" to
specify a matching event.
The KernelFunctionCallFilter specifies which kernel function call
events to include in the Subscription. The arguments map defines
values that will be fetched at each call and returned along with
the event. In order to minimize event volume, a filter may be
included that filters the kernel function calls based on the
observed values of the specified arguments at the time of the
kernel function call.
Optional; the field names and data to be returned by the kernel when the event triggers. Note that this is a map. The keys are the names to assign to the returned fields, and the values are a string describing the data to return, usually an expression involving the register containing the desired data and a suffix indicating the type of the data (e.g., "s32", "string", "u64", etc.). This map is used to construct the "fetchargs" passed to the kernel when creating the kernel probe.
The LimitModifier cancels the subscription on each Sensor after the
specified number of events. The entire Subscription may return more
events than this depending on how many active Sensors there are.
Modifier specifies which stream modifiers to apply if any. For a given
stream, a modifier can apply a throttle or limit etc. Modifiers can be
used together.
The NetworkEventFilter specifies which network events to include in
the Subscription. The included filter can be used to specify
precisely which network events should be included.
Required; the performance event type's configuration, which is defined by the Linux perf interface. This corresponds to the config field in a struct perf_event_attr that is documented in the perf_event_open(2) man page.
The ProcessEventFilter specifies which process events to include in
the Subscription. The specified fields are effectively "ANDed" to
specify a matching event.
If not empty, then only return events that occurred after the specified relative duration subtracted from the current time (recorder time). If the resulting time is in the past, then the subscription will search for historic events before streaming live ones. Sensors do not honor this field.
If not empty, then only return events that occurred before the specified relative duration added to since_duration. If since_duration is not supplied, return events from now and until the specified relative duration is hit. Sensors do not honor this field.
The SyscallEventFilter specifies which system call events to
include in the Subscription. The specified fields are effectively
"ANDed" to specify a matching event.
The UserFunctionCallFilter specifies which user mode function call events to
include in the Subscription. User mode function call events are functions in
running user mode binaries that must be specified with both the executable
name and symbol to monitor. They otherwise work the same as kernel function
call events. The arguments map defines values that will be fetched at each
call and returned along with the event. In order to minimize event volume, a
filter may be included that filters the user function calls based on the
observed values of the specified arguments at the time of the user function
call.
Optional; the field names and data to be returned by the kernel when the event triggers. Note that this is a map. The keys are the names to assign to the returned fields, and the values are a string describing the data to return, usually an expression involving the register containing the desired data and a suffix indicating the type of the data (e.g., "s32", "string", "u64", etc.). This map is used to construct the "fetchargs" passed to the kernel when creating the user probe.
SampleRateType describes the type of sample rate to use, either by the number of
generated events (SAMPLE_RATE_TYPE_PERIOD) or by time
(SAMPLE_RATE_TYPE_FREQUENCY), which is expressed in units of kernel timer
ticks.