Metadata and the meta Field

The meta configuration option enables fine-grained control over the metadata published by specific tasks, such as payload, payload2, syscalls, syswire, and capture. This option allows users to specify exactly which metadata fields should be included in the task output, replacing the previously used process field (though the process field remains for backward compatibility).

Overview

The meta field is a powerful feature that offers flexibility in publishing metadata for processes, containers, pods, and interfaces. With the meta option, you can choose from a predefined set of metadata groups or specify individual fields to publish. This feature is particularly useful for optimizing performance and output size by including only the necessary metadata.

Metadata is organized into four main categories:

  • process: Metadata related to the process.

  • container: Metadata related to the container.

  • pod: Metadata related to the pod.

  • interface: Metadata related to network interfaces (specific to the capture task).

Each category can be published in full, in a minimal set, or in individual fields, depending on the configuration specified in the meta option.

Configuring the meta Field

The meta option is a plus-sign-separated (+) list of strings, where each string represents a metadata field or a predefined group of fields.

The available groups are:

  • all: Publish all metadata fields.

  • all.min: Publish a minimal set of all metadata fields.

  • process: Publish all process-related metadata fields.

  • process.min: Publish a minimal set of process metadata fields.

  • container: Publish all container-related metadata fields.

  • container.min: Publish a minimal set of container metadata fields.

  • pod: Publish all pod-related metadata fields.

  • pod.min: Publish a minimal set of pod metadata fields.

  • interface: Publish all interface-related metadata fields (specific to the capture task).

  • interface.min: Publish a minimal set of interface metadata fields.

You can also specify individual fields within these groups. For example, process.pid will publish only the process ID.

Example Configurations

Here are some examples of how you might configure the meta field:

  • meta: all - Publish all available metadata fields.

  • meta: process - Publish all process metadata fields.

  • meta: process.min+container.min - Publish minimal process and container metadata.

  • meta: container.labels+pod.namespace - Publish only the container labels and pod namespace.
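
The following Python sketch is an added example, not code from the tool: it checks a meta string against the groups and fields documented on this page before the configuration is deployed. The names parse_meta and task and the whitespace trimming are assumptions; the .min groups are reported rather than expanded because the page does not list their members.

```python
# Added example: validate a meta option string against the groups and
# fields documented on this page. This is not the tool's own parser.
FIELDS = {
    "process": ["pid", "name", "cmd", "exe", "startedAt", "endedAt", "ns", "caps"],
    "container": ["id", "name", "cri", "labels", "annotations", "image",
                  "status", "createdAt"],
    "pod": ["id", "name", "namespace", "labels", "annotations", "createdAt"],
    "interface": ["index", "mtu", "name", "ns", "type", "state", "hrdaddr",
                  "flags", "addrs"],
}
ALL_FIELDS = {f"{c}.{f}" for c, names in FIELDS.items() for f in names}


def parse_meta(spec, task=None):
    """Return (fields, min_groups, problems) for a '+'-separated meta spec.

    fields     -- explicit fields selected, with full groups expanded
    min_groups -- '.min' groups requested; the page does not list their
                  members, so they are reported rather than expanded
    task       -- hypothetical argument: the task the spec is meant for
    """
    fields, min_groups, problems = set(), set(), []
    for token in spec.split("+"):
        token = token.strip()  # assumption: surrounding spaces are ignored
        category, _, rest = token.partition(".")
        if not token:
            problems.append("empty entry (stray '+')")
            continue
        if token == "all":
            fields.update(ALL_FIELDS)
        elif token in FIELDS:  # a whole category, e.g. "process"
            fields.update(f"{token}.{name}" for name in FIELDS[token])
        elif token == "all.min" or (rest == "min" and category in FIELDS):
            min_groups.add(token)
        elif token in ALL_FIELDS:  # an individual field, e.g. "process.pid"
            fields.add(token)
        else:
            problems.append(f"unknown group or field: {token!r}")
            continue
        # The page describes interface metadata as specific to capture.
        if category == "interface" and task not in (None, "capture"):
            problems.append(f"{token!r} is specific to the capture task")
    return sorted(fields), sorted(min_groups), problems
```

Running it over a proposed value shows exactly which fields a task would publish, which makes an overly broad group such as all easy to spot in review.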

Default Behavior

If the meta option is not specified, the task will publish metadata as it did previously, using the process field. However, if the meta option is provided, the process field will not be published, and all metadata will be organized under the meta field.

Metadata Fields

Below is a table listing the available metadata fields and their descriptions:

| Field | Description |
|---|---|
| process.pid | The process ID. |
| process.name | The process name. |
| process.cmd | The command line used to start the process. |
| process.exe | The full path of the executable file. |
| process.startedAt | The timestamp when the process started. |
| process.endedAt | The timestamp when the process ended. |
| process.ns | The namespace associated with the process. |
| process.caps | The capabilities of the process. |
| container.id | The container ID. |
| container.name | The container name. |
| container.cri | The container runtime interface. |
| container.labels | Labels associated with the container. |
| container.annotations | Annotations associated with the container. |
| container.image | The container image name. |
| container.status | The current status of the container. |
| container.createdAt | The timestamp when the container was created. |
| pod.id | The pod ID. |
| pod.name | The pod name. |
| pod.namespace | The namespace of the pod. |
| pod.labels | Labels associated with the pod. |
| pod.annotations | Annotations associated with the pod. |
| pod.createdAt | The timestamp when the pod was created. |
| interface.index | The index of the network interface. |
| interface.mtu | The Maximum Transmission Unit (MTU) of the interface. |
| interface.name | The name of the network interface. |
| interface.ns | The network namespace of the interface. |
| interface.type | The type of the interface (e.g., ethernet). |
| interface.state | The state of the interface (e.g., up, down). |
| interface.hrdaddr | The hardware address of the interface. |
| interface.flags | The flags associated with the interface (e.g., broadcast, multicast). |
| interface.addrs | IP addresses assigned to the interface. |

Example Output

Here is an example of the JSON output with a configured meta field:

{
  "data": [
    {
      "data": {
        "meta": {
          "interface": {
            "index": 1,
            "mtu": 1500,
            "name": "eth0",
            "ns": "NSHandle(1)",
            "type": "eth",
            "state": "up",
            "hrdaddr": "00:00:00:00:00:00",
            "flags": ["up", "broadcast", "multicast"],
            "addrs": ["12.123.12.123/24"]
          },
          "pod": {
            "id": "a",
            "name": "mypod",
            "namespace": "myns",
            "labels": {
              "app": "myapp"
            },
            "annotations": {
              "app": "myapp"
            },
            "createdAt": "2224-08-21T16:49:15.291065"
          }
        }
      }
    }
  ]
}