From a249fdd678661250507801ef38cad01857c0b2ad Mon Sep 17 00:00:00 2001 From: "Eric D. Schabell" Date: Mon, 11 May 2026 20:57:37 +0200 Subject: [PATCH] docs: inputs: ebpf: document trace_exec - Add `trace_exec` to the `Trace` parameter example list. - Add `exec` to the `event_type` enumeration in the Common fields table. - Add a new `Exec trace fields` section documenting the fields produced by the exec trace. Note this is a fix for code changes without corresponding docs PR Signed-off-by: Eric D. Schabell --- pipeline/inputs/ebpf.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/pipeline/inputs/ebpf.md b/pipeline/inputs/ebpf.md index 163a07081..66dc19776 100644 --- a/pipeline/inputs/ebpf.md +++ b/pipeline/inputs/ebpf.md @@ -20,7 +20,7 @@ The plugin supports the following configuration parameters: |:----|:------------|:--------| | `poll_ms` | Set the polling interval in milliseconds for collecting events from the ring buffer. | `1000` | | `ringbuf_map_name` | Set the name of the eBPF ring buffer map to read events from. | `events` | -| `trace` | Set the eBPF trace to enable (for example, `trace_bind`, `trace_malloc`, `trace_signal`, `trace_tcp`, `trace_vfs`). This parameter can be set multiple times to enable multiple traces. | _none_ | +| `trace` | Set the eBPF trace to enable (for example, `trace_bind`, `trace_exec`, `trace_malloc`, `trace_signal`, `trace_tcp`, `trace_vfs`). This parameter can be set multiple times to enable multiple traces. | _none_ | ## System dependencies @@ -130,7 +130,7 @@ All traces include the following fields: | Field | Description | |:------|:------------| -| `event_type` | Type of event (`signal`, `malloc`, `bind`, `tcp`, or `vfs`). | +| `event_type` | Type of event (`signal`, `malloc`, `bind`, `exec`, `tcp`, or `vfs`). | | `pid` | Process ID that generated the event. | | `tid` | Thread ID that generated the event. | | `comm` | Command name (process name) that generated the event. | 
@@ -194,3 +194,19 @@ The `trace_vfs` trace includes these additional fields: | `mode` | File mode bits for the operation. | | `fd` | File descriptor returned by the operation. | | `error_raw` | Error code for the operation (`0` indicates success). | + +### Exec trace fields + +The `trace_exec` trace includes these additional fields: + +| Field | Description | +|:------|:------------| +| `stage` | Execution stage. One of `enter`, `exit`, or `unknown`. | +| `ppid` | Parent process ID. | +| `filename` | Path of the executable being run. | +| `argv` | First argument of the command (`argv[0]`). | +| `argv1` | Second argument of the command (`argv[1]`). | +| `argv2` | Third argument of the command (`argv[2]`). | +| `argv_last` | Final captured argument when more than three are present. | +| `argc` | Total number of arguments. | +| `error_raw` | Error code for the operation (`0` indicates success). |
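Review bot: The `argv_last` row in the new `Exec trace fields` table reads "Final captured argument when more than three are present" but does not say what the field contains when `argc` is three or fewer, and nothing in the section says that arguments between `argv[2]` and the last one are missing from the record. As the table reads, an event carries at most `argv[0]`, `argv[1]`, `argv[2]` and the final argument, so a longer command line is only partly visible to anyone writing detection or audit rules on these events. Suggest a sentence under the table stating that limit, pointing to `argc` as the way to tell that arguments were omitted, and giving the value of `argv_last` (empty or absent) for short command lines. Two smaller points in the same table: the `argv` row holds `argv[0]` while its siblings are index-suffixed (`argv1`, `argv2`), which deserves a word so readers do not take `argv` for the full argument list; and the `stage` and `error_raw` rows should say when `unknown` is emitted and whether `error_raw` is meaningful on `enter` events or only on `exit`.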