stores

NAME

tracee --stores - Configure data stores for DNS cache and process tree

SYNOPSIS

tracee --stores [dns|dns.max-entries=size|process|process.max-processes=size|process.max-threads=size] [--stores ...]

DESCRIPTION

The --stores flag allows you to configure data stores for DNS cache and process tree functionality.

DNS Store Options

  • dns: Enable the DNS cache store with default settings. When enabled, Tracee will cache DNS query information for enrichment of network events.

  • dns.max-entries=size: Enable the DNS cache store and set the maximum number of DNS query trees to cache. Default is 5000. Once the limit is reached, further queries may still be cached. Note: Using this option automatically enables DNS, so you don't need to also specify --stores dns.

Process Store Options

  • process: Enable the process tree store with default settings. When enabled, Tracee will maintain a tree of processes and threads for enrichment of events. Note: Process tree is enabled by default.

  • process.max-processes=size: Enable the process tree store and set the maximum number of processes to cache in the process tree. Default is 10000. This is an LRU cache that will evict least recently accessed entries when full. Note: Using this option automatically enables process, so you don't need to also specify --stores process.

  • process.max-threads=size: Enable the process tree store and set the maximum number of threads to cache in the process tree. Default is 0 (thread tracking disabled to save memory). This is an LRU cache that will evict least recently accessed entries when full. Note: Using this option automatically enables process, so you don't need to also specify --stores process.

Note: Procfs initialization happens automatically when the process tree is enabled. At startup, Tracee scans /proc to populate the process tree with all existing processes and threads, ensuring complete process ancestry information is available.

EXAMPLES

  1. Enable DNS cache:

    --stores dns
    

  2. Enable DNS cache with custom size:

    --stores dns.max-entries=10000
    

Note: dns.max-entries automatically enables DNS, so --stores dns is not needed.

  3. Enable process tree:

    --stores process
    

  4. Enable process tree with custom cache sizes:

    --stores process.max-processes=8192 --stores process.max-threads=16384
    

Note: process.max-processes and process.max-threads automatically enable process, so --stores process is not needed.

  5. Combine DNS and process stores:

    --stores dns.max-entries=5000 --stores process.max-processes=8192
    

Note: Since dns.max-entries automatically enables DNS and process.max-processes automatically enables process, you don't need --stores dns or --stores process.

  6. Complete configuration example:

    --stores dns.max-entries=5000 --stores process.max-processes=8192 --stores process.max-threads=16384
    

Note: All process options automatically enable process, and dns.max-entries automatically enables DNS, so you don't need --stores dns or --stores process.
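
The following Go sketch is an added example, not Tracee's own code: it resolves the effective store configuration from a list of --stores values using the options and defaults documented above, and rejects malformed ones. ResolveStores and StoresConfig are hypothetical names; the sketch assumes the DNS store stays off unless a dns option is given, and it rejects negative sizes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type StoresConfig struct { // effective setup resolved from --stores values
	DNSEnabled, ProcessEnabled              bool
	DNSMaxEntries, MaxProcesses, MaxThreads int
}

// ResolveStores is a hypothetical helper, not Tracee code; DNS off by default is an assumption.
func ResolveStores(values []string) (StoresConfig, error) {
	// Documented defaults: process tree on, 5000 entries, 10000 processes, 0 threads.
	cfg := StoresConfig{ProcessEnabled: true, DNSMaxEntries: 5000, MaxProcesses: 10000}
	for _, v := range values {
		key, raw, hasValue := strings.Cut(v, "=")
		var size *int // non-nil when the option carries a size
		switch key {
		case "dns":
			cfg.DNSEnabled = true
		case "process":
			cfg.ProcessEnabled = true
		case "dns.max-entries": // implies dns
			cfg.DNSEnabled, size = true, &cfg.DNSMaxEntries
		case "process.max-processes": // implies process
			cfg.ProcessEnabled, size = true, &cfg.MaxProcesses
		case "process.max-threads": // implies process
			cfg.ProcessEnabled, size = true, &cfg.MaxThreads
		default:
			return cfg, fmt.Errorf("unknown store option %q", v)
		}
		if (size != nil) != hasValue {
			return cfg, fmt.Errorf("%q: a value is required for sized options only", v)
		}
		if size != nil {
			n, err := strconv.Atoi(raw)
			if err != nil || n < 0 { // rejecting negatives is this example's choice
				return cfg, fmt.Errorf("invalid size in %q", v)
			}
			*size = n
		}
	}
	return cfg, nil
}

func main() {
	fmt.Println(ResolveStores([]string{"dns.max-entries=5000", "process.max-threads=16384"}))
}
```
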

Please refer to the DataStore API documentation for information about using these stores in detectors: