Output Options
Tracee supports different output options for customizing the way events are printed. For a complete list of available options.
Available options:
- stack-addresses

  Makes it possible to pick stack memory addresses from each event.

      output:
        options:
          stack-addresses: true

- parse-arguments

  For a better experience with the output provided by Tracee, you may opt to parse event arguments into a human-readable format.

      output:
        options:
          parse-arguments: true

- exec-env

  Sometimes it is also important to know the execution environment variables whenever an event is detected, especially when detecting an execve event.

      output:
        options:
          exec-env: true

- exec-hash

  This is a special output option for sched_process_exec that lets the user get the file hash and process ctime (particularly interesting if you would like to compare executed binaries against a list of known hashes, for example).

      output:
        options:
          exec-hash: dev-inode

- relative-time

  The relative-time output option enables relative timestamps instead of wall-clock timestamps for events.

      output:
        options:
          relative-time: true

- sort-events

  This makes it possible to sort the events as they happened. Especially in systems where Tracee tracks lots of events, it can happen that they are received unordered. More information is provided in the deep-dive section of the documentation.

      output:
        options:
          sort-events: true
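
The exec-hash option above mentions comparing executed binaries against a list of known hashes. The following is an added example, not part of the Tracee documentation or code base, that does this over JSON events. It assumes one JSON event per line with the fields `eventName`, `processId` and `args` (a list of `name`/`value` pairs, including `pathname` and `sha256`); check these names against your Tracee version. The allowlist and events are constructed.

```python
import json

# Constructed allowlist of SHA-256 digests for approved binaries (placeholder value).
KNOWN_GOOD = {"a" * 64}


def _event(name, pid, **args):
    """Build one constructed event line in the assumed JSON layout."""
    return json.dumps({"eventName": name, "processId": pid,
                       "args": [{"name": k, "value": v} for k, v in args.items()]})


# Constructed sample input, not real Tracee output.
SAMPLE_LINES = [
    _event("sched_process_exec", 100, pathname="/usr/bin/ls", sha256="a" * 64),
    _event("sched_process_exec", 101, pathname="/tmp/x", sha256="b" * 64),
    _event("sched_process_exec", 102, pathname="/usr/bin/cat"),  # hash missing
    _event("openat", 103, pathname="/etc/passwd"),               # other event
    '{"eventName": "sched_process_exec", "proc',                 # truncated line
]


def classify_execs(lines, known_good):
    """Return (pid, pathname, verdict) for each sched_process_exec event.

    verdict is "known", "unknown", or "no-hash" (exec-hash not enabled, or
    the file could not be hashed). "no-hash" is kept separate so a missing
    digest is never silently treated as approved.
    """
    results = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or non-JSON lines
        if not isinstance(event, dict) or event.get("eventName") != "sched_process_exec":
            continue
        args = {a.get("name"): a.get("value") for a in event.get("args") or []}
        digest = args.get("sha256")
        if not digest:
            verdict = "no-hash"
        elif digest.lower() in known_good:
            verdict = "known"
        else:
            verdict = "unknown"
        results.append((event.get("processId"), args.get("pathname"), verdict))
    return results


if __name__ == "__main__":
    for pid, path, verdict in classify_execs(SAMPLE_LINES, KNOWN_GOOD):
        print(f"{verdict:8} pid={pid} {path}")
```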