From c89152d64fb88c25d0a0520a22adc8c193b7845a Mon Sep 17 00:00:00 2001
From: davisshannon <williamshannondavis@gmail.com>
Date: Thu, 28 Jan 2021 12:37:07 +1100
Subject: [PATCH] Update to props.conf

Added field alias for columns.cmdline to map to the process field.
---
 default/props.conf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/default/props.conf b/default/props.conf
index 45c1717..cfc2e41 100644
--- a/default/props.conf
+++ b/default/props.conf
@@ -9,7 +9,7 @@ pulldown_type = 1
 EXTRACT-severity,timestamp,threadid,file,line,message = ^(?P<severity>\w)(?P<timestamp>\d+\s+\d+:\d+:\d+\.\d+)\s+(?P<threadid>\d+)\s+(?P<file>[^:]+):(?P<line>\d+)\]\s+(?P<message>.+)
 TIME_FORMAT = %m%d %k:%M:%S.%6N
 TIME_PREFIX = ^\w
-MAX_TIMESTAMP_LOOKAHEAD = 20 
+MAX_TIMESTAMP_LOOKAHEAD = 20
 TRANSFORMS-kill_header = eliminate_header
 
 [osquery:info]
@@ -19,7 +19,7 @@ pulldown_type = 1
 EXTRACT-severity,timestamp,threadid,file,line,message = ^(?P<severity>\w)(?P<timestamp>\d+\s+\d+:\d+:\d+\.\d+)\s+(?P<threadid>\d+)\s+(?P<file>[^:]+):(?P<line>\d+)\]\s+(?P<message>.+)
 TIME_FORMAT = %m%d %k:%M:%S.%6N
 TIME_PREFIX = ^\w
-MAX_TIMESTAMP_LOOKAHEAD = 20 
+MAX_TIMESTAMP_LOOKAHEAD = 20
 TRANSFORMS-kill_header = eliminate_header
 
 [osquery:warning]
@@ -29,7 +29,7 @@ pulldown_type = 1
 EXTRACT-severity,timestamp,threadid,file,line,message = ^(?P<severity>\w)(?P<timestamp>\d+\s+\d+:\d+:\d+\.\d+)\s+(?P<threadid>\d+)\s+(?P<file>[^:]+):(?P<line>\d+)\]\s+(?P<message>.+)
 TIME_FORMAT = %m%d %k:%M:%S.%6N
 TIME_PREFIX = ^\w
-MAX_TIMESTAMP_LOOKAHEAD = 20 
+MAX_TIMESTAMP_LOOKAHEAD = 20
 TRANSFORMS-kill_header = eliminate_header
 
 ## Snapshots
@@ -86,3 +86,4 @@ EXTRACT-process_exec = .*path\":\"\\\/(.+?\/)*(?<process_exec>.+?)\"
 FIELDALIAS-process_id = columns.pid AS process_id
 FIELDALIAS-process_path = columns.path AS process_path
 FIELDALIAS-user_id = columns.uid AS user_id
+FIELDALIAS-process = columns.cmdline AS process