[auditbeat] Use shared process cache in add_session_metadata processor
#40934
+695
−420
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
botelastic
bot
added
the
needs_team
haesbaert
approved these changes
Oct 15, 2024
leehinman
approved these changes
Oct 15, 2024
andrewkroh
reviewed
Oct 15, 2024
x-pack/auditbeat/processors/sessionmd/docs/add_session_metadata.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/docs/add_session_metadata.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/modernprovider/modernprovider_linux.go
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/modernprovider/modernprovider_linux.go
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/modernprovider/modernprovider_linux.go
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/modernprovider/modernprovider_linux.go
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/modernprovider/modernprovider_linux.go
Outdated
Show resolved
Hide resolved
|
@andrewkroh Thanks for the review! I've address all the comments now |
andrewkroh
reviewed
Oct 16, 2024
...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go
Outdated
Show resolved
Hide resolved
x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go
Outdated
Show resolved
Hide resolved
...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go
Outdated
Show resolved
Hide resolved
...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go
Outdated
Show resolved
Hide resolved
...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go
Outdated
Show resolved
Hide resolved
...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go
Outdated
Show resolved
Hide resolved
andrewkroh
reviewed
Oct 16, 2024
andrewkroh
reviewed
Oct 16, 2024
There was a problem hiding this comment.
I did not review much of the logic kernel trace provider. I was focused mostly on general Go issues. Some areas to follow-up on:
- Multi-threaded testing with the Go race detector enabled.
- Review log verbosity while running the processor.
- Ensure the backoff/wait logic has full test coverage.
andrewkroh
reviewed
Oct 16, 2024
...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go
Outdated
Show resolved
Hide resolved
andrewkroh
approved these changes
Oct 16, 2024
mergify bot
pushed a commit
that referenced
this pull request
Oct 16, 2024
…sor (#40934) This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark. The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat. With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens. The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future. (cherry picked from commit 9992eb5)
pierrehilbert
pushed a commit
that referenced
this pull request
Oct 16, 2024
…sor (#40934) (#41250) This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark. The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat. With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens. The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future. (cherry picked from commit 9992eb5) Co-authored-by: Michael Wolf <[email protected]>
belimawr
pushed a commit
to belimawr/beats
that referenced
this pull request
Oct 18, 2024
…sor (elastic#40934) This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark. The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat. With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens. The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
This changes to use a shared process cache in the
add_session_metadataprocessor. This cache is provided by quark and go-quark.The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat.
With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens.
The
add_session_metadataprocess DB code isn't removed, since it's still used by theprocfsbackend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future.Checklist
I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Disruptive User Impact
In the
add_session_metadataprocessor config,modernbackend replacedebpf(autois still the preferred config setting, and does not change). Anyone that has manually setepbfbackend will need to change tomodern. This processor is in beta, so I think this change is OK.How to test this PR locally
For users, this change should be transparent, it can be tested in the same way as the existing
add_session_metadataprocessor.