[auditbeat] Use shared process cache in `add_session_metadata` processor #40934

mjwolf · 2024-09-20T22:09:45Z

Proposed commit message

This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark.

The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat.

With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens.

The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future.

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
~~I have made corresponding change to the default configuration files~~
I have added tests that prove my fix is effective or that my feature works
I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

In the add_session_metadata processor config, modern backend replaced ebpf (auto is still the preferred config setting, and does not change). Anyone that has manually set epbf backend will need to change to modern. This processor is in beta, so I think this change is OK.

How to test this PR locally

For users, this change should be transparent, it can be tested in the same way as the existing add_session_metadata processor.

x-pack/auditbeat/processors/sessionmd/docs/add_session_metadata.asciidoc

x-pack/auditbeat/processors/sessionmd/provider/modernprovider/modernprovider_linux.go

x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go

x-pack/auditbeat/processors/sessionmd/provider/modernprovider/modernprovider_linux.go

x-pack/auditbeat/processors/sessionmd/add_session_metadata.go

mjwolf · 2024-10-16T01:02:41Z

@andrewkroh Thanks for the review! I've address all the comments now

...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go

x-pack/auditbeat/processors/sessionmd/provider/procfsprovider/procfsprovider.go

x-pack/auditbeat/processors/sessionmd/add_session_metadata.go

...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go

x-pack/auditbeat/processors/sessionmd/add_session_metadata.go

andrewkroh

I did not review much of the logic kernel trace provider. I was focused mostly on general Go issues. Some areas to follow-up on:

Multi-threaded testing with the Go race detector enabled.
Review log verbosity while running the processor.
Ensure the backoff/wait logic has full test coverage.

...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go

…sor (#40934) This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark. The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat. With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens. The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future. (cherry picked from commit 9992eb5)

…sor (#40934) (#41250) This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark. The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat. With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens. The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future. (cherry picked from commit 9992eb5) Co-authored-by: Michael Wolf <[email protected]>

…sor (elastic#40934) This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark. The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat. With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens. The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future.

mjwolf added 28 commits May 24, 2024 11:19

WIP

517ca28

rename packages

fc949de

Get provider working

0dab06c

Add pgid and tty info

f0c76b2

use default attr

2d6054f

WIP

07b9d79

Enrich parent, group leader, session leader with info from quark events

1f83306

WIP

c630b75

Merge branch 'quark2' of github.com:mjwolf/beats into quark2

8c5da38

WIP

0f701dc

WIP

c2fa815

formatting

d7e5d99

Merge branch 'quark2' of github.com:mjwolf/beats into quark2

8f1cf0b

redo sync

a08abf0

Merge remote-tracking branch 'upstream/main' into quark2

ee4f252

Use quark entryleader

6019016

Merge branch 'quark2' of github.com:mjwolf/beats into quark2

0bc0666

Use quark entryleader

2feebe1

Send end time

298d59c

Update timestamp calculations

4dfeb9f

Merge remote-tracking branch 'upstream/main' into quark2

77ea6f3

update quark ref

3fa6dd3

Use new quark version

590c0eb

protect quark calls with lock

5cca22f

Set more things correctly

743d15f

Replace legacy ebpf provider with modern provider

cb255eb

format

c49bfe5

use quark package

f3ace30

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 20, 2024

mergify bot assigned mjwolf Sep 20, 2024

mjwolf added 2 commits October 14, 2024 22:11

Use published elastic/go-quark

2da7e36

Merge branch 'main' into modern-session-view

8f427cb

mjwolf requested a review from AndersonQ October 15, 2024 05:14

mjwolf added 3 commits October 15, 2024 09:49

upgrade to go-quark v0.1.1

48c510d

Merge remote-tracking branch 'upstream/main' into modern-session-view

4aee1ed

stop enrichment on error

07b8576

haesbaert approved these changes Oct 15, 2024

View reviewed changes

mjwolf enabled auto-merge (squash) October 15, 2024 17:27

leehinman approved these changes Oct 15, 2024

View reviewed changes

mjwolf disabled auto-merge October 15, 2024 18:18

update to go-quark v0.1.2

71e9d27

mjwolf enabled auto-merge (squash) October 15, 2024 18:46

andrewkroh reviewed Oct 15, 2024

View reviewed changes

mjwolf added 2 commits October 15, 2024 15:41

Merge remote-tracking branch 'upstream/main' into modern-session-view

fc7671e

rework from code review feedback

87a33cf

change to pointer receiver

b2eb7dd

andrewkroh reviewed Oct 16, 2024

View reviewed changes

x-pack/auditbeat/processors/sessionmd/add_session_metadata.go Show resolved Hide resolved

andrewkroh reviewed Oct 16, 2024

View reviewed changes

more review feedback changes

874902c

andrewkroh reviewed Oct 16, 2024

View reviewed changes

...auditbeat/processors/sessionmd/provider/kerneltracingprovider/kerneltracingprovider_linux.go Outdated Show resolved Hide resolved

Merge branch 'main' into modern-session-view

0fb5dc0

andrewkroh approved these changes Oct 16, 2024

View reviewed changes

mjwolf merged commit 9992eb5 into elastic:main Oct 16, 2024
143 checks passed

mergify bot mentioned this pull request Oct 16, 2024

[8.x](backport #40934) [auditbeat] Use shared process cache in add_session_metadata processor #41250

Merged

6 tasks

mjwolf deleted the modern-session-view branch October 16, 2024 04:46

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[auditbeat] Use shared process cache in `add_session_metadata` processor #40934

[auditbeat] Use shared process cache in `add_session_metadata` processor #40934

mjwolf commented Sep 20, 2024 •

edited

Loading

mjwolf commented Oct 16, 2024

andrewkroh left a comment

[auditbeat] Use shared process cache in add_session_metadata processor #40934

[auditbeat] Use shared process cache in add_session_metadata processor #40934

Conversation

mjwolf commented Sep 20, 2024 • edited Loading

Proposed commit message

Checklist

Disruptive User Impact

How to test this PR locally

mjwolf commented Oct 16, 2024

andrewkroh left a comment

Choose a reason for hiding this comment

[auditbeat] Use shared process cache in `add_session_metadata` processor #40934

[auditbeat] Use shared process cache in `add_session_metadata` processor #40934

mjwolf commented Sep 20, 2024 •

edited

Loading