Add input metrics to Auditbeat #36945
Assignees
Labels
Comments
botelastic
bot
added
the
needs_team
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
|
As discussed with with @andrewkroh. |
6 tasks
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Oct 26, 2023
Make metrics published by "inputs" available through the /inputs/ route on the HTTP monitoring endpoint of Auditbeat and Metricbeat. For Agent, include a snapshot of those metrics within the Agent diagnostics bundle as "input_metrics.json". When running under Agent, each module instance is configured with only a single metricset. That module is given a unique `id`. That ID is what will be used as the `id` within the /inputs/ data. And that `id` will also be added as context to the logger that is passed into every metricset so that any log messages from a metricset can be associated back to the agent stream ID). Relates elastic#36945
|
The metricbeat framework that Auditbeat is built upon provides each MetricSet instance with its own Line 145 in 2bdc35b You can begin instrumenting auditbeat dataset by doing something like this: diff --git a/x-pack/auditbeat/module/system/socket/socket_linux.go b/x-pack/auditbeat/module/system/socket/socket_linux.go
index c7b7a97945..b267422174 100644
--- a/x-pack/auditbeat/module/system/socket/socket_linux.go
+++ b/x-pack/auditbeat/module/system/socket/socket_linux.go
@@ -32,6 +32,7 @@ import (
"github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
"github.com/elastic/elastic-agent-libs/logp"
"github.com/elastic/elastic-agent-libs/mapstr"
+ "github.com/elastic/elastic-agent-libs/monitoring"
"github.com/elastic/go-perf"
"github.com/elastic/go-sysinfo"
"github.com/elastic/go-sysinfo/providers/linux"
@@ -77,6 +78,8 @@ type MetricSet struct {
isDebug bool
isDetailed bool
terminated sync.WaitGroup
+
+ cacheSize *monitoring.Uint
}
func init() {
@@ -138,6 +141,7 @@ func newSocketMetricset(config Config, base mb.BaseMetricSet) (*MetricSet, error
detailLog: logp.NewLogger(detailSelector),
isDetailed: logp.HasSelector(detailSelector),
sniffer: sniffer,
+ cacheSize: monitoring.NewUint(base.Metrics(), "cache_size"),
}
// Setup the metricset before Run() so that startup can be halted in case of
// error.Assuming your auditbeat.yml config contains http.host: 127.0.0.1
http.port: 6060then that new metric would be visible when you query |
|
The metrics registered by the beats/auditbeat/module/auditd/audit_linux.go Lines 66 to 72 in ee864b5 For example, I think this would work fine: |
|
Another issue I noticed is that the Metricbeat framework provides a logger to each MetricSet instance, but Auditbeat is not using that logger. Instead it creates its own which might result in inconsistencies, particularly after #36971 merges which adds the Fleet stream We should make sure that we use that logger as the starting point for any loggers within out modules. For example diff --git a/auditbeat/module/file_integrity/metricset.go b/auditbeat/module/file_integrity/metricset.go
index bcada27db9..d2a0a18d6d 100644
--- a/auditbeat/module/file_integrity/metricset.go
+++ b/auditbeat/module/file_integrity/metricset.go
@@ -171,7 +171,7 @@ func (ms *MetricSet) init(reporter mb.PushReporterV2) bool {
ms.scanStart = time.Now().UTC()
if ms.config.ScanAtStart {
- ms.scanner, err = NewFileSystemScanner(ms.config, ms.findNewPaths())
+ ms.scanner, err = NewFileSystemScanner(ms.Logger(), ms.config, ms.findNewPaths())
if err != nil {
err = fmt.Errorf("failed to initialize file scanner: %w", err)
reporter.Error(err)
diff --git a/auditbeat/module/file_integrity/scanner.go b/auditbeat/module/file_integrity/scanner.go
index cef40df630..5b2933d056 100644
--- a/auditbeat/module/file_integrity/scanner.go
+++ b/auditbeat/module/file_integrity/scanner.go
@@ -52,9 +52,9 @@ type scanner struct {
// NewFileSystemScanner creates a new EventProducer instance that scans the
// configured file paths. Files and directories in new paths are recorded with
// the action `found`.
-func NewFileSystemScanner(c Config, newPathsInConfig map[string]struct{}) (EventProducer, error) {
+func NewFileSystemScanner(logger *logp.Logger, c Config, newPathsInConfig map[string]struct{}) (EventProducer, error) {
return &scanner{
- log: logp.NewLogger(moduleName).With("scanner_id", atomic.AddUint32(&scannerID, 1)),
+ log: logger.With("scanner_id", atomic.AddUint32(&scannerID, 1)),
config: c,
newPaths: newPathsInConfig,
eventC: make(chan Event, 1), |
andrewkroh
added a commit
to andrewkroh/beats
that referenced
this issue
Oct 26, 2023
Make metrics published by "inputs" available through the /inputs/ route on the HTTP monitoring endpoint of Auditbeat and Metricbeat. For Agent, include a snapshot of those metrics within the Agent diagnostics bundle as "input_metrics.json". When running under Agent, each module instance is configured with only a single metricset. That module is given a unique `id`. That ID is what will be used as the `id` within the /inputs/ data. And that `id` will also be added as context to the logger that is passed into every metricset so that any log messages from a metricset can be associated back to the agent stream ID). Relates elastic#36945
andrewkroh
added a commit
that referenced
this issue
Oct 27, 2023
Make metrics published by "inputs" available through the /inputs/ route on the HTTP monitoring endpoint of Auditbeat and Metricbeat. For Agent, include a snapshot of those metrics within the Agent diagnostics bundle as "input_metrics.json". When running under Agent, each module instance is configured with only a single metricset. That module is given a unique `id`. That ID is what will be used as the `id` within the /inputs/ data. And that `id` will also be added as context to the logger that is passed into every metricset so that any log messages from a metricset can be associated back to the agent stream ID). Relates #36945 Remove module and metricset keys from metricset metrics. For the `/inputs/` API, `input` is they key used to identify the type of "input" running. The `module` and `metricset` keys become redundant with the addition of `input`. I don't know of anything that relies on those fields.
norrietaylor
added
Team:Security-Linux Platform
|
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform) |
Scholar-Li
pushed a commit
to Scholar-Li/beats
that referenced
this issue
Feb 5, 2024
…tic#36971) Make metrics published by "inputs" available through the /inputs/ route on the HTTP monitoring endpoint of Auditbeat and Metricbeat. For Agent, include a snapshot of those metrics within the Agent diagnostics bundle as "input_metrics.json". When running under Agent, each module instance is configured with only a single metricset. That module is given a unique `id`. That ID is what will be used as the `id` within the /inputs/ data. And that `id` will also be added as context to the logger that is passed into every metricset so that any log messages from a metricset can be associated back to the agent stream ID). Relates elastic#36945 Remove module and metricset keys from metricset metrics. For the `/inputs/` API, `input` is they key used to identify the type of "input" running. The `module` and `metricset` keys become redundant with the addition of `input`. I don't know of anything that relies on those fields.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Set up Auditbeat to use libbeat's
inputmonpackage to collect metrics, as is already done for Packetbeat and Filebeat.It will be important to ensure that a suitable unique, persistent ID is used to refer to each Auditbeat process.
Make sure the Agent integration pulls these metrics from Auditbeat.
Use case:
Once Auditbeat is set up for metric collection, the
system.socketdataset can be instrumented to better understand memory usage in certain reported cases.The text was updated successfully, but these errors were encountered: