packetbeat: add support for NFS v3 and v4 protocols #1231
Jenkins standing by to test this. If you aren't a maintainer, you can ignore this comment. Someone with commit access, please review this and clear it for Jenkins to run; then say 'jenkins, test it'.
One of the questions I would like to know: the other beats use field names with dots, but Elasticsearch 2.0 does not allow that. So is it ok in beats?
Ok. Now it's in a shape that others can use as well; IOW, this is a real pull request now.
xdr Xdr | ||
vers uint32 | ||
proc uint32 | ||
event *common.MapStr |
I would recommend not using a pointer here. Maps are reference types so they are always passed by reference.
fixed.
Thanks for the contribution! Very cool screen shot. A couple miscellaneous points:
I have addressed all issues you pointed out. With style it was not clear; the code used mixed style in various places, like tcptuple.Dst_ip.String(). Anyway, tests added, rebased to current master, branch updated.
Because field names containing dots are not allowed in ES 2.0, we do not use them in Beats. We use nested maps, which give the appearance of field names with dots because you can use dot-notation in Kibana and ES to reference the fields. For example:
It appears that you figured this out. 👍 I neglected to see the question until now.
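The nested-map convention described in the comment above, as an added Go example that is not code from this pull request or from Beats. `doc`, `putNested` and `flatten` are hypothetical helpers, and the event is a constructed sample built from the `type` and `rpc.auth_flavor` fields that the PR's test asserts on.

```go
package main

import (
	"fmt"
	"strings"
)

type doc = map[string]interface{} // hypothetical stand-in for an event map

// putNested stores value under a dotted path such as "rpc.auth_flavor" as
// nested maps, so no key in the resulting document contains a dot.
func putNested(event doc, path string, value interface{}) error {
	keys := strings.Split(path, ".")
	node := event
	for _, k := range keys[:len(keys)-1] {
		child, exists := node[k]
		if !exists {
			child = doc{}
			node[k] = child
		}
		next, ok := child.(doc)
		if !ok { // e.g. "type" already holds a string, so it cannot be an object too
			return fmt.Errorf("%s: %q is already a scalar", path, k)
		}
		node = next
	}
	node[keys[len(keys)-1]] = value
	return nil
}

// flatten returns the dot-notation view that queries and test assertions use.
func flatten(in doc) doc {
	out := doc{}
	for k, v := range in {
		m, ok := v.(doc)
		if !ok {
			out[k] = v
			continue
		}
		for sub, sv := range flatten(m) {
			out[k+"."+sub] = sv
		}
	}
	return out
}

func main() {
	event := doc{"type": "nfs"} // constructed sample event
	fmt.Println(putNested(event, "rpc.auth_flavor", "unix"), flatten(event))
	fmt.Println(putNested(event, "type.name", "x")) // scalar/object clash
}
```

The second call fails because one name cannot be both a scalar and an object in the same document, which is the mapping conflict that dotted field names run into.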
assert o["type"] == "nfs" | ||
assert o["rpc.auth_flavor"] == "unix" | ||
assert "rpc.time" in o |
There appear to be a few tabs here that are throwing off the indentation. Please convert them to spaces. Thanks
sorry about that. fixed.
Looks good. I would like to get at least one more reviewer on this. @elastic/beats
I will create a separate PR for dashboard later on.
@@ -1288,6 +1288,74 @@ trans_event: | |||
description: > | |||
The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database. | |||
|
|||
- name: rpc |
Please run make update to re-generate the packetbeat/docs/fields.asciidoc document.
@kofemann Thank you for the complete PR and the nice dashboard. I have only a small concern. I think it would be easier for the users to understand if we rename the Packetbeat module to |
@monicasarbu I had the same idea; during prototyping I was renaming it already several times :). The reason to call it rpc is that it will be easy to add other oncrpc/sunrpc based protocols as well. Nevertheless, I am fine to rename it. @andrewkroh any strong opinion?
I would rename to |
updated. The fields are still rpc.xxx and nfs.xxx. This makes more sense. You don't put tcp related stuff into the http namespace.
Signed-off-by: Tigran Mkrtchyan <[email protected]>
@kofemann Ok, I agree with you that it makes more sense to have |
thanks! About dashboard: should it go into packetbeat/etc/kibana? Are there any conventions?
@kofemann I am working now on a simple way to import and export the Kibana dashboard. For now, you can only export all the Kibana dashboards and dependencies (visualizations, searches, index-patterns) using the python script from https://github.com/elastic/beats-dashboards/tree/master/save. Please send us a PR against the beats-dashboards repo with all the exported dashboards and dependencies. I can help you to sort them out once the PR is opened. Thanks!
This pull request is more of an RFC. We will run it a bit in production to get more experience. Comments are welcome. The example output: