From 1e02d03da19032c990bb88526fe077f2215e8f8b Mon Sep 17 00:00:00 2001 From: Michael Wolf Date: Wed, 23 Oct 2024 23:29:05 -0700 Subject: [PATCH] [add_session_metadata] Always use correct code for backend in use. (#41410) With the add_session_metadata processor, the config backend option and actual backend in use doesn't always match; the 'auto' option doesn't match a real backend (kernel_tracing, procfs). This fixes some logic so that when the 'auto' option is used, the processor will always follow the code path intended for whatever the actual backend is use is. (cherry picked from commit 0024b2ce327285e22b369ebae42eaa5e9e132f2c)
---
 .../sessionmd/add_session_metadata.go | 52 +++++++++++--------
 1 file changed, 30 insertions(+), 22 deletions(-)
diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
index a4646b6b6685..a01c80643256 100644
--- a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
+++ b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
@@ -26,8 +26,10 @@ import (
 )
 
 const (
- processorName = "add_session_metadata"
- logName = "processor." + processorName
+ processorName = "add_session_metadata"
+ logName = "processor." + processorName
+ procfsType = "procfs"
+ kernelTracingType = "kernel_tracing"
 )
 
 // InitializeModule initializes this module.
@@ -36,13 +38,14 @@ func InitializeModule() {
 }
 
 type addSessionMetadata struct {
- ctx context.Context
- cancel context.CancelFunc
- config config
- logger *logp.Logger
- db *processdb.DB
- provider provider.Provider
- backend string
+ ctx context.Context
+ cancel context.CancelFunc
+ config config
+ logger *logp.Logger
+ db *processdb.DB
+ provider provider.Provider
+ backend string
+ providerType string
 }
 
 func New(cfg *cfg.C) (beat.Processor, error) {
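Review bot: procfsType and kernelTracingType hold exactly the strings that the `case "procfs":` and `case "kernel_tracing":` labels in New's switch (the @@ -61,51 hunk) still spell out as literals, so the accepted config value and the recorded provider type can drift independently. Change the labels to `case procfsType:` and `case kernelTracingType:` so the constant is the single definition of each backend name. The constants also have no comment saying what they are; `// Names of the concrete backends, as accepted in the config and recorded in addSessionMetadata.providerType.` above the pair would do.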
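Review bot: The new providerType field has no comment, and the struct now carries two overlapping fields: backend (the configured string, which may be "auto") and providerType (the backend New actually constructed). Document the distinction on the field, e.g. `// providerType is the backend New actually instantiated (procfsType or kernelTracingType); unlike backend it is never "auto".` If nothing else reads backend after this change, consider dropping it so there is a single source of truth; its other uses are not visible from this hunk.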
@@ -61,51 +64,56 @@ func New(cfg *cfg.C) (beat.Processor, error) {
 return nil, fmt.Errorf("failed to create DB: %w", err)
 }
 
- if c.Backend != "kernel_tracing" {
- backfilledPIDs := db.ScrapeProcfs()
- logger.Infof("backfilled %d processes", len(backfilledPIDs))
- }
-
 var p provider.Provider
+ var pType string
 switch c.Backend {
 case "auto":
 p, err = kerneltracingprovider.NewProvider(ctx, logger)
 if err != nil {
 // Most likely cause of error is not supporting ebpf or kprobes on system, try procfs
+ backfilledPIDs := db.ScrapeProcfs()
+ logger.Infof("backfilled %d processes", len(backfilledPIDs))
 p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
 if err != nil {
 cancel()
 return nil, fmt.Errorf("failed to create provider: %w", err)
 }
 logger.Info("backend=auto using procfs")
+ pType = procfsType
 } else {
 logger.Info("backend=auto using kernel_tracing")
+ pType = kernelTracingType
 }
 case "procfs":
+ backfilledPIDs := db.ScrapeProcfs()
+ logger.Infof("backfilled %d processes", len(backfilledPIDs))
 p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
 if err != nil {
 cancel()
 return nil, fmt.Errorf("failed to create procfs provider: %w", err)
 }
+ pType = procfsType
 case "kernel_tracing":
 p, err = kerneltracingprovider.NewProvider(ctx, logger)
 if err != nil {
 cancel()
 return nil, fmt.Errorf("failed to create kernel_tracing provider: %w", err)
 }
+ pType = kernelTracingType
 default:
 cancel()
 return nil, fmt.Errorf("unknown backend configuration")
 }
 
 return &addSessionMetadata{
- ctx: ctx,
- cancel: cancel,
- config: c,
- logger: logger,
- db: db,
- provider: p,
- backend: c.Backend,
+ ctx: ctx,
+ cancel: cancel,
+ config: c,
+ logger: logger,
+ db: db,
+ provider: p,
+ backend: c.Backend,
+ providerType: pType,
 }, nil
 }
 
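Review bot: In the `case "auto":` branch the error returned by kerneltracingprovider.NewProvider is discarded once the procfs fallback succeeds, so an operator who configured auto and expected kernel_tracing has no log line explaining why the processor is running on procfs instead. Record it before falling back, e.g. `logger.Infof("backend=auto: kernel_tracing provider unavailable (%v), falling back to procfs", err)` next to the existing comment. The two-line ScrapeProcfs/Infof backfill is now duplicated in the auto fallback and in `case "procfs":`; a small helper such as `backfill := func() { n := len(db.ScrapeProcfs()); logger.Infof("backfilled %d processes", n) }` declared before the switch would keep the two copies from drifting.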
@@ -161,7 +169,7 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 }
 
 var fullProcess types.Process
- if p.backend == "kernel_tracing" {
+ if p.providerType == kernelTracingType {
 // kernel_tracing doesn't enrich with the processor DB; process info is taken directly from quark cache
 proc, err := p.provider.GetProcess(pid)
 if err != nil {