Skip to content

[8.x](backport #41410) [add_session_metadata] Always use correct code for backend in use. #41413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mjwolf merged 1 commit into from
Oct 24, 2024
Merged

[8.x](backport #41410) [add_session_metadata] Always use correct code for backend in use. #41413

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 30 additions & 22 deletions x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,10 @@ import (
)

const (
processorName = "add_session_metadata"
logName = "processor." + processorName
processorName = "add_session_metadata"
logName = "processor." + processorName
procfsType = "procfs"
kernelTracingType = "kernel_tracing"
)

// InitializeModule initializes this module.
Expand All @@ -36,13 +38,14 @@ func InitializeModule() {
}

type addSessionMetadata struct {
ctx context.Context
cancel context.CancelFunc
config config
logger *logp.Logger
db *processdb.DB
provider provider.Provider
backend string
ctx context.Context
cancel context.CancelFunc
config config
logger *logp.Logger
db *processdb.DB
provider provider.Provider
backend string
providerType string
}

func New(cfg *cfg.C) (beat.Processor, error) {
Expand All @@ -61,51 +64,56 @@ func New(cfg *cfg.C) (beat.Processor, error) {
return nil, fmt.Errorf("failed to create DB: %w", err)
}

if c.Backend != "kernel_tracing" {
backfilledPIDs := db.ScrapeProcfs()
logger.Infof("backfilled %d processes", len(backfilledPIDs))
}

var p provider.Provider
var pType string

switch c.Backend {
case "auto":
p, err = kerneltracingprovider.NewProvider(ctx, logger)
if err != nil {
// Most likely cause of error is not supporting ebpf or kprobes on system, try procfs
backfilledPIDs := db.ScrapeProcfs()
logger.Infof("backfilled %d processes", len(backfilledPIDs))
p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
if err != nil {
cancel()
return nil, fmt.Errorf("failed to create provider: %w", err)
}
logger.Info("backend=auto using procfs")
pType = procfsType
} else {
logger.Info("backend=auto using kernel_tracing")
pType = kernelTracingType
}
case "procfs":
backfilledPIDs := db.ScrapeProcfs()
logger.Infof("backfilled %d processes", len(backfilledPIDs))
p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
if err != nil {
cancel()
return nil, fmt.Errorf("failed to create procfs provider: %w", err)
}
pType = procfsType
case "kernel_tracing":
p, err = kerneltracingprovider.NewProvider(ctx, logger)
if err != nil {
cancel()
return nil, fmt.Errorf("failed to create kernel_tracing provider: %w", err)
}
pType = kernelTracingType
default:
cancel()
return nil, fmt.Errorf("unknown backend configuration")
}
return &addSessionMetadata{
ctx: ctx,
cancel: cancel,
config: c,
logger: logger,
db: db,
provider: p,
backend: c.Backend,
ctx: ctx,
cancel: cancel,
config: c,
logger: logger,
db: db,
provider: p,
backend: c.Backend,
providerType: pType,
}, nil
}

Expand Down Expand Up @@ -161,7 +169,7 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
}

var fullProcess types.Process
if p.backend == "kernel_tracing" {
if p.providerType == kernelTracingType {
// kernel_tracing doesn't enrich with the processor DB; process info is taken directly from quark cache
proc, err := p.provider.GetProcess(pid)
if err != nil {
Expand Down