[Auditbeat Host] Add host, packages, and processes metricsets #8436
Changes from 18 commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| /auditbeat | ||
| /auditbeat.test | ||
| /data | ||
| /fields.yml |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| BEAT_NAME=auditbeat | ||
| ES_BEATS=../.. | ||
| XPACK_BEAT_PATH?=github.com/elastic/beats/x-pack/${BEAT_NAME} | ||
| GOPACKAGES=$(shell go list ${BEAT_PATH}/... ${XPACK_BEAT_PATH}/... | grep -v /vendor/ | grep -v /scripts/cmd/ ) | ||
| FIND=. ${PYTHON_ENV}/bin/activate; find . ${ES_BEATS}/${BEAT_NAME} -type f -not -path "*/vendor/*" -not -path "*/build/*" -not -path "*/.git/*" | ||
|
|
||
| # Include main auditbeat Makefile | ||
| include ${ES_BEATS}/${BEAT_NAME}/Makefile | ||
|
|
||
| # Overwrite check-headers - check for Apache license in | ||
| # auditbeat/ and Elastic license in xpack/auditbeat/ | ||
| .PHONY: check-headers | ||
| check-headers: | ||
| ifndef CHECK_HEADERS_DISABLED | ||
| @go get -u github.com/elastic/go-licenser | ||
| @go-licenser -d -license ${LICENSE} ${ES_BEATS}/${BEAT_NAME} | ||
| @go-licenser -d -license Elastic . | ||
| endif | ||
|
|
||
| # Overwrite check-headers - insert Apache license in | ||
| # auditbeat/ and Elastic license in xpack/auditbeat/ | ||
| .PHONY: add-headers | ||
| add-headers: | ||
| ifndef CHECK_HEADERS_DISABLED | ||
| @go get github.com/elastic/go-licenser | ||
| @go-licenser -license ${LICENSE} ${ES_BEATS}/${BEAT_NAME} | ||
| @go-licenser -license Elastic . | ||
| endif |
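Review bot: The comment above `add-headers` still reads "Overwrite check-headers", copied from the block before it; it should name `add-headers`. The two targets also fetch the tool differently: `check-headers` runs `go get -u github.com/elastic/go-licenser` while `add-headers` runs `go get` without `-u`, so they can end up running different go-licenser versions, and both pull an unpinned tool at build time. Use the same invocation in both targets and consider pinning or vendoring go-licenser.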
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| // or more contributor license agreements. Licensed under the Elastic License; | ||
| // you may not use this file except in compliance with the Elastic License. | ||
|
|
||
| package cache | ||
|
|
||
| // Cache is just a map being used as a cache. | ||
| type Cache struct { | ||
|
Contributor
I wonder if the Cache doesn't need a mutex? Is it always called only from a single goroutine? If yes, then it's fine.
|
||
| hashMap map[uint64]Cacheable | ||
| } | ||
|
|
||
| // Cacheable is the interface items stored in Cache need to implement. | ||
| type Cacheable interface { | ||
| Hash() uint64 | ||
| } | ||
|
|
||
| // New creates a new cache. | ||
| func New() *Cache { | ||
| return &Cache{ | ||
| hashMap: make(map[uint64]Cacheable), | ||
| } | ||
| } | ||
|
|
||
| // IsEmpty checks if the cache is empty. | ||
| func (cache *Cache) IsEmpty() bool { | ||
| return len(cache.hashMap) == 0 | ||
| } | ||
|
|
||
| // DiffAndUpdateCache takes a list of new items to cache, compares them to the current | ||
| // cache contents, and returns both items new to the cache and items that are in the cache | ||
| // but missing in the new data. | ||
| func (cache *Cache) DiffAndUpdateCache(current []Cacheable) (new, missing []interface{}) { | ||
| // Check for and delete missing - what is no longer in current that was in the cache | ||
| for cacheKey, cacheValue := range cache.hashMap { | ||
| found := false | ||
| for _, currentValue := range current { | ||
| if currentValue.Hash() == cacheKey { | ||
| found = true | ||
| break | ||
| } | ||
| } | ||
|
|
||
| if !found { | ||
| missing = append(missing, cacheValue) | ||
| delete(cache.hashMap, cacheKey) | ||
| } | ||
| } | ||
|
Contributor
You appear to be doing an O(n^2) operation here (n before and after is roughly equal). Since the new state ( Then you can find "new" and "missing" result sets by:
Each of these loops is an O(n), and so is the work for building a map out of Note that you can check for presence by assigning to a second, optional var when searching the map: _, found := cache[key]
Contributor
Just wanted to loop back here. I won't push too hard on the O(n^2), since I'm a total Go noob, so I may be missing something in your code or in the Map initialization. But my computer currently runs 500-ish processes. This means each time it's comparing the new list of processes with the last state, it's doing a multiple of 250 000 operations (500^2) instead of doing a multiple of 500 operations... This may be irrelevant, since typically servers run way less stuff than workstations. So I just wanted to put that out there, but we can keep things as they are for now. This may be premature optimization.
|
||
|
|
||
| // Check for new - what is in current but not in cache | ||
| for _, currentValue := range current { | ||
| if _, contains := cache.hashMap[currentValue.Hash()]; !contains { | ||
| new = append(new, currentValue) | ||
| cache.hashMap[currentValue.Hash()] = currentValue | ||
| } | ||
| } | ||
|
|
||
| return | ||
| } | ||
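Review bot: Cache identifies entries by `Hash()` alone (`hashMap map[uint64]Cacheable`), so two items with the same hash are treated as the same item, and a change in a field that Hash() does not cover is never reported as new or missing. The doc comment on `Cacheable` should state that Hash() must cover every field whose change should be reported. In `DiffAndUpdateCache`, the named results `new, missing []interface{}` shadow the builtin `new` and force callers to type-assert; returning `[]Cacheable` under names such as `added, removed` avoids both. The second loop also calls `currentValue.Hash()` twice for each new item; compute it once into a local variable.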
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| // Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| // or more contributor license agreements. Licensed under the Elastic License; | ||
| // you may not use this file except in compliance with the Elastic License. | ||
|
|
||
| package cache | ||
|
|
||
| import ( | ||
| "testing" | ||
|
|
||
| "github.com/OneOfOne/xxhash" | ||
| "github.com/stretchr/testify/assert" | ||
| ) | ||
|
|
||
| type CacheTestItem struct { | ||
| s string | ||
| } | ||
|
|
||
| func (item CacheTestItem) Hash() uint64 { | ||
| h := xxhash.New64() | ||
| h.WriteString(item.s) | ||
| return h.Sum64() | ||
| } | ||
|
|
||
| func TestCache(t *testing.T) { | ||
| c := New() | ||
|
|
||
| assert.True(t, c.IsEmpty()) | ||
|
|
||
| oldItems := []Cacheable{ | ||
| CacheTestItem{"item1"}, | ||
| CacheTestItem{"item2"}, | ||
| } | ||
|
|
||
| newItems := []Cacheable{ | ||
| CacheTestItem{"item1"}, | ||
| CacheTestItem{"item3"}, | ||
| } | ||
|
|
||
| new, missing := c.DiffAndUpdateCache(oldItems) | ||
|
|
||
| assert.Equal(t, 2, len(new)) | ||
| assert.Equal(t, 0, len(missing)) | ||
| assert.False(t, c.IsEmpty()) | ||
|
|
||
| new, missing = c.DiffAndUpdateCache(newItems) | ||
|
|
||
| assert.Equal(t, 1, len(new)) | ||
| assert.Equal(t, 1, len(missing)) | ||
|
|
||
| new, missing = c.DiffAndUpdateCache([]Cacheable{}) | ||
|
|
||
| assert.Equal(t, 0, len(new)) | ||
| assert.Equal(t, 2, len(missing)) | ||
| assert.True(t, c.IsEmpty()) | ||
| } |
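Review bot: TestCache asserts only on `len(new)` and `len(missing)`, so it would still pass if DiffAndUpdateCache returned the wrong items. After the second call, also assert the contents, for example that `new` contains `CacheTestItem{"item3"}` and `missing` contains `CacheTestItem{"item2"}`, and after the third call that `missing` holds item1 and item3. A case where the input slice contains the same item twice would document how duplicates are reported.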
Curious: why is this metricbeat test being modified? `libbeat/tests/system/beat/beat.py` doesn't appear to have been modified in this PR...

Since Auditbeat with X-Pack is in its own `xpack/auditbeat` directory, `beat_path` needs to point to that. It was being overwritten since `AuditbeatXPackTest` in `auditbeat_xpack.py` ultimately extends `BaseTest` from `metricbeat.py`.