[Packetbeat] Refactor packetbeat for use with Elastic Agent #22134
Conversation
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
added
needs_team
|
Pinging @elastic/ingest-management (Team:Ingest Management) |
botelastic
bot
removed
the
needs_team
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
There was a problem hiding this comment.
We must decide, if packetbeat should be packaged by default or not. @ph @mostlyjason
andrewstucki
force-pushed
the
packetbeat-config-rebase
branch
from
67fdce1
to
c18fed9
Compare
andrewstucki
changed the title
|
Would it be possible to support In general, I think this PR is update to the team to get reviewed and merged as it does not tackle Agent yet, thanks for taking it out. |
|
@ruflin quick question about that--right now the agent configuration files do a lot more than just moving some keys around. That includes:
having the I stripped out any additions to the transpiler that would have been required to massage this into standard packetbeat configuration, but I would think that any of the above would likely be beyond the scope of getting packetbeat functioning with agent. So, just want to clarify--just want me to un-nest |
Just checked our telemetry and packetbeat is used by a small percentage of clusters. Would save a lot of bandwidth if it was downloaded on demand. This requires an internet connection or proxy though. |
|
For the config and inputs: My favorite solution would be that Elastic Agent just forwards the policy to packetbeat and packetbeat adds all the processors and data needed. The processors are to add important fields but packetbeat actually exactly knows which fields have to be added without Agent sending it. It would be nice if you could check on your end, how big the effort would be to directly go this step. This is what we do with apm-server and plan to also do for filebeat / metricbeat. If we don't go this step directly, we need to migrate to it at one stage. Perhaps you can provide some examples on what config is put into the agent and what the config looks like when sent to packetbeat as yaml here. This could simplify the discussion and making sure we talk about exactly the same thing. |
|
Ok, so I wound up going and swapping the configuration to what I mentioned here #22227 (comment) The changes involve some additional normalization code to inject processors into each stream. On the plus side, the reloading code becomes much simpler since it just wraps
A demo package I've been using to test all of this stuff is here: andrewstucki/integrations@28455c5 @ruflin this approach pretty much completely removes all transpiler rules in the packetbeat spec apart from filtering and injecting agent version information (see updated #22145). We'll still need to figure out how to inject additional configuration at the UPDATE: Added support for up to 100 sniffers/integrations, appears to work like a charm with minimal configuration. The thought would be then that we could use the above format for integrating packetbeat with whatever package we want. For example, MySQL could have a |
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
|
@andrewstucki Read your comment above last after going through all the other comments 🤦♂️ We should probably have all the config discussions in a single place :-) Great to hear you solved the sniffer limitation issue. How do we get all the conversations into a single place and can drive it there to a conclusion? |
|
@ruflin I'm fine with doing the rest of the config discussion here and using the added unit test file The issue I created and linked to (#22227) is still valid though and can be a follow up to the initial implementation, as there's still work to be done to figure out how to configure shared, sniffer-specific options. |
| return nil, err | ||
| } | ||
|
|
||
| watcher := procs.ProcessesWatcher{} |
There was a problem hiding this comment.
Would the process watcher be something that benefits from being shared across each processor?
There was a problem hiding this comment.
So the process watcher has traditionally been a global. I more or less kept it that way--making it a singleton for the entirety of the agent-level "input" (meaning 1 sniffer + 1 process watcher). I would imagine eventually we could potentially scope this based on a protocol-by-protocol basis (moving from "input" level, to "stream" level), but we'd probably need to see if that had a performance impact.
In general I tried to keep the traditionally global configuration options scoped to a single input run (1 sniffer, etc.) to make things a bit more flexible for the future and avoid introducing three different levels of configuration (global, input-level, stream-level) when configured via agent. Instead we just have input-level and stream-level, so nothing is shared across multiple inputs.
Hope that answers the question/makes sense.
…22134) * Refactor packetbeat to support agent-based configuration * Add documentation changes and a Changelog entry * Update reference template * Fix funny merge * Incorporate feedback * use streams instead of inputs * support multiple sniffers * fix shutdown_timeout behavior (cherry picked from commit 8c05a41)
…ith Elastic Agent (#22546) * [Packetbeat] Refactor packetbeat for use with Elastic Agent (#22134) * Refactor packetbeat to support agent-based configuration * Add documentation changes and a Changelog entry * Update reference template * Fix funny merge * Incorporate feedback * use streams instead of inputs * support multiple sniffers * fix shutdown_timeout behavior (cherry picked from commit 8c05a41) * Fix up changelog
What does this PR do?
This PR refactors packetbeat to support for agent-based configuration. In order to facilitate control by agent, it does a few things:
packetbeat.inputsare provided.Follow ups
We'll likely want to do a few things in the future, I can create issues if we want:
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Related issues