
[Elastic Agent] Enable log shipping of endpoint-security by Elastic Agent #22526

Merged: 5 commits from the agent-log-endpoint branch into elastic:master on Nov 11, 2020

Conversation

@blakerouse (Contributor) commented Nov 10, 2020

What does this PR do?

Starts shipping the logs of endpoint-security to Elasticsearch.

This also refactors the code some to pass the program.Spec around instead of needing to keep checking for it from the SupportedMap. This is how the code path determines the endpoint-security log paths.

Why is it important?

So all log information from an Elastic Agent running endpoint-security can be observed.

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding changes to the default configuration files
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

Build the Elastic Agent with endpoint-security manually placed in the download folder. Enable Endpoint Security in Fleet and notice that all the Endpoint Security logs show up with event.dataset: elastic_agent.endpoint-security

Related issues

@blakerouse blakerouse self-assigned this Nov 10, 2020
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Nov 10, 2020
@blakerouse blakerouse marked this pull request as ready for review November 10, 2020 18:48
@elasticmachine (Collaborator)

Pinging @elastic/ingest-management (Team:Ingest Management)

@elasticmachine (Collaborator) commented Nov 10, 2020

💚 Build Succeeded
Build stats

  • Build Cause: [Pull request #22526 updated]

  • Start Time: 2020-11-11T14:47:29.245+0000

  • Duration: 23 min 27 sec

Test stats 🧪

  • Failed: 0
  • Passed: 1396
  • Skipped: 4
  • Total: 1400

@elasticmachine (Collaborator)

💚 Flaky test report

Tests succeeded.

@ph (Contributor) commented Nov 11, 2020

@blakerouse do we have everything we need in the data sent from endpoint to make sure we can display the log of the endpoint in the logstream UI made by @jen-huang?

@blakerouse (Contributor, Author)

@ph Yes, it included the agent ID in the events so the LogStream component can show these logs.

@ph ph added the review label Nov 11, 2020
@michalpristas (Contributor) left a comment

I like the change; it will probably make future changes simpler.
I left a few comments, but they are related to segmented imports. Nothing critical.

Review comments (resolved) on x-pack/elastic-agent/pkg/agent/operation/operator.go and x-pack/elastic-agent/pkg/core/plugin/process/app.go
@blakerouse blakerouse merged commit 4c2c647 into elastic:master Nov 11, 2020
@blakerouse blakerouse deleted the agent-log-endpoint branch November 11, 2020 16:12
blakerouse added a commit to blakerouse/beats that referenced this pull request Nov 11, 2020
…gent (elastic#22526)

* Refactor to pass program.Spec around so custom log paths can be defined in a program spec.

* Fix code.

* Fix formatting.

* Add changelog.

* Fixes from code review.

(cherry picked from commit 4c2c647)
@ph (Contributor) commented Nov 11, 2020

@blakerouse Can you add details on the following for testing that change:

AC:

  • When the endpoint integration is installed and running.
  • Endpoint will write logs at:
    darwin: "/Library/Elastic/Endpoint/state/log/endpoint-*.log"
    linux: "/opt/Elastic/Endpoint/state/log/endpoint-*.log"
    windows: "C:\Program Files\Elastic\Endpoint\state\log\endpoint-*.log"
  • Endpoint log events will be sent to the datastream XXXX
  • The events will show up in the Logs UI. Easiest to filter by event.dataset: elastic_agent.endpoint-security

FYI @EricDavisX

@blakerouse (Contributor, Author)

Shouldn't really need to worry about the log location, well, unless it doesn't work ;-)

> The events will show up in the Logs UI. Easiest to filter by event.dataset: elastic_agent.endpoint-security

@ph (Contributor) commented Nov 11, 2020

@blakerouse but they are sent to a distinct datastream, right?

@blakerouse (Contributor, Author)

@ph Yes, it should be similar to the dataset name logs-elastic_agent-endpoint-security-default.

@EricDavisX (Contributor)

The PR and the issue are closed (which is ok!), so I've logged a test tracking issue for any remaining discussion questions about test coverage: #22549

@ph (Contributor) commented Nov 11, 2020

@blakerouse We can't use logs-elastic_agent-endpoint-security-default; this will cause issues when we are extracting dataset and namespace. I will create an issue. I think the other datastreams are problematic too.
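The problem ph raises comes from the Elastic data stream naming scheme, which joins the three components as "<type>-<dataset>-<namespace>" with hyphens: once the dataset itself contains a hyphen, as elastic_agent.endpoint-security does, the name logs-elastic_agent-endpoint-security-default no longer splits back into its parts unambiguously. The Go program below is an added example written for this page, not Elastic Agent or Beats code. ParseStrict follows the scheme literally and fails loudly on the thread's name; ParseLenient is the workaround one might reach for (type before the first hyphen, namespace after the last) and shows how it silently misattributes fields once a namespace also contains a hyphen; StreamName refuses to build a name from components that would break the split. The hyphen-free dataset elastic_agent.endpoint_security and the prod-us namespace in the sample input are constructed values for illustration, not names taken from the PR or its follow-up issue.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DataStream is one data stream name broken into the three components of
// the "<type>-<dataset>-<namespace>" naming scheme.
type DataStream struct {
	Type      string
	Dataset   string
	Namespace string
}

// ErrBadName is returned when a name cannot be split into exactly three fields.
var ErrBadName = errors.New("data stream name must be <type>-<dataset>-<namespace>")

// ParseStrict splits on every hyphen and insists on exactly three fields.
// A hyphen inside the dataset (or namespace) makes the split fail loudly,
// which is the behaviour you want from the component that extracts them.
func ParseStrict(name string) (DataStream, error) {
	parts := strings.Split(name, "-")
	if len(parts) != 3 {
		return DataStream{}, fmt.Errorf("%w: %q has %d fields", ErrBadName, name, len(parts))
	}
	return DataStream{Type: parts[0], Dataset: parts[1], Namespace: parts[2]}, nil
}

// ParseLenient takes the type from before the first hyphen and the namespace
// from after the last one, leaving everything in between as the dataset.
// It appears to tolerate a hyphenated dataset, but as soon as the namespace
// also contains a hyphen the boundary is ambiguous and the result is wrong
// without any error being raised.
func ParseLenient(name string) (DataStream, error) {
	first := strings.Index(name, "-")
	last := strings.LastIndex(name, "-")
	if first < 0 || last == first {
		return DataStream{}, fmt.Errorf("%w: %q", ErrBadName, name)
	}
	return DataStream{
		Type:      name[:first],
		Dataset:   name[first+1 : last],
		Namespace: name[last+1:],
	}, nil
}

// ValidateComponent rejects a type, dataset or namespace value that would
// collide with the hyphen separator. '.' and '_' are fine because they are
// never used to separate fields.
func ValidateComponent(kind, value string) error {
	if value == "" {
		return fmt.Errorf("%s must not be empty", kind)
	}
	if strings.Contains(value, "-") {
		return fmt.Errorf("%s %q must not contain '-'", kind, value)
	}
	return nil
}

// StreamName builds "<type>-<dataset>-<namespace>" only from components that
// pass ValidateComponent, so the result always round-trips through ParseStrict.
func StreamName(typ, dataset, namespace string) (string, error) {
	for _, c := range []struct{ kind, value string }{
		{"type", typ}, {"dataset", dataset}, {"namespace", namespace},
	} {
		if err := ValidateComponent(c.kind, c.value); err != nil {
			return "", err
		}
	}
	return typ + "-" + dataset + "-" + namespace, nil
}

func main() {
	names := []string{
		"logs-elastic_agent-endpoint-security-default", // the name quoted in the thread
		"logs-elastic_agent-endpoint-security-prod-us", // constructed: a namespace that also contains '-'
		"logs-elastic_agent.endpoint_security-default", // constructed alternative with no '-' in the dataset
	}
	for _, n := range names {
		strict, err := ParseStrict(n)
		lenient, _ := ParseLenient(n)
		fmt.Printf("%s\n  strict:  %+v err=%v\n  lenient: %+v\n", n, strict, err, lenient)
	}
	// The dataset used in event.dataset cannot be placed in a stream name as-is.
	if _, err := StreamName("logs", "elastic_agent.endpoint-security", "default"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The lenient parser is the trap: on the thread's own name it returns the expected dataset and namespace, so a quick manual test passes, and it only goes wrong once someone deploys with a hyphenated namespace. Validating the components at the point where the name is built, as StreamName does, keeps the strict parser sufficient everywhere the name is later consumed.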

@ph (Contributor) commented Nov 11, 2020

Created this issue as a follow-up: #22551

blakerouse added a commit that referenced this pull request Nov 16, 2020
…gent (#22526) (#22547)

* Refactor to pass program.Spec around so custom log paths can be defined in a program spec.

* Fix code.

* Fix formatting.

* Add changelog.

* Fixes from code review.

(cherry picked from commit 4c2c647)
Successfully merging this pull request may close these issues.

[Elastic Agent] Allow the agent to collect and send the log of endpoint.
5 participants