[Auditbeat] Update host metricset #9421
Conversation
|
Pinging @elastic/secops |
| mapstr.Delete("uptime") | ||
| mapstr.Delete("boottime") | ||
| h.WriteString(host.info.Timezone) | ||
| h.WriteString(strconv.Itoa(host.info.TimezoneOffsetSec)) |
There was a problem hiding this comment.
Rather than converting the number to a string (which requires allocation) I think you can use
binary.Write(h, binary.BigEndian, int32(host.Info.TimezoneOffsetSec))
which will write the bytes directly into the hash. It should not fallback to reflection if you cast from int to int32 (or any sized integer type).
There was a problem hiding this comment.
Makes sense. Does it matter if it writes big-endian or little-endian? I see us using both quite heavily in the Beats code.
There was a problem hiding this comment.
Endian doesn’t matter. It only matters that it’s hard-coded so that the hash doesn’t change between architectures.
| "github.com/elastic/go-sysinfo" | ||
| "github.com/elastic/go-sysinfo/types" | ||
| ) | ||
|
|
||
| const ( | ||
| moduleName = "system" | ||
| metricsetName = "host" |
There was a problem hiding this comment.
@andrewkroh @tsg Should this be audit.host?
There was a problem hiding this comment.
I'm planning to rename the module in a separate PR.
There was a problem hiding this comment.
Got it, so the module name will be system.audit?
There was a problem hiding this comment.
I was planning to namespace the fields only:
func init() {
mb.Registry.MustAddMetricSet(moduleName, metricsetName, New,
mb.DefaultMetricSet(),
mb.WithNamespace("system.audit")
)
}
There was a problem hiding this comment.
With #9393 it will become important that event.dataset is unique, meaning it should be system.audit.process here. Let's see what tricks we can apply here.
There was a problem hiding this comment.
+1 on getting the PR in and then as soon as #9393 is also merged, will figure it out.
There was a problem hiding this comment.
I see how having data from two different metricsets having the same event.dataset can be confusing. But I don't think that is different from having the same event.module and event.metricset.
Still, I could see value in having unique dataset names. Who knows, maybe sometime in the future we might have only datasets, and no more modules/metricsets.
I opened #9499 for namespacing the system module, we can discuss any changes there.
Updates the `host` metricset to be in line with the other metricsets in the `system` module: 1. Adds regular state reporting based on `state.period`/`host.state.period` 2. Persists state between restarts in `beat.db` 3. Detects changes in host information 4. Changes to using `system.host.ip`/`system.host.mac` instead of `system.host.network.interfaces`
Similar to #9139, this updates the
hostmetricset to be in line with the other metricsets in thesystemmodule.High-level changes:
state.period/host.state.periodbeat.dbevent.action:3.1
host_id_changed(whensystem.host.idchanges)3.2
reboot(whensystem.host.boottimechanges)3.3
host_changed(for all other changes, e.g. hostname, IPs)system.host.ip/system.host.macinstead ofsystem.host.network.interfaces- theadd_host_metadataprocessor reports IPs and MACs only, too, and I don't see value at the moment of reporting the full network information. We can always add it later.In contrast to the other metricsets, this one maintains its own
system.hostnamespace instead of using the top-levelhost. This is becausehostis filled by theadd_host_metadataprocessor. The processor uses cached values, and so a change event would be accompanied by unchanged data.