Migrate system socket fields metricset to ECS #10339
Conversation
jsoriano
added
module
review
Metricbeat
There was a problem hiding this comment.
Love where this is going. Left a few comments. Some small things to change.
One of my biggest hopes in life (with regards to this module) would be to get one data.json file for each state we can observe... Hoping the tooling we have for this file allows for this? :-)
| "user": { | ||
| "id": 1000, | ||
| "name": "Jaime Soriano Pastor" | ||
| "cmdline": "/tmp/go-build661675341/b001/socket.test -data" |
There was a problem hiding this comment.
Are you getting rid of system.socket.local.port?
I agree with keeping system.socket.process.cmdline around, since there's no direct match to it in ECS.
There was a problem hiding this comment.
Do you have a data file for incoming or outgoing? Wanted to see the different stats there. You have incoming/outgoing bytes/packets on them, right?
There was a problem hiding this comment.
It's kind of odd to keep this here. Could we come up with a name that is not in ECS but still put it under the top level process?
There was a problem hiding this comment.
Are you getting rid of system.socket.local.port?
It is moved in this case to server.port as it is a listening socket.
Do you have a data file for incoming or outgoing? Wanted to see the different stats there. You have incoming/outgoing bytes/packets on them, right?
I will try to generate one data.json for each case.
Regarding bytes/packets, I think we don't have this information at this level. I'll take a look but we may need to explicitly enable collection and we would end-up in packetbeat lands. In any case we weren't collecting this before here, we can leave this for a possible future enhancement.
It's kind of odd to keep this here. Could we come up with a name that is not in ECS but still put it under the top level process?
Regarding cmdline, I kept it as is for backwards compatibility, also in the process metricset. I was thinking on removing it because on linux we are just joining args, what is not always accurate, and now we also collect args. But on windows there is a cmdline value in the processes objects.
Maybe cmdline should be in process.cmdline in ECS, and we should rethink how we collect it on Linux.
| } | ||
|
|
||
| if c.RemotePort != 0 { | ||
| // Aliases for this are not going to be possible, keeping | ||
| // duplicated fields by now for backwards comatibility |
There was a problem hiding this comment.
Why? Do other datasets use it?
There was a problem hiding this comment.
I think we should keep BC at least for a time if we cannot offer an alternative with aliases.
There was a problem hiding this comment.
Right, the local/remote pair. Gotcha.
There was a problem hiding this comment.
Btw, one advantage of local/remote vs source/destination is that you know that local refers to local resources. You can also obtain this info from source/destination, but you need to check direction to know which one is the local one.
| "ip": c.RemoteIP.String(), | ||
| "port": c.RemotePort, | ||
| } | ||
| } |
There was a problem hiding this comment.
This made me think to outline the exact mapping I would like to see, in terms of address/ip for the 3 possible states we can observe.
Also made me realize that ECS currently doesn't support sockets that well (noted for later) :-)
listening
- local.ip => server.ip
- local.port => server.port
incoming
- local.ip => server.ip
- local.port => server.port
- remote.ip => client.ip
- remote.port => client.port
outgoing
- local.ip => client.ip
- local.port => client.port
- remote.ip => server.ip
- remote.port => server.port
There was a problem hiding this comment.
For listening I think we can be quite sure that this is a server, but for incoming/outgoing connections I am not sure we can assume this is a client-server protocol, source/destination doesn't assume protocols.
(Actually local/remote is the terminology used on Linux for this.)
There was a problem hiding this comment.
Yes, right now ECS defines the client/server and source/destination pairs. I think there's some contexts where local/remote would also be clearer.
If you're not comfortable using client/server in some of these situations, can you use source/destination? Note that ECS assumes that event sources fill in source/destination all of the time, and client/server only when it makes sense.
So in all the places where you have client/server, you should also duplicate these field sets to source/destination. src/dest are considered the "baseline" that you can always rely on being there.
There was a problem hiding this comment.
Yes, using source/destination now, and server only for listening sockets.
I still keep system.socket.local/remote becase we'd need N-N aliases for migration.
| @@ -1211,6 +1211,43 @@ | |||
|
|
|||
| ## Modules | |||
|
|
|||
| ### System | |||
|
|
|||
| - from: system.socket.direction | |||
There was a problem hiding this comment.
@simianhacker Could you see that and of the fields change in this file could have an effect on Infra UI?
| "user": { | ||
| "id": 1000, | ||
| "name": "Jaime Soriano Pastor" | ||
| "cmdline": "/tmp/go-build661675341/b001/socket.test -data" |
There was a problem hiding this comment.
It's kind of odd to keep this here. Could we come up with a name that is not in ECS but still put it under the top level process?
Add elastic#6958 also for V2 reporters. When destination path is not a directory, use it as file.
jsoriano
force-pushed
the
mb-system-socket-ecs
branch
from
1d44926 to
5027a5b
Compare
| @@ -77,29 +77,25 @@ func WriteEventsCond(f mb.EventsFetcher, t testing.TB, cond func(e common.MapStr | |||
| return fmt.Errorf("no events were generated") | |||
There was a problem hiding this comment.
Changes in this file moved to its own PR #10367
There was a problem hiding this comment.
Thanks for doing the work to have more than one data.json. Super helpful here, and will no doubt be helpful in other places too :-)
Still a few details, only two small things which require changes:
- Resolve ambiguity around user name (see review)
- Please always populate source/destination.
Notes
- It's ok to populate client/server only when it makes sense (as long as src/dst are present)
- It's ok to keep local/remote around.
- No in/out metrics for the sockets: agree this is out of scope. Was only mentioning in case you already had it available.
- Ok with error.code. It's in line with current convention.
- I'd prefer keeping cmdline where it is. We don't have that defined in ECS, but
argsis extremely similar. I've taken a note to potentially add it to ECS in the future, but I don't think we should rush it for 7.0.- If opinions to move are strongly in favour, I could be convinced ;-)
| } | ||
|
|
||
| if c.RemotePort != 0 { | ||
| // Aliases for this are not going to be possible, keeping | ||
| // duplicated fields by now for backwards comatibility |
There was a problem hiding this comment.
Right, the local/remote pair. Gotcha.
There was a problem hiding this comment.
Test failures are legit: this test file needs to be adjusted for the Inbound/Outbound value renames.
After this, I think we're good.
Thanks for filling out source and destination, and for resolving the name ambiguity 👍
|
Ouch 🤦♂️ variable names in test fixed. |
jsoriano
force-pushed
the
mb-system-socket-ecs
branch
from
456b146 to
c2bdef3
Compare
|
Waiting for #10516 to update and retest this |
|
CI failures not related, merging. |
Removes `ecsDirectionString()` from the Auditbeat `socket` dataset following #10339.
No description provided.