[Auditbeat] Memory leak in 7.5.2

[andrewstucki]

What does this PR do?

1. Adds cache timeout policies for sockets, processes, and the short-term thread cache for tracing kprobe call/return pairs.
2. Refactors a lot of the auditbeat code so it's a bit more ergonomic.

Why is it important?

Without the timeout-based cache eviction, we're leaking memory.

Checklist

• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works

Related issues

• Closes [Auditbeat] Memory leak in 7.5.2 #16877

Original Issue at: https://discuss.elastic.co/t/auditbeat-memory-leak-in-7-5-2/218335

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[adriansr]

Looking good, but there's some issues.

I'm also worried about process expiration. Expiring a socket or flow is not an issue because further traffic will just re-create them. The worst that can happen is to have a network flow split in two output events.

But with processes, once they expire they won't be recreated and we lose the ability to enrich flows with process information. So for example any process that doesn't perform network i/o for 30s will not be detected.

Given that PIDs, unlike socket pointers, are reused, if they're not expired the cache will max out at whatever the system limit is (/proc/sys/kernel/pid_max seems to default at 32768). So I think maybe it's safe to not expire processes, WDYT?

[adriansr]

This is setting the socket timeout to 2*inactiveTimeout, which is config.FlowInactiveTimeout, but at config.go says that InactiveTimeout is used for both sockets and processes.

[adriansr]

All public declarations should have a comment starting with the type/function/variable name:

// Endpoint blah blah.

We have a bot that reviews all this automatically, seems that it's been broken for some weeks now.

[adriansr]

It seems that during the refactor the logic in here was messed up. The second call to validIPv4Headers below should only happen if the first call returns false. It's a workaround for the case where e.IPHdr/e.UDPHdr are (the lowest 16bit) of pointers instead of indices inside e.Packet.

[adriansr]

Also, it needs an entry in CHANGELOG.next.asciidoc and a rebase to pass CI.

[andrewstucki]

rebased from #17500

[botelastic]

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

[botelastic]

Hi!
This PR has been stale for a while and we're going to close it as part of our cleanup procedure.
We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team.
Feel free to re-open this PR if you think it should stay open and is worth rebasing.
Thank you for your contribution!