Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

system/socket: Allow running multiple instances by grouping kprobes by PID #20325

Merged
merged 1 commit into from
Jul 30, 2020
Merged

system/socket: Allow running multiple instances by grouping kprobes by PID #20325

merged 1 commit into from
Jul 30, 2020

Conversation

adriansr
Copy link
Contributor

@adriansr adriansr commented Jul 29, 2020
edited
Loading

What does this PR do?

This updates the system/socket dataset to group installed kprobes by PID instead of using a generic auditbeat group.

This allows multiple instances of Auditbeat to run with the system/socket dataset enabled (default) avoiding collision of kprobes.

Why is it important?

Currently is not possible to run more than one Auditbeat instance under Linux due to kprobes colliding.

Checklist

I've tested this in Ubuntu 18.04 / kernel 4.15 and it can run multiple instances without trouble.

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Closes #20303

@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID
5792f73 
This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.
@adriansr adriansr requested a review from a team as a code owner July 29, 2020 17:29
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jul 29, 2020
@adriansr adriansr mentioned this pull request Jul 29, 2020
Closed
@elasticmachine
Copy link
Collaborator

elasticmachine commented Jul 29, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #20325 updated]

  • Start Time: 2020-07-30T08:52:33.977+0000

  • Duration: 59 min 38 sec

Test stats 🧪

Test Results
Failed 0
Passed 230
Skipped 49
Total 279

marc-gr
marc-gr approved these changes Jul 30, 2020
View reviewed changes
Copy link
Contributor

@marc-gr marc-gr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, not sure if there is an easy way (or is worth it) to have an integration test for this though? mostly to prevent a regression

andrewkroh
andrewkroh approved these changes Jul 30, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great! No more conflicts.

@andrewkroh andrewkroh added the needs_backport PR is waiting to be backported to other branches. label Jul 30, 2020
@adriansr adriansr merged commit 2abf87f into elastic:master Jul 30, 2020
adriansr added a commit to adriansr/beats that referenced this pull request Jul 30, 2020
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (elast…
6964158 
…ic#20325)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 2abf87f)
@adriansr adriansr mentioned this pull request Jul 30, 2020
Merged
3 tasks
@adriansr adriansr added v7.10.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jul 30, 2020
adriansr added a commit to adriansr/beats that referenced this pull request Jul 30, 2020
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (elast…
bcb6cc2 
…ic#20325)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 2abf87f)
@adriansr adriansr mentioned this pull request Jul 30, 2020
Merged
3 tasks
adriansr added a commit to adriansr/beats that referenced this pull request Jul 30, 2020
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (elast…
3879971 
…ic#20325)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 2abf87f)
@adriansr adriansr mentioned this pull request Jul 30, 2020
Merged
3 tasks
v1v added a commit to v1v/beats that referenced this pull request Jul 30, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into feature/ci-pipeli…
ac360da 
…ne-2.0

* upstream/master:
  [Elastic Agent] Add skeleton for client/server for agent control protocol (elastic#20163)
  Auditbeat: Allow multiple instances by grouping kprobes by PID (elastic#20325)
  [Filebeat][Fortinet] Remove pre populated event.timezone (elastic#20273)
v1v added a commit to v1v/beats that referenced this pull request Jul 31, 2020
@v1v
Merge remote-tracking branch 'upstream/master' into fix/ci-tools-inst…
8f9d230 
…allation

* upstream/master:
  Check expand_event_list_from_field when json in map[string]interface{} format (elastic#20370)
  [docs] Remove deprecated security roles (elastic#20162)
  Modify doc in app_insights metricset (elastic#20185)
  [Elastic Agent] Add skeleton for client/server for agent control protocol (elastic#20163)
  Auditbeat: Allow multiple instances by grouping kprobes by PID (elastic#20325)
  [Filebeat][Fortinet] Remove pre populated event.timezone (elastic#20273)
  Add an explicit system test for processes on unix systems (elastic#20320)
adriansr added a commit that referenced this pull request Jul 31, 2020
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (#20325)…
1cacf43 
… (#20353)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 2abf87f)
adriansr added a commit that referenced this pull request Jul 31, 2020
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (#20325)…
3e9fa6b 
… (#20354)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 2abf87f)
adriansr added a commit that referenced this pull request Aug 3, 2020
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (#20325)…
19c961b 
… (#20355)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 2abf87f)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@adriansr @melchiormoulin
Auditbeat: Allow multiple instances by grouping kprobes by PID (elast…
481b3ad 
…ic#20325)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.
@adriansr adriansr mentioned this pull request May 5, 2021
Closed
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (elast…
5ab2c79 
…ic#20325) (elastic#20354)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 30de776)
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
@adriansr
Auditbeat: Allow multiple instances by grouping kprobes by PID (elast…
c248d8f 
…ic#20325) (elastic#20355)

This updates the system/socket dataset to group installed kprobes by
PID instead of using a generic `auditbeat` group.

This allows multiple instances of Auditbeat to run with the
system/socket dataset enabled (default) avoiding collision of kprobes.

(cherry picked from commit 30de776)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marc-gr marc-gr marc-gr approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
Auditbeat bug review v7.8.2 v7.9.0 v7.10.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Auditbeat][test failures] master branch got some test failures for the last few days
4 participants
@adriansr @elasticmachine @andrewkroh @marc-gr