x-pack/filebeat/input/etw: New input #36915
I tested manually with this config and it was working. I noticed some of the debug messages were not clear, so I have made some suggestions that can be addressed in a follow-up PR. I also think the input's `Run` func can be cleaned up a bit by using `sync.OnceFunc` and `golang.org/x/sync/errgroup`.

```yaml
- type: etw
  provider.name: Microsoft-Windows-DNS-Client
```
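A sketch of what that cleanup could look like, added here as an example and not code from the PR: `Run` wraps the session's `Close` in `sync.OnceFunc` so it runs exactly once whether the consumer fails, finishes, or the input is stopped, and joins the consumer goroutine through an errgroup-style group before reporting its error. `errgroup` lives outside the standard library, so a few-line stand-in with the same `Go`/`Wait` shape is used here; `Session` and `consume` are assumed names.

```go
package main

import (
	"context"
	"fmt"
	"sync"
)

type Session struct{ Closes int } // stands in for the ETW session (assumed type)
func (s *Session) Close() { s.Closes++ }

type group struct { // minimal stdlib stand-in for errgroup.Group: first error wins
	wg   sync.WaitGroup
	once sync.Once
	err  error
}

func (g *group) Go(f func() error) {
	g.wg.Add(1)
	go func() {
		defer g.wg.Done()
		if err := f(); err != nil {
			g.once.Do(func() { g.err = err })
		}
	}()
}
func (g *group) Wait() error { g.wg.Wait(); return g.err }

// Run starts the consumer and returns once it exits or ctx is cancelled; the
// session is closed exactly once on every path, and the goroutine is joined first.
func Run(ctx context.Context, s *Session, consume func(context.Context) error) error {
	closeSession := sync.OnceFunc(s.Close)
	defer closeSession() // covers early returns and the normal exit
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	var g group
	g.Go(func() error {
		defer cancel() // consumer exit also wakes the waiter below
		return consume(ctx)
	})
	<-ctx.Done()   // input stopped, or the consumer finished/failed
	closeSession() // closing the session unblocks a consumer stuck in ETW
	return g.Wait()
}

func main() {
	s := &Session{}
	err := Run(context.Background(), s, func(context.Context) error { return fmt.Errorf("boom") })
	fmt.Println(s.Closes, err) // 1 boom
}
```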
```go
			errChan <- fmt.Errorf("failed to start consumer: %w", err) // Send error to channel
			return
		}
		e.log.Debug("stopped to read ETW events from session")
```
This message is confusing to me. I think it's just telling that the consumer stopped.
Suggested change:

```diff
-e.log.Debug("stopped to read ETW events from session")
+e.log.Debug("ETW consumer stopped")
```
```go
		return 1
	}

	e.log.Debugf("received event %d with length %d", record.EventHeader.EventDescriptor.Id, record.UserDataLength)
```
Some context about the parameters is missing IMO.
Suggested change:

```diff
-e.log.Debugf("received event %d with length %d", record.EventHeader.EventDescriptor.Id, record.UserDataLength)
+e.log.Debugf("received event with ID %d and user-data length %d", record.EventHeader.EventDescriptor.Id, record.UserDataLength)
```
PR to skip the unrelated flaky test: #37988
We are not blocked by Buildkite failures, but I did open #37998 for the failing filestream input test.

Use errgroup to wait on the ETW consumer routine. Use sync.OnceFunc to wrap the Close() func for the ETW session. Clarify a few log messages (follow-up to #36915):
- #36915 (comment)
- #36915 (comment)

following - case no. 01567791
Description
This pull request adds a new Filebeat input to collect ETW events. It is the second stage of #36914 where the ETW reader is added to Libbeat.
The ETW input provides support to Filebeat to collect ETW events and publish them in JSON format. Available configuration options are:
- `file`
- `provider.name`
- `provider.guid`
- `session_name`
- `trace_level`
- `match_any_keyword`
- `match_all_keyword`
- `session`
How to use these options is detailed in the docs file for the input.
Checklist
- `CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`

Author's Checklist
How to test this PR locally
The following steps can be followed to test the input locally:

Prepare environment

In case we want to test the collection of DNS Server analytical logs, the next steps should be followed; otherwise the test can be done with a current provider.
Build Filebeat
In my case, it is built from macOS by running `GOOS=windows GOARCH=amd64 mage build`. Then move the binary `filebeat.exe` and the config file `filebeat.yml` to the Windows host.

Configure the input

To configure the input, follow the examples provided in the input doc file included in this PR. For instance, to collect DNS Server analytical logs add the following configuration:
To simplify the testing I also configure the console output:
Run Filebeat
Execute `.\filebeat.exe -e` to start collecting ETW logs. If a provider were configured, a new session should be created, which can be queried by running `logman query -ets`. That session should be closed once Filebeat is stopped.

You can also configure the input to read from a different provider, an existing session or a log file. See the doc file to apply the proper configuration for these cases.
Related issues
Logs
An ETW record delivered by the input looks like:
Some info and debug logs during the input execution: