New windows service metricset

[martinscholz83]

As discussed in #5256, i created a new metricset to collect information about windows services.
To do

• uptime for services

[elasticmachine]

Can one of the admins verify this patch?

[martinscholz83]

@andrewkroh, currently i find no way to open the processes to get the uptime without to run as administrator or give the current user SeDebugPrivileges. Even with PROCESS_QUERY_LIMITED_INFORMATION i can't call OpenProcess. Do you have any other ideas?

[andrewkroh]

Looks like you are off to a good start. I left comments and will take a closer look after you do some more cleanup and refactoring. Some tests would be helpful too.

[andrewkroh]

Rather than duplicating this can you move it up a level and share it between both metricsets.

[andrewkroh]

If it's not used it should be removed.

[andrewkroh]

It seems to be conventional in Go to put the error check on the immediately following line. Please remove the newline separator.

[andrewkroh]

Please don't start methods with a newline. We try to not do this in Beats (with one exception for functions where the params span multiple lines).

[andrewkroh]

All github.com/elastic imports should be in the third group (it goes stdlib, third-party, elastic).

[andrewkroh]

Writing sizeof instead of sizeOf is most common (b/c that's the name of the C operator that generates the value).

[andrewkroh]

This function is quite long. I recommend breaking some of the pieces into smaller functions then calling those from this function.

[andrewkroh]

It's definitely better now, but it still scores a 13 by gocyclo (<= 10 is what I would aim for). Can you see if you can do a bit more refactoring to this method. Thanks

[andrewkroh]

This is what the system process metricset does so you can reuses the same code. See ProcTime.Get() in elastic/gosigar. They system module has logic for attempting to enable the SeDebugPrivilege. We'll need to figure out how to reuse code and only activate it once. But if the system module is used along side this metricset it should work (assuming the appropriate privs exist).

[martinscholz83]

What about to move the logic from system_windows.go into a helper class ...\metricebeat\helper\windows.go?

[andrewkroh]

This probably shouldn't hard fail on a permission issue. I think it would be better to gracefully degrade such that the uptime info isn't available.

[andrewkroh]

Nice progress.

What about to move the logic from system_windows.go into a helper class ...\metricebeat\helper\windows.go?

Yeah, but how about privileges_windows.go. I think the helper function should have some kind of logic such that only the first call does any real work. This way if both the system module and the windows-services metricset are used that this code only runs once.

There's a metricbeat/debug file in your PR that looks to have been accidentally added. Can you please remove that.

[andrewkroh]

Unused?

[martinscholz83]

You are right. I delete this one

[andrewkroh]

Unused?

[andrewkroh]

I recommend encapsulating the logic for the uptime calculation into this helper function. I would change the return params to be (time.Duration, error).

[martinscholz83]

You mean privileges_windows.go? Or should we create another helper function.
Sorry. I misunderstood you 🙈

[andrewkroh]

It's definitely better now, but it still scores a 13 by gocyclo (<= 10 is what I would aim for). Can you see if you can do a bit more refactoring to this method. Thanks

[andrewkroh]

What are the units for this? I would embed them into the field name like uptime.ms. (This needs to be a nested object rather than a field name containing a dot.)

[andrewkroh]

Can you please update this to include all of the fields being sent.

For an example of how to use a field formatter for the uptime field see ./metricbeat/module/system/uptime/_meta/fields.yml. This will cause the uptime field to be rendered nicely in Kibana (like "2 days").

[andrewkroh]

Can you add a TestData function (example) to the package that will generate this file when you run go test -data . from within this package's directory.

[martinscholz83]

I think the helper function should have some kind of logic such that only the first call does any real work.

You mean some simple bool if the check has already run?

[andrewkroh]

Looks good. I think it needs only a few more things

• make update - To regenerate the docs.
• make fmt - To fix the imports. Then you probably need to manually fix things to ensure they are grouped as stdlib, third-party, then elastic.

[andrewkroh]

You mean some simple bool if the check has already run?

I'm thinking this should be checkAndEnableSeDebugPrivilege() and a separate method named CheckAndEnableSeDebugPrivilege exists that calls checkAndEnableSeDebugPrivilege() only once by using sync.Once.

This way only the system module or the windows module will do the initialization, but not both.

[andrewkroh]

I'm not sure if this is any more clear, but there is the time.Since() function for the purpose of calculating elapsed times.

uptime := time.Since(time.Unix(0, int64(processCreationTime.StartTime) * int64(time.Millisecond)))

[martinscholz83]

Thanks!

[andrewkroh]

Remove newline from beginning of method. (BTW I built a tool to find these called nonewlines.)

[andrewkroh]

Can you please remove the commented out code.

[martinscholz83]

In commit make fmt i removed in line 111 the -local switch from .../libbeat/scripts/Makefile because goimport doesn't know this switch. Can you confirm this?!

[andrewkroh]

goimports has a -local flags. Try updating go get -u golang.org/x/tools/cmd/goimports.

[andrewkroh]

Looks good. Almost there.

I recommend trying gometalinter. It helps me catch things in my code.

go get -u github.com/alecthomas/gometalinter
gometalinter --install
cd to/your/package/directory
gometalinter --deadline=30s --disable=gotype

[andrewkroh]

Don't divide by time.Milliseconds. Leave the value stored as nanoseconds because this is what a time.Duration value is defined as. Do the conversion to ms later when you need to write the value to an event.

[andrewkroh]

We generally try to avoid named result parameters. https://github.com/golang/go/wiki/CodeReviewComments#named-result-parameters

[andrewkroh]

The function name should be lower-case now.

[andrewkroh]

This can be simplified if you use a dotted key name. The tooling with expand it for the purposes of the index template.

  fields:
    - name: uptime.ms
      type: long
      format: duration
      input_format: milliseconds
      description: >
        The service uptime in milliseconds.

    - name: service_name

[andrewkroh]

If service.Uptime is 0 then let's not add it to the event. It should only be zero if an error occurred which would mean the data is invalid, right?

[martinscholz83]

Or the service is stopped. So maybe a check for 0 should help.

[andrewkroh]

For the fields that are enums it would be nice to document what the possible values are. I would simply add a sentence that says "The possible values are x, y, and z".

[martinscholz83]

Some special format for the values like x, y and z?

[andrewkroh]

If you like 👍

[andrewkroh]

I believe we adhere to the "Oxford comma" rule in our documentation. As such there should be a comma before the "and". Same for the other lists.

[andrewkroh]

Use ev.Put("uptime.ms", service.Uptime). It will automatically do the right thing.

[andrewkroh]

I assume this needs to be updated now that 0 values are filtered.

[andrewkroh]

There are some formatting issues that Travis CI is detecting. See https://travis-ci.org/elastic/beats/jobs/292592948#L590-L593

Also can you please squash your commits. Then rebase it on master (make sure your master is up-to-date with the remote first). There were some changes in master that are missing from your branch to allow Jenkins CI to run. Let me know if you need help with the git stuff.

[martinscholz83]

These formatting errors are really frustating. I have run gometalinter and goimports over these files. @andrewkroh, can you take a look what's wrong. Thank you!

[andrewkroh]

Use make fmt then view the git diff locally. After you commit the changes do one last make check.

[martinscholz83]

I've figured out why goimports was not working. I had a ubuntu package installed golang-golang-x-tools 😒

[andrewkroh]

jenkins, test it

[martinscholz83]

@andrewkroh, before you merge. One problem i actually run into is the part here. Sometimes i get an error from sys.UTF16BytesToUTF8Bytes input buffer must have an even length. This is different from machine to machine. That's why i have to do lastOffset = uintptr(len(servicesBuffer)) - 1 to make it even. Do you have any ideas. From understadnig i think its the same as in pdh_windows.go that the service name are appended to the end of the buffer.

[andrewkroh]

Sometimes i get an error from sys.UTF16BytesToUTF8Bytes input buffer must have an even length

It looks like Windows appends a single byte 0x00 to ensure the buffer is null-terminated. This is why the overall buffer length is odd. I made some changes in andrewkroh@7ea1e2f. Can you pull that commit into this branch or apply the change yourself.

[andrewkroh]

As I read through these keys I am thinking we should call this the windows service metricset (not plural). Similar to how the system process metricset is not plural. Then the field names here make more sense.

Additionally, if it is renamed then I would change windows.services.service_name to windows.service.name to removing the stuttering.

[andrewkroh]

LGTM. Can you please fix the one typo I just found then we can merge this. 🎉

[andrewkroh]

s/ServiceRuning/ServiceRunning/

[andrewkroh]

You'll need a make update to rebuild the docs from fields.yml.

[martinscholz83]

Jap. Switch to my linux machine

[andrewkroh]

jenkins, test it

[andrewkroh]

@maddin2016 Thanks for another great Windows monitoring contribution!

[martinscholz83]

Anytime! 👍