diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml index 536d7a8481e3..09841c40bad9 100644 --- a/auditbeat/auditbeat.reference.yml +++ b/auditbeat/auditbeat.reference.yml @@ -581,6 +581,15 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + + # Enables restarting auditbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -720,6 +729,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting auditbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting 
@@ -925,6 +942,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting auditbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/filebeat/beater/filebeat.go b/filebeat/beater/filebeat.go index ad28e293efd0..37b3be870616 100644 --- a/filebeat/beater/filebeat.go +++ b/filebeat/beater/filebeat.go @@ -440,7 +440,17 @@ func (fb *Filebeat) Run(b *beat.Beat) error { } // Stop the manager and stop the connection to any dependent services. - b.Manager.Stop() + // The Manager started to have a working implementation when + // https://github.com/elastic/beats/pull/34416 was merged. + // This is intended to enable TLS certificates reload on a long + // running Beat. + // + // However calling b.Manager.Stop() here messes up the behavior of the + // --once flag because it makes Filebeat exit early. + // So if --once is passed, we don't call b.Manager.Stop(). + if !*once { + b.Manager.Stop() + } return nil } diff --git a/filebeat/filebeat.reference.yml b/filebeat/filebeat.reference.yml index e6935b569bbf..5b1127fd51f6 100644 --- a/filebeat/filebeat.reference.yml +++ b/filebeat/filebeat.reference.yml 
@@ -1664,6 +1664,15 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + + # Enables restarting filebeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -1803,6 +1812,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting filebeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting @@ -2008,6 +2025,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting filebeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/heartbeat/heartbeat.reference.yml b/heartbeat/heartbeat.reference.yml index 9b52eb7fe5d5..7063ef63a2db 100644 --- a/heartbeat/heartbeat.reference.yml 
+++ b/heartbeat/heartbeat.reference.yml @@ -673,6 +673,15 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + + # Enables restarting heartbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -812,6 +821,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting heartbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting @@ -1017,6 +1034,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting heartbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
diff --git a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl index 32c2c56a9b8b..84ab9ab4381a 100644 --- a/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl +++ b/libbeat/_meta/config/output-elasticsearch.reference.yml.tmpl @@ -81,6 +81,15 @@ output.elasticsearch: #allow_older_versions: false {{include "ssl.reference.yml.tmpl" . | indent 2 }} + + # Enables restarting {{.BeatName}} if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-kafka.reference.yml.tmpl b/libbeat/_meta/config/output-kafka.reference.yml.tmpl index 04d17899f659..e3356f63061b 100644 --- a/libbeat/_meta/config/output-kafka.reference.yml.tmpl +++ b/libbeat/_meta/config/output-kafka.reference.yml.tmpl @@ -129,6 +129,14 @@ #client_id: beats {{include "ssl.reference.yml.tmpl" . | indent 2 }} + # Enables restarting {{.BeatName}} if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/libbeat/_meta/config/output-logstash.reference.yml.tmpl b/libbeat/_meta/config/output-logstash.reference.yml.tmpl index f315099ba89f..c5a6ca0dc6e6 100644 --- a/libbeat/_meta/config/output-logstash.reference.yml.tmpl +++ b/libbeat/_meta/config/output-logstash.reference.yml.tmpl 
@@ -56,6 +56,14 @@ #proxy_use_local_resolver: false {{include "ssl.reference.yml.tmpl" . | indent 2 }} + # Enables restarting {{.BeatName}} if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting diff --git a/libbeat/cmd/instance/beat.go b/libbeat/cmd/instance/beat.go index b651ed2cc2f2..6b5011417af4 100644 --- a/libbeat/cmd/instance/beat.go +++ b/libbeat/cmd/instance/beat.go @@ -67,6 +67,7 @@ import ( "github.com/elastic/beats/v7/libbeat/version" "github.com/elastic/elastic-agent-libs/config" "github.com/elastic/elastic-agent-libs/file" + "github.com/elastic/elastic-agent-libs/filewatcher" "github.com/elastic/elastic-agent-libs/keystore" kbn "github.com/elastic/elastic-agent-libs/kibana" "github.com/elastic/elastic-agent-libs/logp" @@ -76,6 +77,7 @@ import ( "github.com/elastic/elastic-agent-libs/monitoring/report/buffer" "github.com/elastic/elastic-agent-libs/paths" svc "github.com/elastic/elastic-agent-libs/service" + "github.com/elastic/elastic-agent-libs/transport/tlscommon" libversion "github.com/elastic/elastic-agent-libs/version" "github.com/elastic/elastic-agent-system-metrics/metric/system/host" metricreport "github.com/elastic/elastic-agent-system-metrics/report" @@ -96,6 +98,9 @@ type Beat struct { processing processing.Supporter InputQueueSize int // Size of the producer queue used by most queues. + + // shouldReexec is a flag to indicate the Beat should restart + shouldReexec bool } type beatConfig struct { 
@@ -139,6 +144,32 @@ type beatConfig struct { TimestampPrecision *config.C `config:"timestamp"` } +type certReloadConfig struct { + tlscommon.Config `config:",inline" yaml:",inline"` + Reload cfgfile.Reload `config:"restart_on_cert_change" yaml:"restart_on_cert_change"` +} + +func (c certReloadConfig) Validate() error { + if c.Reload.Period < time.Second { + return errors.New("'restart_on_cert_change.period' must be equal or greather than 1s") + } + + if c.Reload.Enabled && runtime.GOOS == "windows" { + return errors.New("'restart_on_cert_change' is not supported on Windows") + } + + return nil +} + +func defaultCertReloadConfig() certReloadConfig { + return certReloadConfig{ + Reload: cfgfile.Reload{ + Enabled: false, + Period: time.Minute, + }, + } +} + var debugf = logp.MakeDebug("beat") func init() { @@ -488,7 +519,19 @@ func (b *Beat) launch(settings Settings, bt beat.Creator) error { // Allow the manager to stop a currently running beats out of bound. b.Manager.SetStopCallback(beater.Stop) - return beater.Run(&b.Beat) + err = beater.Run(&b.Beat) + if b.shouldReexec { + if err := b.reexec(); err != nil { + return fmt.Errorf("could not restart %s: %w", b.Info.Beat, err) + } + } + + return err +} + +// reexec restarts the Beat, it calls the OS-specific implementation. +func (b *Beat) reexec() error { + return b.doReexec() } // registerMetrics registers metrics with the internal monitoring API. This data 
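Review bot: `b.shouldReexec` is read in `launch` right after `beater.Run` returns, but it is written from the watcher goroutine started in `reloadOutputOnCertChange` (a later hunk of this file) with no explicit synchronization; the only ordering is whatever `b.Manager.Stop()` happens to provide, so `go test -race` is likely to report it. Declaring the field as `atomic.Bool` and using `b.shouldReexec.Store(true)` in the goroutine and `if b.shouldReexec.Load() {` here makes the hand-off explicit and cheap. Separately, the message in `certReloadConfig.Validate` has a typo (`greather` should be `greater`), and because the period check runs even when `Reload.Enabled` is false, an explicitly configured `period` below 1s with the feature disabled would, if the unpack honours it, stop the Beat from starting — consider checking the period only when `c.Reload.Enabled` is true.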
@@ -980,11 +1023,106 @@ func (b *Beat) makeOutputFactory( } } +func (b *Beat) reloadOutputOnCertChange(cfg config.Namespace) error { + logger := logp.L().Named("ssl.cert.reloader") + // Here the output is created and we have access to the Beat struct (with the manager) + // as a workaround we can unpack the new settings and trigger the reload-watcher from here + + // We get an output config, so we extract the 'SSL' bit from it + rawTLSCfg, err := cfg.Config().Child("ssl", -1) + if err != nil { + var e ucfg.Error + if errors.As(err, &e) { + if errors.Is(e.Reason(), ucfg.ErrMissing) { + // if the output configuration does not contain a `ssl` section + // do nothing and return no error + return nil + } + } + return fmt.Errorf("could not extract the 'ssl' section of the output config: %w", err) + } + + extendedTLSCfg := defaultCertReloadConfig() + if err := rawTLSCfg.Unpack(&extendedTLSCfg); err != nil { + return fmt.Errorf("unpacking 'ssl' config: %w", err) + } + + if !extendedTLSCfg.Reload.Enabled { + return nil + } + logger.Debug("exit on CA certs change enabled") + + possibleFilesToWatch := append( + extendedTLSCfg.CAs, + extendedTLSCfg.Certificate.Certificate, + extendedTLSCfg.Certificate.Key, + ) + + filesToWatch := []string{} + for _, f := range possibleFilesToWatch { + if f == "" { + continue + } + if tlscommon.IsPEMString(f) { + // That's an embedded cert, we're only interested in files + continue + } + + logger.Debugf("watching '%s' for changes", f) + filesToWatch = append(filesToWatch, f) + } + + // If there are no files to watch, don't do anything. + if len(filesToWatch) == 0 { + logger.Debug("no files to watch, filewatcher will not be started") + return nil + } + + watcher := filewatcher.New(filesToWatch...) + // Ignore the first scan as it will always return + // true for files changed. 
The output has not been + // started yet, so even if the files have changed since + // the Beat started, they don't need to be reloaded + _, _, _ = watcher.Scan() + + // Watch for file changes while the Beat is alive + go func() { + //nolint:staticcheck // this is an endless function + ticker := time.Tick(extendedTLSCfg.Reload.Period) + + for { + <-ticker + files, changed, err := watcher.Scan() + if err != nil { + logger.Warnf("could not scan certificate files: %s", err.Error()) + } + + if changed { + logger.Infof( + "some of the following files have been modified: %v, restarting %s.", + files, b.Info.Beat) + + b.shouldReexec = true + b.Manager.Stop() + + // we're done, finish the goroutine just for the sake of it + return + } + } + }() + + return nil +} + func (b *Beat) createOutput(stats outputs.Observer, cfg config.Namespace) (outputs.Group, error) { if !cfg.IsSet() { return outputs.Group{}, nil } + if err := b.reloadOutputOnCertChange(cfg); err != nil { + return outputs.Group{}, fmt.Errorf("could not setup output certificates reloader: %w", err) + } + return outputs.Load(b.IdxSupporter, b.Info, stats, cfg.Name(), cfg.Config()) } diff --git a/libbeat/cmd/instance/beat_reexec_unix.go b/libbeat/cmd/instance/beat_reexec_unix.go new file mode 100644 index 000000000000..3e67a6b51d1b --- /dev/null +++ b/libbeat/cmd/instance/beat_reexec_unix.go 
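Review bot: The watcher goroutine at the end of `reloadOutputOnCertChange` has no stop signal: it uses `time.Tick` and loops until a change is observed, so if `createOutput` is invoked more than once for the same Beat (for example on an output reload) a second watcher is started while the first keeps scanning, and each of them may call `b.Manager.Stop()`. Tie the goroutine to the Beat's lifetime with `time.NewTicker` plus `defer ticker.Stop()` and a `select` on a done channel or context, and guard against starting a second watcher. Also, `possibleFilesToWatch := append(extendedTLSCfg.CAs, ...)` may write into the backing array of `extendedTLSCfg.CAs` when it has spare capacity; build the list as `append([]string{}, extendedTLSCfg.CAs...)` before appending the certificate and key. A scan error is only logged at warn level and the loop continues, which is reasonable, but the `Debug` line enabling the feature could state that a file that becomes unreadable or is removed will never trigger a restart.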
@@ -0,0 +1,43 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !windows
+// +build !windows
+
+package instance
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+
+ "golang.org/x/sys/unix"
+)
+
+func (b *Beat) doReexec() error {
+ pwd, err := os.Getwd()
+ if err != nil {
+ return fmt.Errorf("could not get working directory: %w", err)
+ }
+
+ binary := filepath.Join(pwd, os.Args[0])
+ if err := unix.Exec(binary, os.Args, os.Environ()); err != nil {
+ return fmt.Errorf("could not exec '%s', err: %w", binary, err)
+ }
+
+ return nil
+}
diff --git a/libbeat/cmd/instance/beat_reexec_windows.go b/libbeat/cmd/instance/beat_reexec_windows.go
new file mode 100644
index 000000000000..ffc963b2f791
--- /dev/null
+++ b/libbeat/cmd/instance/beat_reexec_windows.go
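Review bot: `filepath.Join(pwd, os.Args[0])` in `doReexec` is not a reliable path to the running binary: if `os.Args[0]` is already absolute the join yields a nonsense path, if the Beat was started through a `PATH` lookup (`os.Args[0]` is a bare name) it resolves against the current working directory rather than the binary's real location, and it silently depends on the working directory not having changed since start. `os.Executable()` returns the resolved path of the running program and is the right source here: `binary, err := os.Executable()` / `if err != nil { return fmt.Errorf("could not resolve executable path: %w", err) }`. Note that a successful `unix.Exec` never returns, so the trailing `return nil` is reached only when the kernel refuses the exec (for instance under a seccomp policy that denies `execve`); a doc comment on `doReexec` should say this so callers do not expect deferred cleanup in `launch` to run after a restart.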
@@ -0,0 +1,32 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build windows
+// +build windows
+
+package instance
+
+import (
+ "github.com/elastic/elastic-agent-libs/logp"
+)
+
+// doReexec is a noop on Windows, it only logs a message explaining it.
+func (b *Beat) doReexec() error {
+ logger := logp.L().Named("ssl.cert.reloader")
+ logger.Info("reloading certs/reexecing is not supported on Windows. %s will not restart", b.Info.Beat)
+ return nil
+}
diff --git a/libbeat/common/seccomp/policy_linux_386.go b/libbeat/common/seccomp/policy_linux_386.go
index 5a7227010601..724666987201 100644
--- a/libbeat/common/seccomp/policy_linux_386.go
+++ b/libbeat/common/seccomp/policy_linux_386.go
@@ -39,6 +39,7 @@ func init() {
 "clone3",
 "close",
 "dup",
+ "execve",
 "dup2",
 "epoll_create",
 "epoll_create1",
diff --git a/libbeat/common/seccomp/policy_linux_amd64.go b/libbeat/common/seccomp/policy_linux_amd64.go
index 54a2ec86ad13..0a05bdde9275 100644
--- a/libbeat/common/seccomp/policy_linux_amd64.go
+++ b/libbeat/common/seccomp/policy_linux_amd64.go
@@ -49,6 +49,7 @@ func init() {
 "epoll_ctl",
 "epoll_pwait",
 "epoll_wait",
+ "execve",
 "exit",
 "exit_group",
 "fchdir",
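Review bot: `logger.Info(...)` in the Windows `doReexec` is given a `%s` verb and `b.Info.Beat` as a second argument; if logp's `Info` is the Sprint-style variant (as with zap's SugaredLogger) the verb is printed literally and the beat name is appended after it, so this should be `logger.Infof("reloading certs/reexecing is not supported on Windows. %s will not restart", b.Info.Beat)`. Also, since `certReloadConfig.Validate` rejects `restart_on_cert_change.enabled: true` on Windows, `shouldReexec` can never be set there and this stub is in practice unreachable; the doc comment could say it exists only to satisfy the per-OS build so nobody relies on the log line.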
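Review bot: In `policy_linux_386.go` the new `"execve"` entry is inserted between `"dup"` and `"dup2"`, breaking the alphabetical order the list otherwise keeps (the amd64 hunk places it correctly between `"epoll_wait"` and `"exit"`); move it to the same position. More importantly, this hunk together with the arm/arm64 and profiler-list changes in the following diff lines allows `execve` for every Beat unconditionally, whether or not `restart_on_cert_change` is enabled, which permanently widens the default sandbox for a feature most deployments will not turn on. If the seccomp policy is installed after the configuration has been parsed, consider adding `execve` to the allow list only when the feature is enabled, and say so in the docs next to the existing note about custom policies.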
diff --git a/libbeat/common/seccomp/policy_linux_arm.go b/libbeat/common/seccomp/policy_linux_arm.go index 78a8f68bb710..aae2b1dd6d09 100644 --- a/libbeat/common/seccomp/policy_linux_arm.go +++ b/libbeat/common/seccomp/policy_linux_arm.go @@ -26,7 +26,6 @@ func init() { { Action: seccomp.ActionErrno, Names: []string{ - "execve", "execveat", "fork", "vfork", diff --git a/libbeat/common/seccomp/policy_linux_arm64.go b/libbeat/common/seccomp/policy_linux_arm64.go index f7b914c5dd7e..bcd6e0ae9159 100644 --- a/libbeat/common/seccomp/policy_linux_arm64.go +++ b/libbeat/common/seccomp/policy_linux_arm64.go @@ -26,7 +26,6 @@ func init() { { Action: seccomp.ActionErrno, Names: []string{ - "execve", "execveat", }, }, diff --git a/libbeat/common/seccomp/seccomp-profiler-allow.txt b/libbeat/common/seccomp/seccomp-profiler-allow.txt index 237144d907cb..34e31cbfe126 100644 --- a/libbeat/common/seccomp/seccomp-profiler-allow.txt +++ b/libbeat/common/seccomp/seccomp-profiler-allow.txt @@ -26,3 +26,6 @@ readlink rename unlink wait4 + +# Reexec +execve diff --git a/libbeat/common/seccomp/seccomp-profiler-blacklist.txt b/libbeat/common/seccomp/seccomp-profiler-blacklist.txt index f8d2f0cc56c9..1f5f5aa10f88 100644 --- a/libbeat/common/seccomp/seccomp-profiler-blacklist.txt +++ b/libbeat/common/seccomp/seccomp-profiler-blacklist.txt @@ -3,7 +3,6 @@ chroot clock_adjtime create_module delete_module -execve execveat fork init_module diff --git a/libbeat/docs/shared-ssl-config.asciidoc b/libbeat/docs/shared-ssl-config.asciidoc index 80fe208093a3..1b27c3b217f8 100644 --- a/libbeat/docs/shared-ssl-config.asciidoc +++ b/libbeat/docs/shared-ssl-config.asciidoc 
@@ -567,6 +567,28 @@ Allows a remote server to request renegotiation repeatedly. + The default value is `never`. +[float] +[[exit_on_cert_change_enabled]] +==== `restart_on_cert_change.enabled` +If set to `true` {beatname_uc} will restart if any file listed by `key`, +`certificate`, or `certificate_authorities` is modified. + +NOTE: This feature is NOT supported on Windows. The default value is +`false`. + +NOTE: This feature requres the `execve` system call to be enabled. If +you have a custom seccomp policy in place, make sure to allow for +`execve`. + +[float] +[[restart_on_cert_change_period]] +==== `restart_on_cert_change.period` +Specifies how often the files are checked for changes. Do not set the +period to less than 1s because the modification time of files is often +stored in seconds. Setting the period to less than 1s will result in +validation error and {beatname_uc} will not start. The default value +is 1m. + ifeval::["{beatname_lc}" == "filebeat"] [float] [[server-client-renegotiation]] diff --git a/libbeat/management/management.go b/libbeat/management/management.go index a8eacd45147d..bac6a4d23594 100644 --- a/libbeat/management/management.go +++ b/libbeat/management/management.go @@ -60,8 +60,6 @@ var Namespace = "libbeat.management" // DebugK used as key for all things central management var DebugK = "centralmgmt" -var centralMgmtKey = "x-pack-cm" - // StatusReporter provides a method to update current status of the beat. type StatusReporter interface { // UpdateStatus called when the status of the beat has changed. 
@@ -142,40 +140,26 @@ func Factory(cfg *config.C) FactoryFunc { return nilFactory } -type modeConfig struct { - Mode string `config:"mode" yaml:"mode"` -} - -func defaultModeConfig() *modeConfig { - return &modeConfig{ - Mode: centralMgmtKey, - } -} - -// nilManager, fallback when no manager is present -type nilManager struct { +// fallbackManager, fallback when no manager is present +type fallbackManager struct { logger *logp.Logger lock sync.Mutex status Status msg string stopFunc func() + stopOnce sync.Once } func nilFactory(*config.C, *reload.Registry, uuid.UUID) (Manager, error) { log := logp.NewLogger("mgmt") - return &nilManager{ + return &fallbackManager{ logger: log, status: Unknown, msg: "", }, nil } -func (*nilManager) SetStopCallback(func()) {} -func (*nilManager) Enabled() bool { return false } -func (*nilManager) Start() error { return nil } -func (*nilManager) Stop() {} -func (*nilManager) CheckRawConfig(cfg *config.C) error { return nil } -func (n *nilManager) UpdateStatus(status Status, msg string) { +func (n *fallbackManager) UpdateStatus(status Status, msg string) { n.lock.Lock() defer n.lock.Unlock() if n.status != status || n.msg != msg { 
@@ -185,8 +169,33 @@ func (n *nilManager) UpdateStatus(status Status, msg string) { } } -func (n *nilManager) RegisterAction(action client.Action) {} +func (n *fallbackManager) SetStopCallback(f func()) { + n.lock.Lock() + n.stopFunc = f + n.lock.Unlock() +} -func (n *nilManager) UnregisterAction(action client.Action) {} +func (n *fallbackManager) Stop() { + n.lock.Lock() + defer n.lock.Unlock() + if n.stopFunc != nil { + // I'm not sure we really need the sync.Once here, but + // because different Beats can have different requirements + // for their stup function, it's better to make sure it will + // only be called once. + n.stopOnce.Do(func() { + n.stopFunc() + }) + } +} -func (n *nilManager) SetPayload(map[string]interface{}) {} +// Enabled returns false because management is disabled. +// the nilManager is still used for shutdown on some cases, +// but that does not mean the Beat is being managed externally, +// hence it will always return false. +func (n *fallbackManager) Enabled() bool { return false } +func (n *fallbackManager) Start() error { return nil } +func (n *fallbackManager) CheckRawConfig(cfg *config.C) error { return nil } +func (n *fallbackManager) RegisterAction(action client.Action) {} +func (n *fallbackManager) UnregisterAction(action client.Action) {} +func (n *fallbackManager) SetPayload(map[string]interface{}) {} diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index d04774809f5c..92352d136c7f 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml 
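Review bot: `fallbackManager.Stop` holds `n.lock` while invoking the stop callback inside `stopOnce.Do`; if that callback (a beater's `Stop`) calls back into the manager — `UpdateStatus` takes the same lock — the shutdown deadlocks. Copy the callback out under the lock, release it, and run the `Once` outside the critical section, as below. The comment above `Enabled` still refers to `nilManager` after the rename, and `stup` in the `Stop` comment should read `stop`.
```go
func (n *fallbackManager) Stop() {
	n.lock.Lock()
	f := n.stopFunc
	n.lock.Unlock()
	if f == nil {
		return
	}
	// Run the callback outside the lock so it may safely call back into the manager.
	n.stopOnce.Do(f)
}
```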
@@ -1400,6 +1400,15 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + + # Enables restarting metricbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -1539,6 +1548,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting metricbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting @@ -1744,6 +1761,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting metricbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/packetbeat/packetbeat.reference.yml b/packetbeat/packetbeat.reference.yml index 0a2fb775ad3b..0601676dca1f 100644 
--- a/packetbeat/packetbeat.reference.yml +++ b/packetbeat/packetbeat.reference.yml @@ -1028,6 +1028,15 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + + # Enables restarting packetbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -1167,6 +1176,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting packetbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting @@ -1372,6 +1389,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting packetbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
diff --git a/winlogbeat/winlogbeat.reference.yml b/winlogbeat/winlogbeat.reference.yml index 24447bf42ed1..120afa9b6045 100644 --- a/winlogbeat/winlogbeat.reference.yml +++ b/winlogbeat/winlogbeat.reference.yml @@ -463,6 +463,15 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + + # Enables restarting winlogbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true @@ -602,6 +611,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting winlogbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting 
@@ -807,6 +824,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting winlogbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml index 2245d15ee6a7..5d3bf6bb2f12 100644 --- a/x-pack/auditbeat/auditbeat.reference.yml +++ b/x-pack/auditbeat/auditbeat.reference.yml @@ -637,6 +637,15 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + + # Enables restarting auditbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true 
@@ -776,6 +785,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting auditbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # The number of times to retry publishing an event after a publishing failure. # After the specified number of retries, the events are typically dropped. # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting @@ -981,6 +998,14 @@ output.elasticsearch: # only one in the list. Then the normal SSL validation happens. #ssl.ca_trusted_fingerprint: "" + # Enables restarting auditbeat if any file listed by `key`, + # `certificate`, or `certificate_authorities` is modified. + # This feature IS NOT supported on Windows. + #ssl.restart_on_cert_change.enabled: false + + # Period to scan for changes on CA certificate files + #ssl.restart_on_cert_change.period: 1m + # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set. #kerberos.enabled: true diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index fe35d2e21af1..4deebbc7dd3a 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml 
@@ -4018,6 +4018,15 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting filebeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -4157,6 +4166,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting filebeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
   # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
@@ -4362,6 +4379,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting filebeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
diff --git a/x-pack/functionbeat/functionbeat.reference.yml b/x-pack/functionbeat/functionbeat.reference.yml
index 43af468e10cd..0d7ca3a8d26a 100644
--- a/x-pack/functionbeat/functionbeat.reference.yml
+++ b/x-pack/functionbeat/functionbeat.reference.yml
@@ -705,6 +705,15 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting functionbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -844,6 +853,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting functionbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
   # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
diff --git a/x-pack/heartbeat/heartbeat.reference.yml b/x-pack/heartbeat/heartbeat.reference.yml
index 9b52eb7fe5d5..7063ef63a2db 100644
--- a/x-pack/heartbeat/heartbeat.reference.yml
+++ b/x-pack/heartbeat/heartbeat.reference.yml
@@ -673,6 +673,15 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting heartbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -812,6 +821,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting heartbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
   # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
@@ -1017,6 +1034,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting heartbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml
index 90cd46f423fb..f99ac10cb786 100644
--- a/x-pack/metricbeat/metricbeat.reference.yml
+++ b/x-pack/metricbeat/metricbeat.reference.yml
@@ -1946,6 +1946,15 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting metricbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -2085,6 +2094,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting metricbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
   # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
@@ -2290,6 +2307,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting metricbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
diff --git a/x-pack/osquerybeat/osquerybeat.reference.yml b/x-pack/osquerybeat/osquerybeat.reference.yml
index 3e9ded31cc22..e970ef632e60 100644
--- a/x-pack/osquerybeat/osquerybeat.reference.yml
+++ b/x-pack/osquerybeat/osquerybeat.reference.yml
@@ -424,6 +424,15 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting osquerybeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -563,6 +572,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting osquerybeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
   # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
diff --git a/x-pack/packetbeat/packetbeat.reference.yml b/x-pack/packetbeat/packetbeat.reference.yml
index 0a2fb775ad3b..0601676dca1f 100644
--- a/x-pack/packetbeat/packetbeat.reference.yml
+++ b/x-pack/packetbeat/packetbeat.reference.yml
@@ -1028,6 +1028,15 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting packetbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -1167,6 +1176,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting packetbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
   # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
@@ -1372,6 +1389,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting packetbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
diff --git a/x-pack/winlogbeat/winlogbeat.reference.yml b/x-pack/winlogbeat/winlogbeat.reference.yml
index 01c5c670935a..28954b37e0b6 100644
--- a/x-pack/winlogbeat/winlogbeat.reference.yml
+++ b/x-pack/winlogbeat/winlogbeat.reference.yml
@@ -465,6 +465,15 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+
+  # Enables restarting winlogbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true
@@ -604,6 +613,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting winlogbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # The number of times to retry publishing an event after a publishing failure.
   # After the specified number of retries, the events are typically dropped.
   # Some Beats, such as Filebeat and Winlogbeat, ignore the max_retries setting
@@ -809,6 +826,14 @@ output.elasticsearch:
   # only one in the list. Then the normal SSL validation happens.
   #ssl.ca_trusted_fingerprint: ""
+  # Enables restarting winlogbeat if any file listed by `key`,
+  # `certificate`, or `certificate_authorities` is modified.
+  # This feature IS NOT supported on Windows.
+  #ssl.restart_on_cert_change.enabled: false
+
+  # Period to scan for changes on CA certificate files
+  #ssl.restart_on_cert_change.period: 1m
+
   # Enable Kerberos support. Kerberos is automatically enabled if any Kerberos setting is set.
   #kerberos.enabled: true