-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use fingerprint
file identity by default and migrate file state from native
or path
#41762
Use fingerprint
file identity by default and migrate file state from native
or path
#41762
Conversation
The `sourceStore.UpdateIdentifiers` has always been part of the fileProspector.Init, its purpose is to update the identifiers in the registry if the file identity has changed, however it was generating the wrong key and not updating the in memory registry (store.ephemeralStore). This commit fixes it and also removes `sourceStore.FixUpIdentifiers` because it just a working version of `sourceStore.UpdateIdentifiers`. Now there is a single method to manipulate identifiers in the `sourceStore`.
This commit checks if 'source' matches the real file by calculating the registry key using the old identifier, if they match, then update the registry.
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
|
A working test that migrated the file identity from inode to fingerprint.
…-migrate-file-identity
This commit adds a test to validate the case when there are multiple registry entries from different files but with the same path. That's the case when there is log rotation.
…-migrate-file-identity
Let's make sure it's also tested with dynamic config reload and with the Elastic Agent control protocol. When I worked on I'm not saying it's not handled here, just we need to include this into testing procedures. |
Thanks Denis! Do you mean at least a manual test or an integration test? The prospector initialisation happens much after any code path for starting/configuring an input, it should be totally agnostic from how the input was configured started. So I believe those cases are also covered. However, I do agree it is good to at least perform some manual test, just to be on the safe side. |
…-migrate-file-identity
The Windows test failure is unrelated to this PR, I created a flaky test issue: #42059 |
…-migrate-file-identity
I merged |
This will be breaking for somebody, let's only keep the change of default identity in 9.0. It would likely be helpful to backport the code here but keep the default identity in 8.x unchanged to make future backports easier. |
Looks like only the linter is unhappy. |
I touched too many files, all those warnings are from bits of code I didn't touch. Because this PR is rather large, I wasn't planning on fixing all those lint warnings to reduce the changes that need reviewing. However, if you insist, I can fix them. |
This is not what I said 👍🏼 I am merging this as you didn't touch the code yelling at you. |
I've been thinking about the best way to do this:
|
fingerprint
file identity by default and migrate file state from native or
path`fingerprint
file identity by default and migrate file state from native
or path
I've enabled auto merge, it should get merged after CI runs :D |
…-migrate-file-identity
// do not match, log it at debug level and do nothing. | ||
if previousIdentifierKey != registryKey { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to the comment it is missing a debug log here.
…m `native` or `path` (#41762) This commit changes the default `file_identity` from `native` to `fingerprint`, any previous state from `native` (or `path`) is automatically migrated to `fingerprint` whe Filestream is starting. The Filestream input has always had the [ability to update file identifiers](https://github.com/elastic/beats/blob/4278366ab03221e8b62183dc06f9505f6ccc5209/filebeat/input/filestream/prospector.go#L104-L122), however it never worked as expected, leading to full data duplication when changing the file identity. This commit fixes it to allow changing the file identity from `native` (inode + device ID) and `path` to `fingerprint` without any data duplication. (cherry picked from commit 78fe7a5) # Conflicts: # filebeat/tests/integration/filestream_test.go
…`fingerprint` for Filestream inputs (#42126) The Filestream input has always had the [ability to update file identifiers](https://github.com/elastic/beats/blob/4278366ab03221e8b62183dc06f9505f6ccc5209/filebeat/input/filestream/prospector.go#L104-L122), however it never worked as expected, leading to full data duplication when changing the file identity. This commit fixes it to allow changing the file identity from `native` (inode + device ID) and `path` to `fingerprint` without any data duplication. --------- Co-authored-by: Tiago Queiroz <tiago.queiroz@elastic.co> Co-authored-by: Julien Lind <julien.lind@elastic.co>
Proposed commit message
This commit changes the default
file_identity
fromnative
tofingerprint
, any previous state fromnative
(orpath
) isautomatically migrated to
fingerprint
whe Filestream is starting.The Filestream input has always had the ability to update file identifiers,
however it never worked as expected, leading to full data duplication
when changing the file identity. This commit fixes it to allow
changing the file identity from
native
(inode + device ID) andpath
tofingerprint
without any data duplication.Checklist
I have made corresponding change to the default configuration filesCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Disruptive User Impact
Because the
fingerprint
is the new default file identity, files are now only ingested when they reach at least 1024 bytes. The old default behaviour can be enabled by setting the file identity tonative
and disabling the fingerprint in the scanner.Author's Checklist
Regarding the Elastic-Agent integration tests, most tests actually use the
log
input because when they were written, Filestream was not available as an integration package. The very few other test that use Filestrem either generate a log file large enough or are skipped as flaky.How to test this PR locally
Create a log file with at least a few log lines and more than 1kb (e.g:
/tmp/flog.log
, 15 log lines), you can useflog
with Docker:Start Filebeat with the following configuration
filebeat.yml (native)
Wait until the file is fully ingested (wait for
End of file reached: /tmp/flog.log; Backoff now.
in the logs)Ensure all events have been published to the output (
wc -l ./output-file*
should return 15)Stop Filebeat
Change the file identity to
fingerprint
. It's the new default, hence it's not explicitly set.filebeat.yml (fingerprint)
Start Filebeat
Wait until the Filebeat "finds the end of the file" (wait for
End of file reached: /tmp/flog.log; Backoff now.
in the logs)Ensure no extra event was published ((
wc -l ./output-file*
should still return 15)Add 10 more lines to the file:
Wait until the new lines are ingested (wait for
End of file reached: /tmp/flog.log; Backoff now.
in the logs)Ensure all events have been published to the output with no duplication (
wc -l ./output-file*
should return 25)Related issues
Use cases
Dealing with identity reuse (e.g: inode reuse) without facing re-ingestion of data with Filestream input
## ScreenshotsLogs