Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Metricbeat] Windows Module add wmi metricset #42017

Open
wants to merge 42 commits into
base: main
Choose a base branch
from
Open

[Metricbeat] Windows Module add wmi metricset #42017

wants to merge 42 commits into from

Conversation

herrBez
Copy link
Contributor

@herrBez herrBez commented Dec 12, 2024

Proposed commit message

[Metricbeat][Windows] Add experimental wmi metricset

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

This PR does not have impact to existing use-cases

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Use cases

As a windows user I want to leverage WMI (and in particular WQL, SQL for WMI) to extract detailed system information and metrics.

Screenshots

Logs

@herrBez herrBez self-assigned this Dec 12, 2024
@herrBez herrBez requested review from a team as code owners December 12, 2024 15:57
@herrBez herrBez requested review from faec and VihasMakwana December 12, 2024 15:57
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 12, 2024
@botelastic
Copy link

botelastic bot commented Dec 12, 2024

This pull request doesn't have a Team:<team> label.

@mergify Mergify
Copy link
Contributor

mergify bot commented Dec 12, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @herrBez? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify Mergify
Copy link
Contributor

mergify bot commented Dec 12, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Dec 12, 2024
@strawgate
Copy link
Contributor

One of the challenges with running arbitrary WMI queries is that WMI queries can be extremely slow and certain WMI queries can actually result in changes to the system -- have we considered whether or how we might provide timeout functionality for running WMI queries?

@herrBez
Copy link
Contributor Author

herrBez commented Dec 13, 2024
edited
Loading

Hi, good points! Thank you for the comment :).

One of the challenges with running arbitrary WMI queries is that WMI queries can be extremely slow and certain WMI queries can actually result in changes to the system -- have we considered whether or how we might provide timeout functionality for running WMI queries?

About the timing issues: I don't see a parameter in the library to stop a query after X seconds (I would need to understand if the underlying library/WMI have a similar mechanism). Maybe by leveraging an ExecAsyncQuery (there is no "exposed" method for this) we can stop after a timeout. Similarly to what is done here: https://github.com/microsoft/wmi/blob/v0.25.0/pkg/wmiinstance/WmiEventSink_test.go#L66. Not sure it's actually stopping the underlying query after some time.

About the "can actually result in changes to the system": with the current implementation we can only build queries of type SELECT * FROM Class WHERE .... This should prevent changes to the system, right?

herrBez added 14 commits December 24, 2024 12:32
@herrBez
Add namespace at the query level and add a structure to index queries…
bf9c088 
… on the namespace. Add logic to create a single connection per Namespace
@herrBez
Rename the config method to be more explicit
c54eca0
@herrBez
Add Primitives to deal with the type convrsion for strings
3e232f2
@herrBez
Add unit test for the conversion function
7ff8b88
@herrBez
Add heuristic to determine if fetching the CIMType is needed
f1e67e4
@herrBez
Add type conversion
c4f7101
@herrBez
Improve comments to explicitly state what are the config parameters u…
1e00ac9 
…sed for
@herrBez
Add license header to wmi and utils test
54e6642
@herrBez
Run mage fmt
0cced56
@herrBez
Update the reference config after the final implementation
9661c45
@herrBez
Remove the dummy field definition
ab3c5e6
@herrBez
Add sample data in the data.json file
6c3c55f
@herrBez
Fix go.mod and change NOTICE.txt to reflect the fact that go-ole is n…
969b7cc 
…ow directly used in the WMI module
@herrBez
Make sure that the wmi tests run only on windows
be95605
@herrBez herrBez requested a review from ishleenk17 December 24, 2024 15:22
@herrBez
Copy link
Contributor Author

herrBez commented Dec 24, 2024

Hi @ishleenk17, @tommyers-elastic , I implemented all changes we discussed offline and the dataset is ready for review.

I am having a very hard-time in making the CI/CD pipeline work. Could you help me shred some lights? In particular, I am not able to understand how to fix the error reported here https://github.com/elastic/beats/actions/runs/12483185235/job/34838540533?pr=42017.

@ishleenk17
Copy link
Contributor

@herrBez

  • To make this module part of the Agent, please add the module to agenbeat.spec.yml .
  • Please run make update BEATS=metricbeat in the beats directory.

@herrBez
Copy link
Contributor Author

herrBez commented Jan 2, 2025

Hi Ishleen, thank you for the help.

Please run make update BEATS=metricbeat in the beats directory.

I receive the error as part of the execution of the command and I don't understand how to fix it.

@mergify Mergify
Copy link
Contributor

mergify bot commented Jan 2, 2025

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b wmi upstream/wmi
git merge upstream/main
git push upstream wmi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lalit-satapathy lalit-satapathy Awaiting requested review from lalit-satapathy

@tommyers-elastic tommyers-elastic Awaiting requested review from tommyers-elastic

@faec faec Awaiting requested review from faec faec is a code owner automatically assigned from elastic/elastic-agent-data-plane

@VihasMakwana VihasMakwana Awaiting requested review from VihasMakwana VihasMakwana is a code owner automatically assigned from elastic/elastic-agent-data-plane

@ishleenk17 ishleenk17 Awaiting requested review from ishleenk17

At least 1 approving review is required to merge this pull request.

Assignees

@herrBez herrBez

Labels
backport-8.x Automated backport to the 8.x branch with mergify needs_team Indicates that the issue/PR needs a Team:* label
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@herrBez @strawgate @ishleenk17