Packetbeat process monitor enhancements #7135
Conversation
| procGetExtendedTcpTable = modiphlpapi.NewProc("GetExtendedTcpTable") | ||
| ) | ||
|
|
||
| func _GetExtendedTcpTable(pTcpTable uintptr, pdwSize *uint32, bOrder bool, ulAf uint32, tableClass uint32, reserved uint32) (code syscall.Errno, err error) { |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| var ( | ||
| modiphlpapi = windows.NewLazySystemDLL("iphlpapi.dll") | ||
|
|
||
| procGetExtendedTcpTable = modiphlpapi.NewProc("GetExtendedTcpTable") |
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
| ) | ||
|
|
||
| var ( | ||
| errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING) |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| // Do the interface allocations only once for common | ||
| // Errno values. | ||
| const ( | ||
| errnoERROR_IO_PENDING = 997 |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
packetbeat/procs/syscall_windows.go
Outdated
| localScopeId uint32 | ||
| localPort uint32 | ||
| remoteAddr [16]byte | ||
| remoteScopeId uint32 |
There was a problem hiding this comment.
struct field remoteScopeId should be remoteScopeID
packetbeat/procs/procs_windows.go
Outdated
| e(uint32FieldToPort(row.localPort), int(row.owningPID)) | ||
| } | ||
|
|
||
| func (_ TCPRowOwnerPIDExtractor) Size() int { |
There was a problem hiding this comment.
exported method TCPRowOwnerPIDExtractor.Size should have comment or be unexported
receiver name should not be an underscore, omit the name if it is unused
packetbeat/procs/procs_windows.go
Outdated
| return TCP6RowOwnerPIDExtractor(fn) | ||
| } | ||
|
|
||
| func (e TCPRowOwnerPIDExtractor) Extract(ptr unsafe.Pointer) { |
There was a problem hiding this comment.
exported method TCPRowOwnerPIDExtractor.Extract should have comment or be unexported
packetbeat/procs/procs_windows.go
Outdated
| {windows.AF_INET6, _GetExtendedTcpTable, TCP_TABLE_OWNER_PID_ALL, extractTCP6RowOwnerPID}, | ||
| } | ||
|
|
||
| func (proc *ProcessesWatcher) GetLocalPortToPIDMapping() (ports map[uint16]int, err error) { |
There was a problem hiding this comment.
exported method ProcessesWatcher.GetLocalPortToPIDMapping should have comment or be unexported
packetbeat/procs/procs_windows.go
Outdated
| type extractorFactory func(fn callbackFn) extractor | ||
|
|
||
| type TCPRowOwnerPIDExtractor callbackFn | ||
| type TCP6RowOwnerPIDExtractor callbackFn |
There was a problem hiding this comment.
exported type TCP6RowOwnerPIDExtractor should have comment or be unexported
packetbeat/procs/procs_windows.go
Outdated
| type callbackFn func(uint16, int) | ||
| type extractorFactory func(fn callbackFn) extractor | ||
|
|
||
| type TCPRowOwnerPIDExtractor callbackFn |
There was a problem hiding this comment.
exported type TCPRowOwnerPIDExtractor should have comment or be unexported
adriansr
force-pushed
the
packetbeat/feature/procs
branch
3 times, most recently
from
070f64b
to
8a519bf
Compare
packetbeat/procs/procs_other.go
Outdated
|
|
||
| package procs | ||
|
|
||
| func (proc *ProcessesWatcher) GetLocalPortToPIDMapping() (ports map[uint16]int, err error) { |
There was a problem hiding this comment.
exported method ProcessesWatcher.GetLocalPortToPIDMapping should have comment or be unexported
packetbeat/procs/procs_linux.go
Outdated
| inode uint64 | ||
| } | ||
|
|
||
| func (proc *ProcessesWatcher) GetLocalPortToPIDMapping() (ports map[uint16]int, err error) { |
There was a problem hiding this comment.
exported method ProcessesWatcher.GetLocalPortToPIDMapping should have comment or be unexported
packetbeat/procs/procs.go
Outdated
|
|
||
| return false | ||
| func (proc *ProcessesWatcher) GetLocalIPs() ([]net.IP, error) { |
There was a problem hiding this comment.
exported method ProcessesWatcher.GetLocalIPs should have comment or be unexported
packetbeat/procs/procs.go
Outdated
| if ip.Equal(addr) { | ||
| return true | ||
| } | ||
| func (proc *ProcessesWatcher) GetProcessCommandLine(pid int) (cmdLine string) { |
There was a problem hiding this comment.
exported method ProcessesWatcher.GetProcessCommandLine should have comment or be unexported
| SrcIP, DstIP net.IP | ||
| SrcPort, DstPort uint16 | ||
| } | ||
|
|
||
| type IPPortTuple struct { |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
| @@ -15,10 +15,15 @@ const MaxIPPortTupleRawSize = 16 + 16 + 2 + 2 | |||
|
|
|||
| type HashableIPPortTuple [MaxIPPortTupleRawSize]byte | |||
|
|
|||
| type IPPortTuple struct { | |||
| IPLength int | |||
| type BaseTuple struct { | |||
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
adriansr
force-pushed
the
packetbeat/feature/procs
branch
from
8a519bf
to
76d7080
Compare
packetbeat/procs/procs.go
Outdated
|
|
||
| logp.Debug("procsdetailed", "UpdateMappingEntry(): port=%d pid=%d", port, p.name) | ||
| logp.Debug("procsdetailed", "UpdateMappingEntry(): port=%d pid=%d process='%s' name=%s", |
There was a problem hiding this comment.
Looks like that should “updateMappingEntry()”.
|
I wonder if we should make this an autodiscovery provider instead so we can reuse it in all Beats? |
| class uint32 | ||
| extractor extractorFactory | ||
| }{ | ||
| {windows.AF_INET, _GetExtendedTcpTable, TCP_TABLE_OWNER_PID_ALL, extractTCPRowOwnerPID}, |
There was a problem hiding this comment.
These TCP table structures look fun to work with [read with sarcastic tone].
adriansr
force-pushed
the
packetbeat/feature/procs
branch
from
76d7080
to
5d9b954
Compare
This patch extends the functionality of the processes monitor in packetbeat: - report the full command-line for all processes (not only those configured as `monitored`. - Add support for Windows process monitoring. - Disable the monitor when using file input. - Get rid of refresh delays. Closes elastic#541
adriansr
force-pushed
the
packetbeat/feature/procs
branch
from
5d9b954
to
c5c3a1a
Compare
|
Updated CHANGELOG |
|
jenkins, test it |
This patch extends the functionality of the processes monitor in packetbeat:
monitored).Closes #541
Updated functionality
The original monitor will only track those processes that match a pattern specified in the configuration:
Will result in the following fields being added to generated events:
"proc": "mysqld"when the process is detected to be on the server-side of a stream, and"client_proc": "mysqld"when the process is detected on the client-side.While maintaining this behavior, this patch will add:
"cmdline": "/usr/bin/mysqld --bind-address=0.0.0.0 --data-dir=/var/lib/mysql"and the same for
client_cmdlinewhen the process is on the client-side of a connection.The
cmdlineandclient_cmdlinefields will be added to events generated by any running process. Theprocandclient_procfields will be added only to those processes in themonitoredsection, so the original behavior is maintained.Windows support
Added support for Windows using IP Helper functions (see issue #541).
Gosigar dependency
The original feature was tailored to Linux. To make it multiplatform, gosigar is used to get process information. This also means that it is no longer required to run packetbeat as root to access the command-line from processes belonging to other users.
Get rid of processes/sockets polling
The original implementation would refresh the process list with a specified frequency (
refreshPidsFreq). The mapping of TCP ports to processes would also be updated after a specified interval (maxReadFreq). This caused the feature to frequently miss process information for an event, specially with short-lived processes and connections.In this implementation, such delays are removed. The list of processes and active sockets is updated as necessary. While this is a somewhat expensive operation, ranging from ~10ms under Linux and ~100ms in Windows, it is only performed when an event is being populated, and the source or destination of this traffic is a local port for which we don't have any information yet.
As the processes monitor is an opt-in feature, disabled by default, I find it more important to aim for more reliable behavior in the expense of some delays.
Missing features
Some limitations of the original implementation have not been addressed by this PR: