[8.13](backport #38776) [Auditbeat] fim(kprobes): enrich file events by coupling add_process_metadata processor #38916
…metadata processor (#38776)

* feat(processors/process_metadata): support reporting group id and name
* feat(processors/process_metadata): support reporting process entity_id
* feat(fim/kprobes): allow metricsSets to expose beat processors after initialisation
* doc: update CHANGELOG.next.asciidoc
* fix(linter): SA1015 prevent leaking the ticker
* fix(linter): SA1019 mark metricbeat/mb deprecation warnings that are not removed yet
* fix(linter): check for return err
* fix(linter): prealloc slices
* fix(linter): remove unused field
* fix(linter): G601 prevent implicit memory aliasing in for loop
* doc: update CHANGELOG.next.asciidoc
* fix: update filebeat fields.asciidoc (unrelated to this work)
* doc: remove irrelevant changes from CHANGELOG.next.asciidoc
* feat(processor/metadata): introduce new type based allocation func
* feat(fim/kprobe): instantiate new processor alongside a new kprobes event reader
* fix(fim): remove redundant whitespace
* doc(metricbeat): enrich documentation about Processors attached to a Metricbeat
* fix(fim): gofumpt eventreader_kprobes.go
* fix(add_process_metadata): gofmt add_process_metadata.go gosysinfo_provider.go
* fix(lint): goimports eventreader_kprobes.go
* fix(winlogbeat): generate include list [unrelated to this PR]

(cherry picked from commit ca4adce)

# Conflicts:
# libbeat/processors/add_process_metadata/add_process_metadata.go
# libbeat/processors/add_process_metadata/config.go
# libbeat/processors/add_process_metadata/gosysinfo_provider.go
# metricbeat/mb/module/configuration.go
Cherry-pick of ca4adce has failed:
To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally
This pull request doesn't have a
💔 Build Failed
I thought this is a new feature for 8.14?
kprobes FIM BE is part of 8.13 so this enhancement can go in 8.13.x series?
do you think we should skip backporting this to 8.13 @andrewkroh? 🙂
Ok, I see where you are coming from. With this being an enhancement instead of a pure bugfix I would prefer to leave it for the next minor version rather than including it in the next 8.13.x patch. Sound good? I try to follow https://semver.org/ as much as possible. Sometimes there are exceptions, but I don't think this is one. Plus there isn't another 8.13.x planned.
Following semver as close as possible, music to my ears 🎶! I totally agree with you @andrewkroh, thanks for catching that. Let's leave this available only for 8.14
Proposed commit message

This PR adds reporting of process.group.id, process.group.name and process.entity_id in `add_process_metadata` processor. Also it changes the factory of MetricSets to allow the latter to specify Processors after successful instantiation; this is required as FIM has 3 different available backends, namely `fsnotify`, `kprobes`, `ebpf` and only the `kprobes` one requires to have `add_process_metadata` processor. Utilising the former, `kprobes` backend always adds a properly configured `add_process_metadata` processor. As a result, enriching kprobes file events with process-related data exhibits the same robustness levels of the current `add_process_metadata` processor. However, the current design is aligned with @nick-alayil and the `sec-linux-platform` which plan to increase the robustness of `add_process_metadata` processor in a separate effort.

Checklist

I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works
`CHANGELOG.next.asciidoc` or `CHANGELOG-developer.next.asciidoc`.

Author's Checklist
How to test this PR locally
Related issues
Screenshots
This is an automatic backport of pull request #38776 done by [Mergify](https://mergify.com).