Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.x](backport #40934) [auditbeat] Use shared process cache in add_session_metadata processor #41250

Merged
merged 1 commit into from
Oct 16, 2024
Merged

[8.x](backport #40934) [auditbeat] Use shared process cache in add_session_metadata processor #41250

merged 1 commit into from
Oct 16, 2024

Conversation

mergify[bot]
Copy link
Contributor

@mergify mergify bot commented Oct 16, 2024
edited by zube bot
Loading

Proposed commit message

This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark.

The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat.

With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens.

The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

In the add_session_metadata processor config, modern backend replaced ebpf (auto is still the preferred config setting, and does not change). Anyone that has manually set epbf backend will need to change to modern. This processor is in beta, so I think this change is OK.

How to test this PR locally

For users, this change should be transparent, it can be tested in the same way as the existing add_session_metadata processor.

This is an automatic backport of pull request #40934 done by Mergify.

@mjwolf @mergify
[auditbeat] Use shared process cache in add_session_metadata proces…
78e3ddb 
…sor (#40934)

This changes to use a shared process cache in the add_session_metadata processor. This cache is provided by quark and go-quark.

The are currently several process caches in auditbeat. The long term intention is to move all process caches to the shared cache provided by quark. This will reduce resource usage, and improve maintainability by not having multiple implementations of a process cache within Auditbeat.

With this change, the process cache that was previously being used by the ebpf backend is no longer used, and quark will provide process data that's required for enrichment. Rather than needing to track processes from within this processor, quark handles everything, so the processor will now only need to request process data from quark when enrichment happens.

The add_session_metadata process DB code isn't removed, since it's still used by the procfs backend. That backend is intended to be used on systems that aren't supported by the modern backend. Still, quark also supports as far back as CentOS 7, so there will be few systems that will actually use the procfs backend now. The procfs backend could potentially be removed entirely, along with the process DB cache code in the processor, in the future.

(cherry picked from commit 9992eb5)
@mergify mergify bot requested a review from a team as a code owner October 16, 2024 04:44
@mergify mergify bot added the backport label Oct 16, 2024
@mergify mergify bot requested review from a team as code owners October 16, 2024 04:44
@mergify mergify bot requested review from belimawr and rdner and removed request for a team October 16, 2024 04:44
@mergify mergify bot assigned mjwolf Oct 16, 2024
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 16, 2024
@botelastic
Copy link

botelastic bot commented Oct 16, 2024

This pull request doesn't have a Team:<team> label.

@pierrehilbert pierrehilbert merged commit 6b65bb8 into 8.x Oct 16, 2024
143 checks passed
@pierrehilbert pierrehilbert deleted the mergify/bp/8.x/pr-40934 branch October 16, 2024 07:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierrehilbert pierrehilbert pierrehilbert approved these changes

@belimawr belimawr Awaiting requested review from belimawr belimawr is a code owner automatically assigned from elastic/elastic-agent-data-plane

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@mjwolf mjwolf

Labels
backport needs_team Indicates that the issue/PR needs a Team:* label
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pierrehilbert @mjwolf