Auditbeat: Propagate output backpressure in socket dataset #32191

adriansr · 2022-07-04T17:45:10Z

Describe the enhancement:

The socket dataset tracks network flows to/from processes on a Linux system using kprobe tracepoints on the kernel's TCP/IP stack.

Currently, an unbounded linked list is used to store flows ready to be reported to the output. A system with a lot of network I/O can generate events faster than they can be delivered to the output, meaning this linked list grows without limits causing more and more memory to be used by the Auditbeat process.

The dataset needs to receive backpressure from the output to avoid using too much memory.

elasticmachine · 2022-07-04T18:10:11Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

adriansr added enhancement Auditbeat labels Jul 4, 2022

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jul 4, 2022

adriansr added the Team:Security-External Integrations label Jul 4, 2022

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jul 4, 2022

adriansr mentioned this issue Jul 4, 2022

system/socket: propagate backpressure from output #32192

Merged

4 tasks

adriansr closed this as completed in #32192 Jul 25, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Auditbeat: Propagate output backpressure in socket dataset #32191

Auditbeat: Propagate output backpressure in socket dataset #32191

adriansr commented Jul 4, 2022

elasticmachine commented Jul 4, 2022

Auditbeat: Propagate output backpressure in socket dataset #32191

Auditbeat: Propagate output backpressure in socket dataset #32191

Comments

adriansr commented Jul 4, 2022

elasticmachine commented Jul 4, 2022