From 361397309add25dcedfc354351b5978f38defad9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20P=C3=A9rez-Aradros=20Herce?= Date: Fri, 24 Jan 2020 10:38:42 +0100 Subject: [PATCH 1/2] Do not collect Google Cloud metadata Compute instances metadata may contain sensitive info, so we should not collect them. In the future we can enable this again with some kind of whitelisting, to only report the metadata we want. --- .../metricbeat/module/googlecloud/_meta/docs.asciidoc | 2 +- .../module/googlecloud/stackdriver/compute/metadata.go | 10 +++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc index 865d8160053..bd0698f43d6 100644 --- a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc 
@@ -49,7 +49,7 @@ You can play in IAM pretty much with your service accounts and Instance level ac Google Cloud Platform offers the https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] to fetch metrics from its services. *Those metrics are retrieved one by one*. -If you also want to *extract service metadata and labels* (by setting `exclude_labels` to false, which is the default state). You also make a new API check on the corresponding service. Service labels requires a new API call to extract those metrics. In the worst case the number of API calls will be doubled. In the best case, all metrics come from the same GCP entity and 100% of the required information is included in the first API call (which is cached for subsequent calls). +If you also want to *extract service labels* (by setting `exclude_labels` to false, which is the default state). You also make a new API check on the corresponding service. Service labels requires a new API call to extract those metrics. In the worst case the number of API calls will be doubled. In the best case, all metrics come from the same GCP entity and 100% of the required information is included in the first API call (which is cached for subsequent calls). A recommended `period` value between fetches is between 5 and 10 minutes, depending on how granular you want your metrics. GCP restricts information for less than 5 minutes. diff --git a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go b/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go index 1b65a023ff1..63cdfcbe82b 100644 --- a/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go +++ b/x-pack/metricbeat/module/googlecloud/stackdriver/compute/metadata.go 
@@ -90,9 +90,13 @@ func (s *metadataCollector) Metadata(ctx context.Context, resp *monitoringpb.Tim metadataCollectorData.Labels[googlecloud.LabelUser] = s.computeMetadata.User } - if s.computeMetadata.Metadata != nil { - metadataCollectorData.Labels[googlecloud.LabelMetadata] = s.computeMetadata.Metadata - } + /* + Do not collect meta for now, as it can contain sensitive info + TODO revisit this and make meta available through whitelisting + if s.computeMetadata.Metadata != nil { + metadataCollectorData.Labels[googlecloud.LabelMetadata] = s.computeMetadata.Metadata + } + */ return metadataCollectorData, nil } From dd2ef7dae38966b148aa71e41b98d0c76792b0fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carlos=20P=C3=A9rez-Aradros=20Herce?= Date: Fri, 24 Jan 2020 12:45:59 +0100 Subject: [PATCH 2/2] Update docs --- metricbeat/docs/modules/googlecloud.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metricbeat/docs/modules/googlecloud.asciidoc b/metricbeat/docs/modules/googlecloud.asciidoc index d987df58a67..a1f596aef1e 100644 --- a/metricbeat/docs/modules/googlecloud.asciidoc +++ b/metricbeat/docs/modules/googlecloud.asciidoc 
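Review bot: The sensitive-data fix in `Metadata` works by wrapping the old `if s.computeMetadata.Metadata != nil` block in a `/* … */` comment, which leaves dead code in the tree and nothing to stop a later edit from re-enabling the export unfiltered. I would delete the block and keep only a short comment such as `// Instance metadata is deliberately not exported: it can carry secrets (e.g. startup scripts, SSH keys). Re-enable only behind an explicit allowlist.`, with the TODO pointing at a tracking issue. A unit test asserting that `googlecloud.LabelMetadata` is absent from the returned labels would pin the behaviour so a regression is caught. The code that fills `s.computeMetadata.Metadata` is outside this hunk; if it still copies the instance metadata into the collector, that copy could presumably be dropped as well so the values are not held in memory. The body of `Metadata` starts outside the hunk, so the other labels it sets were not reviewed here.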
@@ -59,7 +59,7 @@ You can play in IAM pretty much with your service accounts and Instance level ac Google Cloud Platform offers the https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] to fetch metrics from its services. *Those metrics are retrieved one by one*. -If you also want to *extract service metadata and labels* (by setting `exclude_labels` to false, which is the default state). You also make a new API check on the corresponding service. Service labels requires a new API call to extract those metrics. In the worst case the number of API calls will be doubled. In the best case, all metrics come from the same GCP entity and 100% of the required information is included in the first API call (which is cached for subsequent calls). +If you also want to *extract service labels* (by setting `exclude_labels` to false, which is the default state). You also make a new API check on the corresponding service. Service labels requires a new API call to extract those metrics. In the worst case the number of API calls will be doubled. In the best case, all metrics come from the same GCP entity and 100% of the required information is included in the first API call (which is cached for subsequent calls). A recommended `period` value between fetches is between 5 and 10 minutes, depending on how granular you want your metrics. GCP restricts information for less than 5 minutes.