[Auditbeat] Reduce system/socket logging noise #15890
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The socket dataset uses ThreadEnter(event) / ThreadLeave(event) as a single-event per-thread state tracking, useful for correlating function calls and their return values. However, in some cases functions are stacked, like sys_execve() calling itself recursively or inet6_create() calling inet_create(). This results in an existing stored event to be evicted, which is not a problem but currently is causing a warning to be printed to the logs. This patch makes two changes to this situation: - Only print warnings from the state machine when socketdetailed selector is enabled. The state machine currently only generates warnings for ThreadEnter/ThreadExit issues. - Change ThreadEnter errors to be constructed on demand by their Error() method, so that the somewhat expensive fmt.Sprintf() / event.String() is only invoked if the error is going to be printed to the log. This is a huge CPU saving in systems where this benign eviction is happening frequently.
This selector is extremely noisy. This change excludes it from being enabled when debug is enabled with `-d '*'` and requires it to be explicitly defined: `-d '*,socketdetailed'`.
It makes no sense to print guesses' progress in regular debug (socket) and the resulting template variables only when socketdetailed is set.
|
Pinging @elastic/siem (Team:SIEM) |
The syscall parameter templates (`SYS_Pn`) were not valid until guess_syscall_args runs. As the variables `SYS_Pn` already existed, another guess using them could use the wrong values because the dependency mechanism only checks if the variable exists. The fix for this is to have temporary variables (`_SYS_Pn`) and have guess_syscall_args create the definitive ones. This didn't cause any bug as the only guess that used syscall args is the new guess_deref which is enabled on demand via an environment variable for diagnostic purposes.
adriansr
force-pushed
the
fix_system_socket_noise
branch
from
f3f9156 to
d381ab5
Compare
adriansr
added
the
needs_backport
adriansr
added a commit
to adriansr/beats
that referenced
this pull request
Mar 19, 2020
* Make ThreadEnter errors less noisy The socket dataset uses ThreadEnter(event) / ThreadLeave(event) as a single-event per-thread state tracking, useful for correlating function calls and their return values. However, in some cases functions are stacked, like sys_execve() calling itself recursively or inet6_create() calling inet_create(). This results in an existing stored event to be evicted, which is not a problem but currently is causing a warning to be printed to the logs. This patch makes two changes to this situation: - Only print warnings from the state machine when socketdetailed selector is enabled. The state machine currently only generates warnings for ThreadEnter/ThreadExit issues. - Change ThreadEnter errors to be constructed on demand by their Error() method, so that the somewhat expensive fmt.Sprintf() / event.String() is only invoked if the error is going to be printed to the log. This is a huge CPU saving in systems where this benign eviction is happening frequently. * socketdetailed selector has to be enabled explicitly This selector is extremely noisy. This change excludes it from being enabled when debug is enabled with `-d '*'` and requires it to be explicitly defined: `-d '*,socketdetailed'`. * Print template variables when socket debug is enabled It makes no sense to print guesses' progress in regular debug (socket) and the resulting template variables only when socketdetailed is set. * Fix syscall arguments usage in guesses The syscall parameter templates (`SYS_Pn`) were not valid until guess_syscall_args runs. As the variables `SYS_Pn` already existed, another guess using them could use the wrong values because the dependency mechanism only checks if the variable exists. The fix for this is to have temporary variables (`_SYS_Pn`) and have guess_syscall_args create the definitive ones. This didn't cause any bug as the only guess that used syscall args is the new guess_deref which is enabled on demand via an environment variable for diagnostic purposes. (cherry picked from commit 32a3cde)
6 tasks
adriansr
added
v7.7.0
and removed
needs_backport
adriansr
added a commit
that referenced
this pull request
Mar 19, 2020
* Make ThreadEnter errors less noisy The socket dataset uses ThreadEnter(event) / ThreadLeave(event) as a single-event per-thread state tracking, useful for correlating function calls and their return values. However, in some cases functions are stacked, like sys_execve() calling itself recursively or inet6_create() calling inet_create(). This results in an existing stored event to be evicted, which is not a problem but currently is causing a warning to be printed to the logs. This patch makes two changes to this situation: - Only print warnings from the state machine when socketdetailed selector is enabled. The state machine currently only generates warnings for ThreadEnter/ThreadExit issues. - Change ThreadEnter errors to be constructed on demand by their Error() method, so that the somewhat expensive fmt.Sprintf() / event.String() is only invoked if the error is going to be printed to the log. This is a huge CPU saving in systems where this benign eviction is happening frequently. * socketdetailed selector has to be enabled explicitly This selector is extremely noisy. This change excludes it from being enabled when debug is enabled with `-d '*'` and requires it to be explicitly defined: `-d '*,socketdetailed'`. * Print template variables when socket debug is enabled It makes no sense to print guesses' progress in regular debug (socket) and the resulting template variables only when socketdetailed is set. * Fix syscall arguments usage in guesses The syscall parameter templates (`SYS_Pn`) were not valid until guess_syscall_args runs. As the variables `SYS_Pn` already existed, another guess using them could use the wrong values because the dependency mechanism only checks if the variable exists. The fix for this is to have temporary variables (`_SYS_Pn`) and have guess_syscall_args create the definitive ones. This didn't cause any bug as the only guess that used syscall args is the new guess_deref which is enabled on demand via an environment variable for diagnostic purposes. (cherry picked from commit 32a3cde)
andrewstucki
pushed a commit
to andrewstucki/beats
that referenced
this pull request
Apr 4, 2020
This unrelated bug was introduced by elastic#15890 (unreleased).
andrewstucki
pushed a commit
that referenced
this pull request
Apr 6, 2020
* Add code for reaping sockets after a set timeout * Fix broken fileset under 32-bit OS. This unrelated bug was introduced by #15890 (unreleased). * Add docs * Update changelog * Fix ordering issue Co-authored-by: Adrian Serrano <[email protected]>
andrewstucki
pushed a commit
to andrewstucki/beats
that referenced
this pull request
Apr 6, 2020
* Add code for reaping sockets after a set timeout * Fix broken fileset under 32-bit OS. This unrelated bug was introduced by elastic#15890 (unreleased). * Add docs * Update changelog * Fix ordering issue Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit ff68af6)
andrewstucki
pushed a commit
to andrewstucki/beats
that referenced
this pull request
Apr 6, 2020
* Add code for reaping sockets after a set timeout * Fix broken fileset under 32-bit OS. This unrelated bug was introduced by elastic#15890 (unreleased). * Add docs * Update changelog * Fix ordering issue Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit ff68af6)
andrewstucki
pushed a commit
that referenced
this pull request
Apr 6, 2020
…17513) * [Auditbeat] Memory leak and syscall fix (#17500) * Add code for reaping sockets after a set timeout * Fix broken fileset under 32-bit OS. This unrelated bug was introduced by #15890 (unreleased). * Add docs * Update changelog * Fix ordering issue Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit ff68af6) * fix changelog
andrewstucki
pushed a commit
that referenced
this pull request
Apr 7, 2020
…17514) * [Auditbeat] Memory leak and syscall fix (#17500) * Add code for reaping sockets after a set timeout * Fix broken fileset under 32-bit OS. This unrelated bug was introduced by #15890 (unreleased). * Add docs * Update changelog * Fix ordering issue Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit ff68af6) * fix changelog
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
… fix (elastic#17514) * [Auditbeat] Memory leak and syscall fix (elastic#17500) * Add code for reaping sockets after a set timeout * Fix broken fileset under 32-bit OS. This unrelated bug was introduced by elastic#15890 (unreleased). * Add docs * Update changelog * Fix ordering issue Co-authored-by: Adrian Serrano <[email protected]> (cherry picked from commit a92b736) * fix changelog
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR updates the logging of system/socket dataset to be less noisy, especially when
-d '*'is used. Also updates some code that could introduce a difficult to spot bug in the future.Make ThreadEnter errors less noisy
The socket dataset uses ThreadEnter(event) / ThreadLeave(event) as a
single-event per-thread state tracking, useful for correlating function
calls and their return values.
However, in some cases functions are stacked, like sys_execve() calling
itself recursively or inet6_create() calling inet_create(). This results
in an existing stored event to be evicted, which is not a problem but
currently is causing a warning to be printed to the logs.
This patch makes two changes to this situation:
Only print warnings from the state machine when socketdetailed selector
is enabled. The state machine currently only generates warnings for
ThreadEnter/ThreadExit issues.
Change ThreadEnter errors to be constructed on demand by their Error()
method, so that the somewhat expensive fmt.Sprintf() / event.String()
is only invoked if the error is going to be printed to the log.
This is a huge CPU saving in systems where this benign eviction is
happening frequently.
socketdetailed selector has to be enabled explicitly
This selector is extremely noisy. This change excludes it from being
enabled when debug is enabled with
-d '*'and requires it to beexplicitly defined:
-d '*,socketdetailed'.Print template variables when socket debug is enabled
It makes no sense to print guesses' progress in regular debug (socket)
and the resulting template variables only when socketdetailed is set.
Fix syscall arguments usage in guesses
The syscall parameter templates (
SYS_Pn) were not valid untilguess_syscall_args runs. As the variables
SYS_Pnalready existed,another guess using them could use the wrong values because the
dependency mechanism only checks if the variable exists.
The fix for this is to have temporary variables (
_SYS_Pn) and haveguess_syscall_args create the definitive ones.
This didn't cause any bug as the only guess that used syscall
args is the new guess_deref which is enabled on demand via an
environment variable for diagnostic purposes.
Why is it important?
Two reasons:
socketdetailedselector being activated by default when-d '*'is specified caused the logs to be full of kprobe events at rates of 10.000 per second or more. Log files would rotate every few minutes.Checklist
My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have made corresponding change to the default configuration files
I have added tests that prove my fix is effective or that my feature works
I haven't added a changelog entry because I don't think these changes have entity to deserve it.