Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[winlogbeat] Retry EvtSubscribe from start if fails with strict mode #30155

Merged
merged 19 commits into from
Mar 29, 2022

Conversation

marc-gr
Copy link
Contributor

@marc-gr marc-gr commented Feb 2, 2022

What does this PR do?

Creates a subscription to the winlog channel using EvtSubscribeStrict flag to be able to notice when a bookmark ran invalid. In that scenario we retry the subscription from the beginning of the channel.

Why is it important?

Based on #29793 there is the suspicion that under some scenarios winlogbeat might be ignoring some events when an invalid bookmark is used.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@marc-gr marc-gr added bug Winlogbeat Team:Security-External Integrations backport-v8.0.0 Automated backport with mergify backport-v8.1.0 Automated backport with mergify backport-7.17 Automated backport to the 7.17 branch with mergify labels Feb 2, 2022
@marc-gr marc-gr requested a review from andrewkroh February 2, 2022 11:24
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 2, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 2, 2022
@marc-gr
Copy link
Contributor Author

marc-gr commented Feb 2, 2022

@andrewkroh the retry is performed automatically in this first approach. Do you think adding a way to enable or disable this behavior at will would be preferred?

@elasticmachine
Copy link
Collaborator

elasticmachine commented Feb 2, 2022

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-03-29T07:37:52.934+0000

  • Duration: 74 min 12 sec

Test stats 🧪

Test Results
Failed 0
Passed 21973
Skipped 1934
Total 23907

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@andrewkroh
Copy link
Member

andrewkroh commented Feb 3, 2022

That looks pretty simple so perhaps it does not need to be configurable. Can you create an integration test with windows that exercises this path. One idea I have is to read from a test log we create during the tests, modify the bookmark we have to move the read index forward such that it becomes an invalid bookmark, then try to read using the bookmark, verify it starts at the beginning.

@andrewkroh
Copy link
Member

Based on #30201 I think another test case for this should be reading from a channel, deleting the channel, then recreating the channel and read from it again with the previously saved bookmark. I think that's a realistic scenario that is happening to users based on that report.

@nicpenning
Copy link
Contributor

Let me know if I should create a new issue but have you ever noticed that Winlogbeat can't read from the SysMon channel when SysMon is recently installed or when the configuration changes? A restart of the winlogbeat service is needed when making changes to SysMon. It's been many versions since I tested this but I will report back if that's still happening. The only way we could successfully deploy 9k+ winlogbeat agents and SysMon was to install sysmon first then winlogbeat. Then any changes to SysMon would require us to restart winlogbeat so we can gather events as soon as possible.

@marc-gr marc-gr force-pushed the winlogbeat-evtsubscribestrict branch from 0543feb to 72689d0 Compare February 8, 2022 12:21
@mergify mergify bot assigned marc-gr Feb 8, 2022
@marc-gr
Copy link
Contributor Author

marc-gr commented Feb 9, 2022

/test

@marc-gr marc-gr force-pushed the winlogbeat-evtsubscribestrict branch from 72689d0 to 3eed307 Compare February 9, 2022 12:19
@andrewkroh
Copy link
Member

Can you fix this message please.

{"log.level":"debug","@timestamp":"2022-02-09T13:11:48.498Z","log.logger":"winlogbeat","log.origin":{"file.name":"beater/winlogbeat.go","file.line":101},"message":"Initialized EventLog]%!(EXTRA string=WinlogbeatTestPython_79371)","service.name":"winlogbeat","ecs.version":"1.6.0"}

And I wonder if your test is failing because the path name is too long? Trying shortening the test name.

Exiting: rename C:\Users\jenkins\workspace\PR-30155-6-ef9ac65f-57be-49e2-bb4b-e126f9421437\src\github.com\elastic\beats\winlogbeat\build\system-tests\run\test_wineventlog.Test.test_restart_if_bookmarked_event_does_not_exist\data.winlogbeat.yml.new C:\Users\jenkins\workspace\PR-30155-6-ef9ac65f-57be-49e2-bb4b-e126f9421437\src\github.com\elastic\beats\winlogbeat\build\system-tests\run\test_wineventlog.Test.test_restart_if_bookmarked_event_does_not_exist\data.winlogbeat.yml: Access is denied.

@marc-gr marc-gr force-pushed the winlogbeat-evtsubscribestrict branch from 3eed307 to b1eedbd Compare February 14, 2022 10:28
@marc-gr marc-gr force-pushed the winlogbeat-evtsubscribestrict branch from b1eedbd to e7dd4df Compare February 16, 2022 10:59
marc-gr and others added 4 commits March 7, 2022 11:10
@marc-gr
Copy link
Contributor Author

marc-gr commented Mar 23, 2022

/test

@marc-gr marc-gr requested a review from andrewkroh March 23, 2022 14:34
@marc-gr marc-gr requested a review from andrewkroh March 29, 2022 07:23
@marc-gr marc-gr added the backport-v8.2.0 Automated backport with mergify label Mar 29, 2022
@marc-gr marc-gr merged commit e8a4675 into elastic:main Mar 29, 2022
@marc-gr marc-gr deleted the winlogbeat-evtsubscribestrict branch March 29, 2022 12:18
mergify bot pushed a commit that referenced this pull request Mar 29, 2022
…30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit e8a4675)
mergify bot pushed a commit that referenced this pull request Mar 29, 2022
…30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit e8a4675)
mergify bot pushed a commit that referenced this pull request Mar 29, 2022
…30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit e8a4675)
marc-gr added a commit that referenced this pull request Mar 29, 2022
…fails with strict mode (#31043)

* [winlogbeat] Retry EvtSubscribe from start if fails with strict mode (#30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit e8a4675)

* Update CHANGELOG.next.asciidoc

Co-authored-by: Marc Guasch <[email protected]>
marc-gr added a commit that referenced this pull request Mar 31, 2022
…fails with strict mode (#31044)

* [winlogbeat] Retry EvtSubscribe from start if fails with strict mode (#30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit e8a4675)

* Update CHANGELOG.next.asciidoc

Co-authored-by: Marc Guasch <[email protected]>
emilioalvap pushed a commit to emilioalvap/beats that referenced this pull request Apr 6, 2022
…lastic#30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
marc-gr added a commit that referenced this pull request Apr 20, 2022
… fails with strict mode (#31042)

* [winlogbeat] Retry EvtSubscribe from start if fails with strict mode (#30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit e8a4675)

* Update CHANGELOG.next.asciidoc

* Fix unlink statements

Co-authored-by: Marc Guasch <[email protected]>
Co-authored-by: Marc Guasch <[email protected]>
kush-elastic pushed a commit to kush-elastic/beats that referenced this pull request May 2, 2022
…lastic#30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
…art if fails with strict mode (elastic#31043)

* [winlogbeat] Retry EvtSubscribe from start if fails with strict mode (elastic#30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
(cherry picked from commit 6b75bc6)

* Update CHANGELOG.next.asciidoc

Co-authored-by: Marc Guasch <[email protected]>
chrisberkhout pushed a commit that referenced this pull request Jun 1, 2023
…30155)

* Retry EvtSubscribe from start if fails with strict mode

* Add metrics and tests

* Shorten test name

* Fix debug message

* Update winlogbeat/beater/winlogbeat.go

Co-authored-by: Andrew Kroh <[email protected]>

* Shorten test names

* Add changelog

* Shorten bad bookmark test

* Close file on test

* restructure test

* Fix fake bookmark generation in test

One of the format strings was ignored, resulting in invalid YaML

* Additional logging

* Fix linting issues

* Fix linting issue

* Remove test output

* Fix usage of fmt.Errorf

Co-authored-by: Andrew Kroh <[email protected]>
Co-authored-by: Adrian Serrano <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-7.17 Automated backport to the 7.17 branch with mergify backport-v8.0.0 Automated backport with mergify backport-v8.1.0 Automated backport with mergify backport-v8.2.0 Automated backport with mergify bug Winlogbeat
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Winlogbeat] Add config option to experiment with EvtSubscribeStrict
5 participants