Add new fingerprint file identity
#35734
Conversation
botelastic
bot
added
the
needs_team
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
rdner
added
skip-ci
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
rdner
force-pushed
the
fingerprint-file-identity
branch
from
a782869 to
bf25f92
Compare
|
This pull request is now in conflicts. Could you fix it? 🙏 |
This is a new alternative to existing options like `native`, `path` and `inode_marker`. Unlike the existing options, this file identity does not rely on any file system metadata and uses only the file size and its content. Users can specify what amount of bytes is used to fingerprint the beginning of each file. This identity is supposed to be more stable and less affected by the environment/setup of the users.
So, we can handle removals and postponed ingestion. Also, a few performance optimizations included.
rdner
force-pushed
the
fingerprint-file-identity
branch
from
3fc3bac to
d47387a
Compare
rdner
added
the
Team:Elastic-Agent-Data-Plane
botelastic
bot
removed
the
needs_team
| @@ -33,6 +33,7 @@ import ( | |||
| type config struct { | |||
| Reader readerConfig `config:",inline"` | |||
|
|
|||
| ID string `config:"id"` | |||
There was a problem hiding this comment.
Not entirely clear what id represents: is it the identifier of the config object itself? The filestream input? Is it stable through restarts ?
There was a problem hiding this comment.
This is an input ID in an input-level configuration. You can find it here https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html#CO11-1
filebeat/input/filestream/fswatch.go
Outdated
| s.log.Debug("stat(%s) failed: %s", file, err) | ||
| fileID := fd.FileID() | ||
| if knownFilename, exists := uniqueIDs[fileID]; exists { | ||
| s.log.Infof("%q points to an already known ingest target %q [%s==%s]. Skipping", fd.Filename, knownFilename, fileID, fileID) |
There was a problem hiding this comment.
should we promote it to WARN level? Can be potentially noisy but very useful for troubleshooting.
There was a problem hiding this comment.
I think INFO is fine. There's neither any degraded behavior nor is there necessarily any action a user could take. And I know some customers are spooked by WARN level messages in the logs. So I'd leave this as INFO. We (maintainers) should be able to search for this message pretty easily during troubleshooting.
I realize this log message, specifically the part about the filesize, is coming from an error returned by the However, for this particular "error" about needing a minimum file size for fingerprinting, I think it might be valuable to log it as at a Side note: it might be good to include units (bytes) in the message for the file sizes - observed and expected. |
|
This pull request is now in conflicts. Could you fix it? 🙏 |
This is a new alternative to existing options like `native`, `path` and `inode_marker`. Unlike the existing options, this file identity does not rely on any file system metadata and uses only the file size and its content. Users can specify what amount of bytes is used to fingerprint the beginning of each file, optionally it's possible to set an offset from the beginning. This identity is supposed to be more stable and less affected by the environment/setup of the users. This change also contains a few performance optimisations of how we work with the filesystem and watch for file changes. (cherry picked from commit b701377) # Conflicts: # filebeat/input/filestream/config.go # filebeat/input/filestream/fswatch.go # filebeat/input/filestream/fswatch_test.go # filebeat/input/filestream/identifier.go # filebeat/input/filestream/prospector.go # filebeat/input/filestream/prospector_test.go # libbeat/metric/system/cgroup/cgcommon/metrics_test.go
* Add new `fingerprint` file identity (#35734) This is a new alternative to existing options like `native`, `path` and `inode_marker`. Unlike the existing options, this file identity does not rely on any file system metadata and uses only the file size and its content. Users can specify what amount of bytes is used to fingerprint the beginning of each file, optionally it's possible to set an offset from the beginning. This identity is supposed to be more stable and less affected by the environment/setup of the users. This change also contains a few performance optimisations of how we work with the filesystem and watch for file changes. (cherry picked from commit b701377) # Conflicts: # filebeat/input/filestream/config.go # filebeat/input/filestream/fswatch.go # filebeat/input/filestream/fswatch_test.go # filebeat/input/filestream/identifier.go # filebeat/input/filestream/prospector.go # filebeat/input/filestream/prospector_test.go # libbeat/metric/system/cgroup/cgcommon/metrics_test.go * Resolve conflicts --------- Co-authored-by: Denis <[email protected]>
|
Hello 👋 |
This is a new alternative to existing options like `native`, `path` and `inode_marker`. Unlike the existing options, this file identity does not rely on any file system metadata and uses only the file size and its content. Users can specify what amount of bytes is used to fingerprint the beginning of each file, optionally it's possible to set an offset from the beginning. This identity is supposed to be more stable and less affected by the environment/setup of the users. This change also contains a few performance optimisations of how we work with the filesystem and watch for file changes.
UPD
See #36078 for benchmarks results.
What does this PR do?
This is a new alternative to existing options like
native,pathandinode_marker.Unlike the existing options, this file identity does not rely on any file system metadata and uses only the file size and its content.
Users can specify what amount of bytes is used to fingerprint the beginning of each file.
This identity is supposed to be more stable and less affected by the environment/setup of the users.
Why is it important?
Some of customers experiencing problems with relying on file system metadata, so we need the alternative file identity option that does not rely on any file system metadata.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
Edge cases
offset+lengthits ingested is delayed until the file grows in size{ "log.level": "info", "@timestamp": "2023-07-13T11:42:47.606+0200", "log.logger": "scanner", "log.origin": { "file.name": "filestream/fswatch.go", "file.line": 376 }, "message": "\"/path/to/your/logs/some.log\" points to an already known ingest target \"/path/to/your/logs/another.log\" [2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a==2edc986847e209b4016e141a6 dc8716d3207350f416969382d431539bf292e4a]. Skipping", "service.name": "filebeat", "ecs.version": "1.6.0" }{ "log.level": "error", "@timestamp": "2023-07-13T11:36:49.507+0200", "log.origin": { "file.name": "instance/beat.go", "file.line": 1274 }, "message": "Exiting: Failed to start crawler: starting input failed: error while initializing input: cannot create prospector: fingerprint file identity can be used only when fingerprint is enabled in the scanner", "service.name": "filebeat", "ecs.version": "1.6.0" }length-offset) Filebeat will fail to start with:{ "log.level": "error", "@timestamp": "2023-07-13T11:38:32.080+0200", "log.origin": { "file.name": "instance/beat.go", "file.line": 1274 }, "message": "Exiting: Failed to start crawler: starting input failed: error while initializing input: cannot create prospector: error while creating filewatcher error while reading configuration of fingerprint: fingerprint size 10 cannot be smaller than 64", "service.name": "filebeat", "ecs.version": "1.6.0" }This requirement comes from the SHA block size.
offsetorlengthvalues will lead to the full re-ingestion of all files matched by thepaths.Documentation updates
How to test this PR locally
Note the path placeholders you need to fix first.
Check if the following log messages showed up in the Filebeat's output:
{ "log.level": "debug", "@timestamp": "2023-07-13T11:00:43.811+0200", "log.logger": "scanner", "log.origin": { "file.name": "filestream/fswatch.go", "file.line": 295 }, "message": "fingerprint mode enabled: offset 0, length 1024", "service.name": "filebeat", "ecs.version": "1.6.0" } { "log.level": "debug", "@timestamp": "2023-07-13T11:00:43.811+0200", "log.origin": { "file.name": "filestream/prospector_creator.go", "file.line": 58 }, "message": "file identity is set to fingerprint", "service.name": "filebeat", "filestream_id": "my-filestream-id", "ecs.version": "1.6.0" }touch some.log) in/path/to/your/logs{ "log.level": "debug", "@timestamp": "2023-07-13T11:09:25.676+0200", "log.logger": "scanner", "log.origin": { "file.name": "filestream/fswatch.go", "file.line": 370 }, "message": "cannot create a file descriptor for an ingest target \"/path/to/your/logs/some.log\": filesize of \"/path/to/your/logs/some.log\" is 0, expected at least 1024 for fingerprinting", "service.name": "filebeat", "ecs.version": "1.6.0" }This means the scanner detected the file but its ingestion is delayed until the file size reaches the fingerprint size, which is 1024 bytes by default.
you can see that the message changed and contains the new file size:
{ "log.level": "debug", "@timestamp": "2023-07-13T11:12:43.968+0200", "log.logger": "scanner", "log.origin": { "file.name": "filestream/fswatch.go", "file.line": 370 }, "message": "cannot create a file descriptor for an ingest target \"/path/to/your/logs/some.log\": filesize of \"/path/to/your/logs/some.log\" is 128, expected at least 1024 for fingerprinting", "service.name": "filebeat", "ecs.version": "1.6.0" }and you should see that Filebeat started reading from it:
{ "log.level": "debug", "@timestamp": "2023-07-13T11:15:18.969+0200", "log.logger": "input.filestream", "log.origin": { "file.name": "filestream/prospector.go", "file.line": 179 }, "message": "A new file /path/to/your/logs/some.log has been found", "service.name": "filebeat", "id": "my-filestream-id", "prospector": "file_prospector", "operation": "create", "source_name": "fingerprint::2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "fingerprint": "2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "os_id": "119173889-16777234", "new_path": "/path/to/your/logs/some.log", "ecs.version": "1.6.0" } { "log.level": "debug", "@timestamp": "2023-07-13T11:15:18.970+0200", "log.logger": "input.filestream", "log.origin": { "file.name": "input-logfile/harvester.go", "file.line": 139 }, "message": "Starting harvester for file", "service.name": "filebeat", "id": "my-filestream-id", "source_file": "filestream::my-filestream-id::fingerprint::2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "ecs.version": "1.6.0" } { "log.level": "debug", "@timestamp": "2023-07-13T11:15:18.971+0200", "log.logger": "input.filestream", "log.origin": { "file.name": "filestream/filestream.go", "file.line": 131 }, "message": "End of file reached: /path/to/your/logs/some.log; Backoff now.", "service.name": "filebeat", "id": "my-filestream-id", "source_file": "filestream::my-filestream-id::fingerprint::2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "path": "/path/to/your/logs/some.log", "state-id": "fingerprint::2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "ecs.version": "1.6.0" }The file is an ingest target now and we can see a file entry in the registry log:
{ "op": "set", "id": 1 } { "k": "filestream::my-filestream-id::fingerprint::2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "v": { "ttl": 0, "updated": [ 281470681743360, 18446744011573955000 ], "cursor": null, "meta": { "identifier_name": "fingerprint", "source": "/path/to/your/logs/some.log" } } } { "op": "set", "id": 2 } { "k": "filestream::my-filestream-id::fingerprint::2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "v": { "ttl": 1800000000000, "updated": [ 516367547520, 1689239718 ], "cursor": null, "meta": { "identifier_name": "fingerprint", "source": "/path/to/your/logs/some.log" } } }As you can see there is no offset yet, because we have not written a new line character and our configuration is line-based.
Now you should see this log message in Filebeat's output:
{ "log.level": "debug", "@timestamp": "2023-07-13T11:25:34.821+0200", "log.logger": "processors", "log.origin": { "file.name": "processing/processors.go", "file.line": 213 }, "message": "Publish event: {\n \"@timestamp\": \"2023-07-13T09:25:34.821Z\",\n \"@metadata\": {\n \"beat\": \"filebeat\",\n \"type\": \"_doc\",\n \"version\": \"8.10.0\"\n },\n \"message\": \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\n \"input\": {\n \"type\": \"filestream\"\n },\n \"host\": {\n \"name\": \"MacBook-Pro.localdomain\"\n },\n \"agen t\": {\n \"version\": \"8.10.0\",\n \"ephemeral_id\": \"bca636e7-678f-4155-ae6c-506f3fbda7be\",\n \"id\": \"7bb65ce2-f3ae-4c9c-ad58-d33760e14425\",\n \"name\": \"MacBook-Pro.localdomain\",\n \"type\": \"filebeat\"\n },\n \"ecs\": {\n \"version\": \"8.0 .0\"\n },\n \"log\": {\n \"offset\": 0,\n \"file\": {\n \"path\": \"/path/to/your/logs/some.log\"\n }\n }\n}", "service.name": "filebeat", "ecs.version": "1.6.0" }If we look at the registry again, we'll see the updated offset:
{ "op": "set", "id": 3 } { "k": "filestream::my-filestream-id::fingerprint::2edc986847e209b4016e141a6dc8716d3207350f416969382d431539bf292e4a", "v": { "ttl": 1800000000000, "updated": [ 516217223520, 1689240334 ], "cursor": { "offset": 1025 }, "meta": { "source": "/path/to/your/logs/some.log", "identifier_name": "fingerprint" } } }Related issues