Skip to content

Commit

Permalink
[Auditbeat] Start system module without host ID (elastic#12373)
Browse files Browse the repository at this point in the history
Allows the system module to start without the host ID. It will log a warning, and documents will not contain any `entity_id` fields.
  • Loading branch information
Christoph Wurm authored May 31, 2019
1 parent 734441f commit 00bb536
Show file tree
Hide file tree
Showing 6 changed files with 34 additions and 12 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Package dataset: Close librpm handle. {pull}12215[12215]
- Package dataset: Auto-detect package directories. {pull}12289[12289]
- Package dataset: Improve dpkg parsing. {pull}12325[12325]
- System module: Start system module without host ID. {pull}12373[12373]

*Filebeat*

Expand Down
4 changes: 3 additions & 1 deletion x-pack/auditbeat/module/system/package/package.go
Original file line number Diff line number Diff line change
Expand Up @@ -351,7 +351,9 @@ func (ms *MetricSet) packageEvent(pkg *Package, eventType string, action eventAc
MetricSetFields: pkg.toMapStr(),
}

event.MetricSetFields.Put("entity_id", pkg.entityID(ms.HostID()))
if ms.HostID() != "" {
event.MetricSetFields.Put("entity_id", pkg.entityID(ms.HostID()))
}

if pkg.Error != nil {
event.RootFields.Put("error.message", pkg.Error.Error())
Expand Down
4 changes: 3 additions & 1 deletion x-pack/auditbeat/module/system/process/process.go
Original file line number Diff line number Diff line change
Expand Up @@ -361,7 +361,9 @@ func (ms *MetricSet) processEvent(process *Process, eventType string, action eve
event.RootFields.Put("error.message", process.Error.Error())
}

event.RootFields.Put("process.entity_id", process.entityID(ms.HostID()))
if ms.HostID() != "" {
event.RootFields.Put("process.entity_id", process.entityID(ms.HostID()))
}

return event
}
Expand Down
4 changes: 3 additions & 1 deletion x-pack/auditbeat/module/system/socket/socket.go
Original file line number Diff line number Diff line change
Expand Up @@ -363,7 +363,9 @@ func (ms *MetricSet) socketEvent(socket *Socket, eventType string, action eventA
event.RootFields.Put("event.action", action.String())
event.RootFields.Put("message", socketMessage(socket, action))

event.RootFields.Put("socket.entity_id", socket.entityID(ms.HostID()))
if ms.HostID() != "" {
event.RootFields.Put("socket.entity_id", socket.entityID(ms.HostID()))
}

return event
}
Expand Down
20 changes: 15 additions & 5 deletions x-pack/auditbeat/module/system/system.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,18 @@
package system

import (
"github.com/pkg/errors"

"github.com/elastic/beats/libbeat/logp"
"github.com/elastic/beats/metricbeat/mb"
"github.com/elastic/go-sysinfo"
)

const (
moduleName = "system"
)

func init() {
// Register the custom ModuleFactory function for the system module.
if err := mb.Registry.AddModule("system", NewModule); err != nil {
if err := mb.Registry.AddModule(moduleName, NewModule); err != nil {
panic(err)
}
}
Expand Down Expand Up @@ -49,9 +52,16 @@ func NewModule(base mb.BaseModule) (mb.Module, error) {
return nil, err
}

log := logp.NewLogger(moduleName)

var hostID string
hostInfo, err := sysinfo.Host()
if err != nil {
return nil, errors.Wrap(err, "failed to get host ID")
if hostInfo != nil {
hostID = hostInfo.Info().UniqueID
}

if hostID == "" {
log.Warnf("Could not get host ID, will not fill entity_id fields. Error: %+v", err)
}

return &SystemModule{
Expand Down
13 changes: 9 additions & 4 deletions x-pack/auditbeat/module/system/user/user.go
Original file line number Diff line number Diff line change
Expand Up @@ -427,21 +427,26 @@ func (ms *MetricSet) reportChanges(report mb.ReporterV2) error {
}

func (ms *MetricSet) userEvent(user *User, eventType string, action eventAction) mb.Event {
return mb.Event{
event := mb.Event{
RootFields: common.MapStr{
"event": common.MapStr{
"kind": eventType,
"action": action.String(),
},
"user": common.MapStr{
"entity_id": user.entityID(ms.HostID()),
"id": user.UID,
"name": user.Name,
"id": user.UID,
"name": user.Name,
},
"message": userMessage(user, action),
},
MetricSetFields: user.toMapStr(),
}

if ms.HostID() != "" {
event.RootFields.Put("user.entity_id", user.entityID(ms.HostID()))
}

return event
}

func userMessage(user *User, action eventAction) string {
Expand Down

0 comments on commit 00bb536

Please sign in to comment.