From 83f18e9184645a482d6a236d747bf74c2f2b83a7 Mon Sep 17 00:00:00 2001 From: Christoph Wurm Date: Tue, 23 Jul 2019 15:19:10 +0100 Subject: [PATCH] [Auditbeat] Export Host fields to gob encoder (#12940) In the `system/host` dataset, the fields of the `Host` struct are not exported, and so cannot be picked up by `gob`. This prevents it from being written to disk to detect changes between restarts and causes error messages. This changes the fields to be exported. --- CHANGELOG.next.asciidoc | 1 + x-pack/auditbeat/module/system/host/host.go | 90 ++++++++++----------- 2 files changed, 46 insertions(+), 45 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 632d553e405..6328a0b3bc2 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -96,6 +96,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Host dataset: Fix reboot detection logic. {pull}12591[12591] - Add syscalls used by librpm for the system/package dataset to the default Auditbeat seccomp policy. {issue}12578[12578] {pull}12617[12617] - Process dataset: Do not show non-root warning on Windows. {pull}12740[12740] +- Host dataset: Export Host fields to gob encoder. {pull}12940[12940] *Filebeat* diff --git a/x-pack/auditbeat/module/system/host/host.go b/x-pack/auditbeat/module/system/host/host.go index c6a6d6dc10b..ebffcf78de4 100644 --- a/x-pack/auditbeat/module/system/host/host.go +++ b/x-pack/auditbeat/module/system/host/host.go @@ -69,12 +69,12 @@ func (action eventAction) String() string { // Host represents information about a host. type Host struct { - info types.HostInfo + Info types.HostInfo // Uptime() in types.HostInfo recalculates the uptime every time it is called - // so storing it permanently here. - uptime time.Duration - ips []net.IP - macs []net.HardwareAddr + Uptime time.Duration + Ips []net.IP + Macs []net.HardwareAddr } // changeDetectionHash creates a hash of selected parts of the host information. @@ -82,18 +82,18 @@ type Host struct { func (host *Host) changeDetectionHash() uint64 { h := xxhash.New64() - if host.info.Containerized != nil { - h.WriteString(strconv.FormatBool(*host.info.Containerized)) + if host.Info.Containerized != nil { + h.WriteString(strconv.FormatBool(*host.Info.Containerized)) } - h.WriteString(host.info.Timezone) - binary.Write(h, binary.BigEndian, int32(host.info.TimezoneOffsetSec)) - h.WriteString(host.info.Architecture) - h.WriteString(host.info.OS.Platform) - h.WriteString(host.info.OS.Name) - h.WriteString(host.info.OS.Family) - h.WriteString(host.info.OS.Version) - h.WriteString(host.info.KernelVersion) + h.WriteString(host.Info.Timezone) + binary.Write(h, binary.BigEndian, int32(host.Info.TimezoneOffsetSec)) + h.WriteString(host.Info.Architecture) + h.WriteString(host.Info.OS.Platform) + h.WriteString(host.Info.OS.Name) + h.WriteString(host.Info.OS.Family) + h.WriteString(host.Info.OS.Version) + h.WriteString(host.Info.KernelVersion) return h.Sum64() } @@ -101,40 +101,40 @@ func (host *Host) changeDetectionHash() uint64 { func (host *Host) toMapStr() common.MapStr { mapstr := common.MapStr{ // https://github.com/elastic/ecs#-host-fields - "uptime": host.uptime, - "boottime": host.info.BootTime, - "timezone.name": host.info.Timezone, - "timezone.offset.sec": host.info.TimezoneOffsetSec, - "hostname": host.info.Hostname, - "id": host.info.UniqueID, - "architecture": host.info.Architecture, + "uptime": host.Uptime, + "boottime": host.Info.BootTime, + "timezone.name": host.Info.Timezone, + "timezone.offset.sec": host.Info.TimezoneOffsetSec, + "hostname": host.Info.Hostname, + "id": host.Info.UniqueID, + "architecture": host.Info.Architecture, // https://github.com/elastic/ecs#-operating-system-fields "os": common.MapStr{ - "platform": host.info.OS.Platform, - "name": host.info.OS.Name, - "family": host.info.OS.Family, - "version": host.info.OS.Version, - "kernel": host.info.KernelVersion, + "platform": host.Info.OS.Platform, + "name": host.Info.OS.Name, + "family": host.Info.OS.Family, + "version": host.Info.OS.Version, + "kernel": host.Info.KernelVersion, }, } - if host.info.Containerized != nil { - mapstr.Put("containerized", host.info.Containerized) + if host.Info.Containerized != nil { + mapstr.Put("containerized", host.Info.Containerized) } - if host.info.OS.Codename != "" { - mapstr.Put("os.codename", host.info.OS.Codename) + if host.Info.OS.Codename != "" { + mapstr.Put("os.codename", host.Info.OS.Codename) } var ipStrings []string - for _, ip := range host.ips { + for _, ip := range host.Ips { ipStrings = append(ipStrings, ip.String()) } mapstr.Put("ip", ipStrings) var macStrings []string - for _, mac := range host.macs { + for _, mac := range host.Macs { macStr := mac.String() if macStr != "" { macStrings = append(macStrings, macStr) @@ -253,29 +253,29 @@ func (ms *MetricSet) reportChanges(report mb.ReporterV2) error { var events []mb.Event // Report ID changes as a separate, special event. - if ms.lastHost.info.UniqueID != currentHost.info.UniqueID { + if ms.lastHost.Info.UniqueID != currentHost.Info.UniqueID { /* Issue two events - one for the host with the old ID, one for the new - to link them (since the unique ID is what identifies a host). */ eventOldHost := hostEvent(ms.lastHost, eventTypeEvent, eventActionIDChanged) - eventOldHost.MetricSetFields.Put("new_id", currentHost.info.UniqueID) + eventOldHost.MetricSetFields.Put("new_id", currentHost.Info.UniqueID) events = append(events, eventOldHost) eventNewHost := hostEvent(currentHost, eventTypeEvent, eventActionIDChanged) - eventNewHost.MetricSetFields.Put("old_id", ms.lastHost.info.UniqueID) + eventNewHost.MetricSetFields.Put("old_id", ms.lastHost.Info.UniqueID) events = append(events, eventNewHost) } // Report reboots separately // On Windows, BootTime is not fully accurate and can vary by a few milliseconds. // So we only report a reboot if the new BootTime is at least 1 second after the old. - if currentHost.info.BootTime.After(ms.lastHost.info.BootTime.Add(1 * time.Second)) { + if currentHost.Info.BootTime.After(ms.lastHost.Info.BootTime.Add(1 * time.Second)) { events = append(events, hostEvent(currentHost, eventTypeEvent, eventActionReboot)) } // Report hostname changes separately - if currentHost.info.Hostname != ms.lastHost.info.Hostname { + if currentHost.Info.Hostname != ms.lastHost.Info.Hostname { events = append(events, hostEvent(currentHost, eventTypeEvent, eventActionHostnameChanged)) } @@ -307,10 +307,10 @@ func getHost() (*Host, error) { } host := &Host{ - info: sysinfoHost.Info(), - uptime: sysinfoHost.Info().Uptime(), - ips: ips, - macs: macs, + Info: sysinfoHost.Info(), + Uptime: sysinfoHost.Info().Uptime(), + Ips: ips, + Macs: macs, } return host, nil @@ -352,18 +352,18 @@ func hostEvent(host *Host, eventType string, action eventAction) mb.Event { func hostMessage(host *Host, action eventAction) string { var firstIP string - if len(host.ips) > 0 { - firstIP = host.ips[0].String() + if len(host.Ips) > 0 { + firstIP = host.Ips[0].String() } // Hostname + IP of the first non-loopback interface. - hostString := fmt.Sprintf("%v (IP: %v)", host.info.Hostname, firstIP) + hostString := fmt.Sprintf("%v (IP: %v)", host.Info.Hostname, firstIP) var message string switch action { case eventActionHost: message = fmt.Sprintf("%v host %v is up for %v", - host.info.OS.Name, hostString, fmtDuration(host.uptime)) + host.Info.OS.Name, hostString, fmtDuration(host.Uptime)) case eventActionIDChanged: message = fmt.Sprintf("ID of host %v has changed", hostString) case eventActionReboot: