Update logging from auditd module #6018
Conversation
Use logp.Logger for all logging from the auditd module. I also increased the logging level for two statements because they will be useful for troubleshooting (without having to ask users to re-run with debug enabled).
| return | ||
| } | ||
|
|
||
| out, err := ms.receiveEvents(reporter.Done()) | ||
| if err != nil { | ||
| reporter.Error(err) | ||
| logp.Err("%v %v", logPrefix, err) | ||
| ms.log.Errorw("Failure receiving audit events", "error", err) |
There was a problem hiding this comment.
Would be nice if this would be error.message the same as we have in our fields.yml.
There was a problem hiding this comment.
It would. The error is written as an object, but it doesn’t match our normal structure. See https://github.com/uber-go/zap/blob/master/zapcore/error.go#L28
There was a problem hiding this comment.
It should be possible to intercept (but with some expense) the Error types and wrap them in another type that implements https://godoc.org/go.uber.org/zap/zapcore#ObjectMarshaler to customize the marshaling.
There was a problem hiding this comment.
The part I'm worried if we don't do it is that someone is going to read filebeat json logs which will conflict with our own filebeat template.
| @@ -269,7 +269,10 @@ func RunPushMetricSetV2(timeout time.Duration, waitEvents int, metricSet mb.Push | |||
| select { | |||
| case <-timer.C: | |||
| return | |||
| case e := <-r.eventsC: | |||
| case e, ok := <-r.eventsC: | |||
There was a problem hiding this comment.
@andrewkroh Is this change related? LGTM but curious if that is related to an other issue.
There was a problem hiding this comment.
While testing some failure conditions I noticed the test case didn’t stop immediately and this was the fix.
Use
logp.Loggerfor all logging from the auditd module. I also increased the logging level for two statements because they will be useful for troubleshooting (without having to ask users to re-run with debug enabled).