Refactor kprobe tracing functionality out of system/socket #21011
08e02bb to 9694e06
This creates a new package, x-pack/auditbeat/tracing/kprobes, which provides high-level functionality to create kprobe-tracing based solutions. It extracts the kprobe-templating and guessing functionality out of the system/socket dataset and integrates it into an easier to use interface.
9694e06 to 369cf01
Pinging @elastic/siem (Team:SIEM)
// KProbes shared with IPv4 and IPv6. | ||
var sharedKProbes = []helper.ProbeDef{ | ||
var sharedKProbes = []kprobes.ProbeDef{ |
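Review bot: the element type of sharedKProbes moves from helper.ProbeDef to kprobes.ProbeDef, so the import of the old helper package in this file has to be dropped in the same change, otherwise Go fails the build on an unused import. The hunk shows only the slice declaration; since the entries are kept as-is, the field names of ProbeDef are assumed unchanged by the package move, which is worth confirming against the new x-pack/auditbeat/tracing/kprobes package.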
Though not necessary in this commit, it'd probably be worth splitting these into their own files similar to the other guess-based files, just for easier management.
func (g *guessDeref) Probes() ([]helper.ProbeDef, error) { | ||
return []helper.ProbeDef{ | ||
func (g *guessDeref) Probes() ([]kprobes.ProbeDef, error) { | ||
return []kprobes.ProbeDef{ | ||
{ | ||
Probe: tracing.Probe{ |
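Review bot: guessDeref.Probes changes its return type to []kprobes.ProbeDef while the embedded Probe field still refers to tracing.Probe, so the guess code now imports two packages for one concept; this is exactly the split questioned below, and once the packages are merged as agreed, the remaining tracing.Probe reference should be updated as well. The signature change also has to be applied to the Probes method of every other guess in the same commit, otherwise the callers that iterate over the guesses no longer compile.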
wondering why keep the package different for kprobes v. tracing? Are we planning on doing some other types of tracing (i.e. tracepoint, uprobe, etc?)
Not really. Makes sense to merge the packages.
Turning it into a draft for now as it needs more changes:
What does this PR do?
Refactors the high-level kprobe-tracing functionality out of Auditbeat's system/socket into x-pack/auditbeat/tracing/kprobes.
Why is it important?
This makes it easier to build new functionality based on kprobe tracing.
Checklist
[ ] I have made corresponding changes to the documentation
[ ] I have made corresponding change to the default configuration files
[ ] I have added tests that prove my fix is effective or that my feature works
[ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
Example
An example of reusing this code:
https://github.com/adriansr/beats/tree/poc_auditd_syscall_overhead/x-pack/auditbeat/module/auditd/monitoring/