Add system socket MetricSet #3246
Conversation
Don't forget the CHANGELOG ;-)
78119ca to 6abd7c9
I added a changelog entry and modified the mapping for ES 5.x to use
Fixes #3257
LGTM. Nice work!
        return nil, err
    }
    if os.Geteuid() != 0 {
        debugf("socket process info will only be available for metricbeat " +
This would make sense as a warning, maybe?
How about INFO?
Deal :)
// IsEnabled returns true if enabled is not defined or is set to true.
func (c ReverseLookupConfig) IsEnabled() bool {
    return c.Enabled == nil || *c.Enabled == true
}
This means that by default reverse lookup is enabled, right? I'm not sure about enabling that by default since it can cause performance issues, especially since there's no configurable timeout on the lookup, right?
Correct, there is no configurable lookup timeout and the requests are executed serially. It's not an optimal implementation and it can slow down fetching. I'll change it to disabled by default.
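The performance concern discussed above (serial lookups with no timeout) is easiest to reason about with a small bounded, caching resolver wrapper. The following is an added example written for this page; it is not code from the pull request or from Beats. The `reverseLookup` type, `newReverseLookup`, `fakeLookup` and the PTR table are assumptions constructed for the demonstration; the only real API it depends on is the signature of `(*net.Resolver).LookupAddr`, which is what `net.DefaultResolver.LookupAddr` provides for production use.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strings"
	"sync"
	"time"
)

// lookupFunc has the signature of (*net.Resolver).LookupAddr, so the real
// resolver and a test fake are interchangeable.
type lookupFunc func(ctx context.Context, addr string) ([]string, error)

// reverseLookup caches PTR results per IP and bounds each query with a timeout,
// so one slow or unreachable DNS server cannot stall a whole metricset fetch.
type reverseLookup struct {
	lookup  lookupFunc
	timeout time.Duration
	mu      sync.Mutex
	cache   map[string]string // ip -> hostname; "" is a cached miss
}

func newReverseLookup(lookup lookupFunc, timeout time.Duration) *reverseLookup {
	return &reverseLookup{lookup: lookup, timeout: timeout, cache: make(map[string]string)}
}

// Hostname returns the first PTR name for ip without its trailing dot, or ""
// if none. Misses and timeouts are cached as "" too, so every address costs at
// most one query while the cache lives; the error is returned on that first query.
func (r *reverseLookup) Hostname(ip string) (string, error) {
	r.mu.Lock()
	host, cached := r.cache[ip]
	r.mu.Unlock()
	if cached {
		return host, nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
	defer cancel()
	names, err := r.lookup(ctx, ip)
	if err == nil && len(names) > 0 {
		host = strings.TrimSuffix(names[0], ".")
	}
	r.mu.Lock()
	r.cache[ip] = host
	r.mu.Unlock()
	return host, err
}

// fakeLookup builds a lookup that answers from a constructed PTR table after a
// delay, honouring ctx the way the real resolver does; calls counts queries.
func fakeLookup(table map[string]string, delay time.Duration, calls *int) lookupFunc {
	return func(ctx context.Context, addr string) ([]string, error) {
		*calls++
		select {
		case <-time.After(delay):
		case <-ctx.Done():
			return nil, ctx.Err()
		}
		if h, ok := table[addr]; ok {
			return []string{h}, nil
		}
		return nil, &net.DNSError{Err: "no such host", Name: addr, IsNotFound: true}
	}
}

func main() {
	calls := 0
	table := map[string]string{"192.0.2.10": "db1.example.com."} // constructed, not real DNS
	rl := newReverseLookup(fakeLookup(table, 0, &calls), 500*time.Millisecond)
	for _, ip := range []string{"192.0.2.10", "192.0.2.10", "192.0.2.11"} {
		h, err := rl.Hostname(ip)
		fmt.Printf("%s -> %q err=%v\n", ip, h, err)
	}
	fmt.Println("lookups issued:", calls) // 2: the repeated address was served from cache
	// For real use, pass the system resolver; the timeout then bounds every PTR query.
	_ = newReverseLookup(net.DefaultResolver.LookupAddr, 200*time.Millisecond)
}
```

Two design points matter here: the timeout is attached to the context that the resolver itself honours, so a hung query is abandoned rather than blocking the poll, and negative results are cached as well, because an address that never resolves is exactly the one that would otherwise be re-queried on every fetch.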
The system.socket metricset reports an event for each new TCP socket that it sees. It does this by polling the kernel to get a dump of all sockets. So using a short polling interval with this metricset is important to not miss short-lived connections.

The metricset reports the process that has the socket open. It does this by associating the socket's inode to the process that has a file descriptor open pointing to the socket's inode. It reads /proc and /proc/<pid>/fd just prior to polling the kernel to get all sockets.

A reverse lookup can be performed by the metricset on the remote IP and the returned hostname will be added to the event and cached. This is disabled by default and can be enabled through the configuration. If a hostname is found then the eTLD+1 (effective top-level domain plus one level) value will also be added to the event.

For the IP address fields the index template for Elasticsearch 5.x uses the ip field type. But for Elasticsearch 2.x it uses string because the ip field type in 2.x does not support IPv6 addresses.
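The socket-to-process association described above (socket dump first, then matching each socket inode against the `socket:[<inode>]` links under /proc/<pid>/fd) is shown below as an added example written for this page; it is not the metricset's own code. It parses the IPv4 table at /proc/net/tcp rather than the netlink dump, the `Socket` type and function names are assumptions, and the table text is a constructed sample, not a capture. Note what happens without root: unreadable fd directories are skipped silently, which is precisely why the pull request logs that process info is only available when running as root.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Socket is one row of /proc/net/tcp, the kernel's dump of IPv4 TCP sockets.
type Socket struct {
	LocalIP, RemoteIP     net.IP
	LocalPort, RemotePort uint16
	State                 uint8  // 0x0A LISTEN, 0x01 ESTABLISHED, ...
	Inode                 uint64 // the key that ties a socket to a process
	PID                   int    // process holding the socket, -1 if unknown
}

// Constructed sample in /proc/net/tcp layout (not a real capture): a listener
// on 127.0.0.1:80 and an established client connection to it.
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:D4C2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
`

// parseHexAddr decodes "0100007F:0050": the address is a 32-bit value in host
// byte order (little-endian on x86), the port is a big-endian hex number.
func parseHexAddr(s string) (net.IP, uint16, error) {
	addr, portStr, ok := strings.Cut(s, ":")
	raw, err := hex.DecodeString(addr)
	port, perr := strconv.ParseUint(portStr, 16, 16)
	if !ok || err != nil || len(raw) != net.IPv4len || perr != nil {
		return nil, 0, fmt.Errorf("unexpected address %q", s)
	}
	ip := make(net.IP, net.IPv4len)
	binary.BigEndian.PutUint32(ip, binary.LittleEndian.Uint32(raw))
	return ip, uint16(port), nil
}

// parseProcNetTCP parses the table text (column 9 is the inode) and resolves each
// inode through inodeToPID, which the caller builds just before reading the table.
func parseProcNetTCP(text string, inodeToPID map[uint64]int) ([]Socket, error) {
	var socks []Socket
	for lineNo, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if lineNo == 0 || len(f) < 10 {
			continue // header row, blank or truncated line
		}
		lip, lport, err1 := parseHexAddr(f[1])
		rip, rport, err2 := parseHexAddr(f[2])
		state, err3 := strconv.ParseUint(f[3], 16, 8)
		inode, err4 := strconv.ParseUint(f[9], 10, 64)
		for _, err := range []error{err1, err2, err3, err4} {
			if err != nil {
				return nil, fmt.Errorf("line %d: %w", lineNo, err)
			}
		}
		pid, found := inodeToPID[inode]
		if !found {
			pid = -1
		}
		socks = append(socks, Socket{lip, rip, lport, rport, uint8(state), inode, pid})
	}
	return socks, nil
}

// socketInodesByPID walks procRoot/<pid>/fd and maps every "socket:[<inode>]"
// link target to the pid holding it. Unreadable fd directories are skipped.
func socketInodesByPID(procRoot string) map[uint64]int {
	out := make(map[uint64]int)
	pids, _ := os.ReadDir(procRoot) // nil on error: nothing to map
	for _, p := range pids {
		pid, err := strconv.Atoi(p.Name())
		if err != nil || !p.IsDir() {
			continue // "self", "net", ... are not processes
		}
		fdDir := filepath.Join(procRoot, p.Name(), "fd")
		fds, err := os.ReadDir(fdDir)
		if err != nil {
			continue // typically EACCES for another user's process when not root
		}
		for _, fd := range fds {
			target, err := os.Readlink(filepath.Join(fdDir, fd.Name()))
			if err != nil || !strings.HasPrefix(target, "socket:[") {
				continue // regular files, pipes, anon inodes, ...
			}
			inode, err := strconv.ParseUint(strings.TrimSuffix(target[8:], "]"), 10, 64)
			if err == nil {
				out[inode] = pid
			}
		}
	}
	return out
}
```

On a live Linux host the calling order is `socketInodesByPID("/proc")` first and then `parseProcNetTCP` over the contents of /proc/net/tcp, so the fd snapshot is taken immediately before the socket dump; the same ordering, together with a short polling interval, is what keeps short-lived connections from being reported without a process.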
0a3fc90 to c5a6c97
Rebased. I recommend using the "Rebase and merge" option which will add my 3 separate commits, but will not create a merge commit.