
[add_session_metadata processor] Keep exited processes in the process DB #39173

Merged
merged 12 commits into from Apr 25, 2024

Conversation

mjwolf
Contributor

@mjwolf mjwolf commented Apr 24, 2024

Proposed commit message

With the add_session_metadata processor, don't remove processes from the process db when the process has exited.

The processor can be run on fork/exec events after the process has actually exited, so the process must remain in the DB after it has exited, so the info can be used in enrichment of these events.

Now that the process is kept in the DB, the exit code is also appended on exit events, so the exit code can be used in enrichment of the exit events.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

With the add_session_metadata processor, don't remove processes from the process
db when the process has exited.

The processor can be run on fork/exec events after the process has actually
exited, so the process must remain in the DB after it has exited, so the info
can be used in enrichment of these events.

Now the process is kept in the DB, and the exit code is appended, so the exit
code is also now properly enriched for exit events.
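To make the behaviour the PR describes concrete, here is an added illustration (not code from beats or from the PR itself) of a process DB that keeps exited processes and records their exit code, so a fork/exec event delivered after the exit can still be enriched. The type and method names are assumptions for this example only.

```go
package main

import "fmt"

// Process is the record kept per PID. Assumed field set for this example,
// not the beats processor's own struct.
type Process struct {
	PID      uint32
	Name     string
	Exited   bool
	ExitCode int32
}

// ProcessDB keeps every process it has seen, including exited ones, so that
// fork/exec events delivered after the exit can still be enriched.
type ProcessDB struct {
	procs map[uint32]Process
}

func NewProcessDB() *ProcessDB {
	return &ProcessDB{procs: make(map[uint32]Process)}
}

// InsertExec records a new or re-exec'd process.
func (db *ProcessDB) InsertExec(pid uint32, name string) {
	db.procs[pid] = Process{PID: pid, Name: name}
}

// InsertExit marks the process exited and stores its exit code. The entry is
// deliberately NOT deleted: removing it on exit is the bug this PR fixes.
func (db *ProcessDB) InsertExit(pid uint32, code int32) {
	p, ok := db.procs[pid]
	if !ok {
		p = Process{PID: pid} // exit seen without a prior exec; keep what we know
	}
	p.Exited, p.ExitCode = true, code
	db.procs[pid] = p
}

// Enrich returns the process fields to attach to an event for pid.
// ok is false only when the PID was never observed at all.
func (db *ProcessDB) Enrich(pid uint32) (Process, bool) {
	p, ok := db.procs[pid]
	return p, ok
}

func main() {
	db := NewProcessDB()
	db.InsertExec(4242, "bash") // constructed exec event
	db.InsertExit(4242, 1)      // constructed exit event, status 1
	p, ok := db.Enrich(4242)    // late fork/exec event for the same PID
	fmt.Printf("found=%v name=%s exited=%v exit_code=%d\n", ok, p.Name, p.Exited, p.ExitCode)
}
```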
@mjwolf mjwolf requested a review from a team as a code owner April 24, 2024 05:29
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 24, 2024
@mergify mergify bot assigned mjwolf Apr 24, 2024
Contributor

mergify bot commented Apr 24, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @mjwolf? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

@mjwolf mjwolf added bugfix backport-v8.14.0 Automated backport with mergify Team:Security-Linux Platform Linux Platform Team in Security Solution labels Apr 24, 2024
@elasticmachine
Collaborator

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 24, 2024
@elasticmachine
Collaborator

elasticmachine commented Apr 24, 2024

💚 Build Succeeded



Build stats

  • Start Time: 2024-04-25T19:31:22.541+0000

  • Duration: 56 min 11 sec

Test stats 🧪

Test Results
Failed 0
Passed 473
Skipped 60
Total 533

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

Contributor

@pkoutsovasilis pkoutsovasilis left a comment


lgtm

@mjwolf mjwolf enabled auto-merge (squash) April 25, 2024 19:32
@mjwolf mjwolf disabled auto-merge April 25, 2024 19:40
@mjwolf mjwolf enabled auto-merge (squash) April 25, 2024 19:55
@mjwolf mjwolf merged commit 9649588 into elastic:main Apr 25, 2024
27 checks passed
mergify bot pushed a commit that referenced this pull request Apr 25, 2024
… DB (#39173)

With the add_session_metadata processor, don't remove processes from the process db when the process has exited.

The processor can be run on fork/exec events after the process has actually exited, so the process must remain in the DB after it has exited, so the info can be used in enrichment of these events.

Now that the process is kept in the DB, the exit code is also appended on exit events, so the exit code can be used in enrichment of the exit events.

(cherry picked from commit 9649588)
mjwolf added a commit that referenced this pull request Apr 25, 2024
… DB (#39173) (#39225)

With the add_session_metadata processor, don't remove processes from the process db when the process has exited.

The processor can be run on fork/exec events after the process has actually exited, so the process must remain in the DB after it has exited, so the info can be used in enrichment of these events.

Now that the process is kept in the DB, the exit code is also appended on exit events, so the exit code can be used in enrichment of the exit events.

(cherry picked from commit 9649588)

Co-authored-by: Michael Wolf <michael.wolf@elastic.co>
@mjwolf mjwolf deleted the session-view-fix-missed-events branch April 25, 2024 23:17
Labels
backport-v8.14.0 Automated backport with mergify bugfix Team:Security-Linux Platform Linux Platform Team in Security Solution
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Security-Linux Platform Integrations] Auditbeat missing Session View Process fields
5 participants