[Auditbeat] Update host metricset (elastic#9421)

Updates the `host` metricset to be in line with the other metricsets in the `system` module: 1. Adds regular state reporting based on `state.period`/`host.state.period` 2. Persists state between restarts in `beat.db` 3. Detects changes in host information 4. Changes to using `system.host.ip`/`system.host.mac` instead of `system.host.network.interfaces`
cwurm · Dec 15, 2018 · 8b3d5a8 · 8b3d5a8
1 parent 86ec03e
commit 8b3d5a8
Show file tree

Hide file tree

Showing 7 changed files with 413 additions and 147 deletions.
diff --git a/x-pack/auditbeat/include/fields.go b/x-pack/auditbeat/include/fields.go
diff --git a/x-pack/auditbeat/module/system/host/_meta/data.json b/x-pack/auditbeat/module/system/host/_meta/data.json
@@ -1,46 +1,51 @@
 {
     "@timestamp": "2017-10-12T08:05:34.853Z",
-    "beat": {
+    "agent": {
         "hostname": "host.example.com",
         "name": "host.example.com"
     },
-    "metricset": {
+    "event": {
+        "action": "host",
+        "dataset": "host",
         "module": "system",
-        "name": "host",
-        "rtt": 115
+        "type": "state"
+    },
+    "service": {
+        "type": "system"
     },
     "system": {
         "host": {
             "architecture": "x86_64",
-            "boottime": "2018-10-01T13:33:02Z",
+            "boottime": "2018-12-04T12:13:02Z",
             "containerized": false,
-            "id": "87778e62461b4d609aee5a20f2ec4be6",
-            "name": "ubuntu-bionic",
-            "network": {
-                "interfaces": [
-                    {
-                        "flags": "up|broadcast|multicast",
-                        "index": 2,
-                        "ip": [
-                            "10.0.2.15",
-                            "fe80::2d:fdff:fe81:e747"
-                        ],
-                        "mac": "02:2d:fd:81:e7:47",
-                        "mtu": 1500,
-                        "name": "enp0s3"
-                    }
-                ]
-            },
+            "id": "b0d3f38d51bdeefe224737595c03d916",
+            "ip": [
+                "10.0.2.15",
+                "fe80::2d:fdff:fe81:e747",
+                "172.28.128.3",
+                "fe80::a00:27ff:fe1f:7160",
+                "172.17.0.1",
+                "fe80::42:83ff:febe:1a3a",
+                "172.18.0.1",
+                "fe80::42:9eff:fed3:d888"
+            ],
+            "mac": [
+                "02:2d:fd:81:e7:47",
+                "08:00:27:1f:71:60",
+                "02:42:83:be:1a:3a",
+                "02:42:9e:d3:d8:88"
+            ],
+            "hostname": "ubuntu-bionic",
             "os": {
                 "family": "debian",
-                "kernel": "4.15.0-34-generic",
+                "kernel": "4.15.0-39-generic",
                 "name": "Ubuntu",
                 "platform": "ubuntu",
                 "version": "18.04.1 LTS (Bionic Beaver)"
             },
             "timezone.name": "UTC",
             "timezone.offset.sec": 0,
-            "uptime": 222611977726
+            "uptime": 105705490232434
         }
     }
 }
diff --git a/x-pack/auditbeat/module/system/host/_meta/fields.yml b/x-pack/auditbeat/module/system/host/_meta/fields.yml
@@ -24,7 +24,7 @@
     type: long
     description: >
         Timezone offset in seconds.
-  - name: name
+  - name: hostname
     type: keyword
     description: >
         Hostname.
@@ -36,6 +36,14 @@
     type: keyword
     description: >
         Host architecture (e.g. x86_64).
+  - name: mac
+    type: keyword
+    description: >
+        MAC addresses.
+  - name: ip
+    type: ip
+    description: >
+        IP addresses.
   - name: os
     type: group
     description: >
@@ -61,37 +69,3 @@
       type: keyword
       description: >
         The operating system's kernel version.
-  - name: network
-    type: group
-    description: >
-      `network` contains network information from the system.
-    fields:
-    - name: interfaces
-      type: array
-      description: >
-        `interfaces` contains information about network interfaces.
-      fields:
-      - name: index
-        type: integer
-        description: >
-          Index of the interface.
-      - name: mtu
-        type: integer
-        description: >
-          Maximum transmission unit.
-      - name: name
-        type: keyword
-        description: >
-          Interface name.
-      - name: mac
-        type: keyword
-        description: >
-          MAC address.
-      - name: flags
-        type: text
-        description: >
-          Interface flags.
-      - name: ip
-        type: ip
-        description: >
-          IP addresses.
diff --git a/x-pack/auditbeat/module/system/host/config.go b/x-pack/auditbeat/module/system/host/config.go
@@ -0,0 +1,28 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+package host
+
+import (
+	"time"
+)
+
+// config defines the metricset's configuration options.
+type config struct {
+	StatePeriod     time.Duration `config:"state.period"`
+	HostStatePeriod time.Duration `config:"host.state.period"`
+}
+
+func (c *config) effectiveStatePeriod() time.Duration {
+	if c.HostStatePeriod != 0 {
+		return c.HostStatePeriod
+	}
+	return c.StatePeriod
+}
+
+func defaultConfig() config {
+	return config{
+		StatePeriod: 1 * time.Hour,
+	}
+}