forked from open-telemetry/opentelemetry-network
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ebpf_net.render
2133 lines (1964 loc) · 54 KB
/
ebpf_net.render
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
/*
* Copyright The OpenTelemetry Authors
* SPDX-License-Identifier: Apache-2.0
*/
package ebpf_net
/* RPC ID ranges.
*
* NOTE: when modifying, make sure that existing IDs stay the same
* (add IDs higher than previously used, add at the end of the list).
* RPC IDs are allocated here, but mapped over the list of contiguous app message ids
* for each message. 300 is the first allocated RPC id per historical convention.
*/
namespace {
ingest: 301-310,321-330,341,350-360,390-420,491-520,531-550
agent_internal: 331-340,361-380
matching: 421-440,471-490
kernel_collector: 521-530
cloud_collector: 441-450
aggregation: 451-470
logging: 600-699
}
/******************************************************************************
* APP SPANS
******************************************************************************/
app agent_internal {
span agent_internal
impl "ebpf_net::agent_internal::AgentInternalSpanBase"
include "<generated/ebpf_net/agent_internal/span_base.h>"
{
pool_size 1
singleton
0: log dns_packet {
description "a DNS packet sent or received by an application"
severity 0
1: u64 sk
2: string pkt
3: u16 total_len
4: u8 is_rx // 0 = sent, 1 = received
}
1: log reset_tcp_counters {
description "new_socket and the sk has the following counters"
severity 0
1: u64 sk
2: u64 bytes_acked
3: u32 packets_delivered
4: u32 packets_retrans
5: u64 bytes_received
6: u32 pid
}
2: log new_sock_created {
description "new socket has been created"
severity 0
1: u32 pid
2: u64 sk
}
3: log udp_new_socket {
description "found new or scanned existing udp socket"
severity 0
1: u32 pid
2: u64 sk
3: u8 laddr[16]
4: u16 lport
}
4: log udp_destroy_socket {
description "udp socket was destroyed"
severity 0
1: u64 sk
}
5: log udp_stats {
description "udp socket sent datagrams"
severity 0
1: u64 sk
2: u8 raddr[16]
3: u32 packets
4: u32 bytes
5: u8 changed_af
6: u16 rport
7: u8 is_rx
8: u8 laddr[16]
9: u16 lport
10: u32 drops
}
6: log pid_info {
description "new process info"
severity 0
1: u32 pid
2: u8 comm[16]
3: u64 cgroup
4: s32 parent_pid
}
7: log pid_close {
description "close process info"
severity 0
1: u32 pid
2: u8 comm[16]
}
20: log pid_set_comm {
description "process comm change"
severity 0
1: u32 pid
2: u8 comm[16]
}
8: log set_state_ipv4 {
description "socket state changed or enumerating sockets"
severity 0
1: u32 dest
2: u32 src
3: u16 dport
4: u16 sport
5: u64 sk
7: u32 tx_rx // 0-unknown, 1-connector, 2-listener
}
9: log set_state_ipv6 {
description "socket state changed or enumerating sockets"
severity 0
1: u8 dest[16]
2: u8 src[16]
3: u16 dport
4: u16 sport
5: u64 sk
7: u32 tx_rx // 0-unknown, 1-connector, 2-listener
}
10: log rtt_estimator {
description "periodic telemetry about a socket"
severity 0
1: u32 srtt
2: u32 snd_cwnd
3: u64 bytes_acked
4: u8 ca_state
5: u64 sk
6: u32 packets_in_flight
7: u32 packets_delivered
8: u32 packets_retrans
9: u32 rcv_holes
10: u64 bytes_received
11: u32 rcv_delivered
12: u32 rcv_rtt
}
11: log close_sock_info {
description "close socket info"
severity 0
1: u64 sk
}
12: log kill_css {
description "destroy a css"
severity 0
1: u64 cgroup
2: u64 cgroup_parent
3: u8 name[256]
// Be careful: mind the 512 byte limit for the bpf stack.
// We need the whole name because systemd style cgroup names are long and
// have the container id at the end.
}
13: log css_populate_dir {
description "create subsys files in a cgroup directory"
severity 0
1: u64 cgroup
2: u64 cgroup_parent
3: u8 name[256] // See kill_css note.
}
14: log cgroup_clone_children_read {
description "cgroup_clone_children_read"
severity 0
1: u64 cgroup
2: u64 cgroup_parent
3: u8 name[256] // See kill_css note.
}
15: log cgroup_attach_task {
description "cgroup_attach_task"
severity 0
1: u64 cgroup
2: u32 pid
3: u8 comm[16]
}
// unpacks connection information from the params of this function
// struct nf_conn ct.tuplehash holds two nf_conntrack_tuple structs
// see nf_conntrack_tuple.h for more info
16: log nf_conntrack_alter_reply {
description "nf_conntrack_alter_reply"
severity 0
1: u64 ct
2: u32 src_ip // in network byte order
3: u16 src_port // in network byte order
4: u32 dst_ip // in network byte order
5: u16 dst_port // in network byte order
6: u8 proto
7: u32 nat_src_ip // in network byte order
8: u16 nat_src_port // in network byte order
9: u32 nat_dst_ip // in network byte order
10: u16 nat_dst_port // in network byte order
11: u8 nat_proto
}
17: log nf_nat_cleanup_conntrack {
description "nf_nat_cleanup_conntrack"
severity 0
1: u64 ct
2: u32 src_ip // in network byte order
3: u16 src_port // in network byte order
4: u32 dst_ip // in network byte order
5: u16 dst_port // in network byte order
6: u8 proto
}
18: log existing_conntrack_tuple {
description "existing_conntrack_tuple"
severity 0
1: u64 ct
2: u32 src_ip // in network byte order
3: u16 src_port // in network byte order
4: u32 dst_ip // in network byte order
5: u16 dst_port // in network byte order
6: u8 proto
7: u8 dir
}
19: log tcp_syn_timeout {
description "tcp socket experienced a timeout in SYN_RECV or SYN_SENT state"
severity 0
1: u64 sk
}
21: log http_response {
description "http response code and latency"
severity 0
1: u64 sk
2: u32 pid
3: u16 code // http response code
4: u64 latency_ns // in nanoseconds (client=round-trip time, server=processing time)
5: u8 client_server // 0 = client, 1 = server
}
22: log bpf_log {
description "log/warning/error event"
severity 0
1: u64 filelineid // file/line debug information id
2: u64 code // error/warning/message code
3: u64 arg0 // code-specific arguments (generic)
4: u64 arg1
5: u64 arg2
}
23: log stack_trace {
description "debugging stack trace event"
severity 0
1: s32 kernel_stack_id // id of the kernel stack trace
2: s32 user_stack_id // id of the userland stack trace
3: u32 tgid // tgid
4: u8 comm[16] // process command
}
24: log tcp_data {
description "tcp packet data from bpf"
severity 0
1: u64 sk // sock
2: u32 pid // tgid
3: u32 length // data length
4: u64 offset // offset into the stream for the data
5: u8 stream_type // enum STREAM_TYPE { ST_SEND = 0, ST_RECV = 1 }
6: u8 client_server // enum CLIENT_SERVER_TYPE { SC_CLIENT = 0, SC_SERVER = 1 }
}
26: log pid_exit {
description "called when a thread exits"
severity 0
1: u64 tgid
2: u32 pid
3: s32 exit_code
}
27: log report_debug_event {
description "called when a bpf debug event is triggered - for debugging purposes"
severity 0
1: u16 event // unique dentifying code for the debug event
2: u64 arg1 // event dependent data
3: u64 arg2 // event dependent data
4: u64 arg3 // event dependent data
5: u64 arg4 // event dependent data
}
28: log tcp_reset {
description "tcp RST was sent/received"
severity 0
1: u64 sk
2: u8 is_rx
}
}
} /* app agent_internal */
app ingest {
jit
span process impl "reducer::ingest::ProcessSpan" include "<reducer/ingest/process_span.h>" {
pool_size 10000000
string<16> comm
reference<cgroup> cgroup
reference<service> service
// userspace proxy hack: cgroup of the target process
reference<cgroup> cgroup_override
0: start pid_info ref pid {
description "new process info"
severity 0
1: u32 pid
2: u8 comm[16]
}
5: end pid_close_info ref pid {
description "close process info"
severity 0
1: u32 pid
2: u8 comm[16]
}
35: start pid_info_create_deprecated ref pid {
description "new process info"
severity 0
1: u32 pid
2: u8 comm[16]
3: u64 cgroup
}
108: start pid_info_create ref pid {
description "new process info"
severity 0
1: u32 pid
2: u8 comm[16]
3: u64 cgroup
4: s32 parent_pid
5: string cmdline
}
39: log pid_cgroup_move ref pid {
description "process attached to a cgroup"
severity 0
1: u32 pid
3: u64 cgroup
}
41: log pid_set_comm ref pid {
description "process comm changed"
severity 0
1: u32 pid
2: u8 comm[16]
}
109: log pid_set_cmdline ref pid {
description "process command-line changed"
severity 0
1: u32 pid
2: string cmdline
}
} /* span process */
// processes proxied by the kernel collector
// transitional span so we can migrate from the non-proxied version
// gradually without breaking existing functionality
span tracked_process
impl "ebpf_net::ingest::TrackedProcessSpanBase"
include "<generated/ebpf_net/ingest/span_base.h>"
{
pool_size 10000000
72: msg _start {}
73: msg _end {}
74: msg set_tgid {
description "set tgid"
severity 0
1: u32 tgid
}
75: msg set_cgroup {
description "set cgroup"
severity 0
1: u64 cgroup
}
76: msg set_command {
description "set cmd line"
severity 0
1: string command
}
89: msg pid_exit {
description "pid_exit"
severity 0
// the TGID this PID belongs to
1: u64 tgid
// the PID that's exiting
2: u32 pid
// the exit code of the PID when it finished execution
3: s32 exit_code
}
} /* span tracked_process_span */
span cgroup impl "reducer::ingest::CgroupSpan" include "<reducer/ingest/cgroup_span.h>" {
pool_size 800000
// cgroup name prefix
string<256> name
// if this cgroup is a pod
u8 pod_uid_suffix[64]
u64 pod_uid_hash
u16 cpu_soft_limit // cpu shares in kernel lingo: https://elixir.bootlin.com/linux/v5.8-rc3/source/kernel/sched/fair.c#L3122
u32 cpu_hard_quota
u32 cpu_hard_period
reference<cgroup> parent
reference<service> service
reference<container> container
36: start cgroup_create_deprecated ref cgroup {
description "cgroup created"
severity 0
1: u64 cgroup
2: u64 cgroup_parent
3: u8 name[64]
}
106: start cgroup_create ref cgroup {
description "cgroup created"
severity 0
1: u64 cgroup
2: u64 cgroup_parent
3: u8 name[256]
}
37: end cgroup_close ref cgroup {
description "cgroup destroyed"
severity 0
1: u64 cgroup
}
38: log container_metadata ref cgroup {
description "Container metadata"
severity 0
1: u64 cgroup
2: string id
3: string name
4: string image
5: string ip_addr
6: string cluster
7: string container_name
8: string task_family
9: string task_version
10: string ns
}
52: log pod_name ref cgroup {
description "The name of the pod derived from docker metadata"
severity 0
1: u64 cgroup
2: string _deprecated_pod_uid
3: string name
}
80: log nomad_metadata ref cgroup {
description "Nomad metadata extracted from the container's environment"
severity 0
1: u64 cgroup
2: string ns
3: string group_name
4: string task_name
5: string job_name
}
84: log k8s_metadata ref cgroup {
description "K8s metadata extracted from the container's labels"
severity 0
1: u64 cgroup
2: string container_name
3: string pod_name
4: string pod_ns
5: string pod_uid
6: string sandbox_uid
}
85: log k8s_metadata_port ref cgroup {
description "K8s ports metadata extracted from the container's labels"
severity 0
1: u64 cgroup
2: u16 port
3: u8 protocol // as in `PortProtocol` from `common/port_protocol.h`
4: string name
}
86: log container_resource_limits_deprecated ref cgroup {
description "container resource limits"
severity 0
1: u64 cgroup
2: u16 cpu_shares
3: u16 cpu_period
4: u16 cpu_quota
5: u8 memory_swappiness
6: u64 memory_limit
7: u64 memory_soft_limit
8: s64 total_memory_limit
}
90: log container_resource_limits ref cgroup {
description "container resource limits"
severity 0
1: u64 cgroup
2: u16 cpu_shares
3: u32 cpu_period
4: u32 cpu_quota
5: u8 memory_swappiness
6: u64 memory_limit
7: u64 memory_soft_limit
8: s64 total_memory_limit
}
100: log container_annotation ref cgroup {
description "Container annotation from `Config.Labels`"
severity 0
1: u64 cgroup
2: string key
3: string value
}
} /* span cgroup */
span socket impl "reducer::ingest::SocketSpan" include "<reducer/ingest/socket_span.h>" {
pool_size 5000000
reference<process> process
1: start new_sock_info ref sk {
description "new socket info"
severity 0
1: u32 pid
2: u64 sk
}
2: log set_state_ipv4 ref sk {
description "socket state changed or enumerating sockets"
severity 0
1: u32 dest
2: u32 src
3: u16 dport
4: u16 sport
5: u64 sk
7: u32 tx_rx
}
3: log set_state_ipv6 ref sk {
description "socket state changed or enumerating sockets"
severity 0
1: u8 dest[16]
2: u8 src[16]
3: u16 dport
4: u16 sport
5: u64 sk
7: u32 tx_rx
}
15: log socket_stats ref sk {
description "aggregated statistics for the socket"
severity 0
1: u64 sk
2: u64 diff_bytes
3: u32 diff_delivered
4: u32 diff_retrans
5: u32 max_srtt
6: u8 is_rx
}
31: log nat_remapping ref sk {
description "NAT remapping for a connection"
severity 0
1: u64 sk
2: u32 src
3: u32 dst
4: u16 sport
5: u16 dport
}
7: end close_sock_info ref sk {
description "close socket info"
severity 0
1: u64 sk
}
40: log syn_timeout ref sk {
description "tcp socket experienced a timeout in SYN_RECV or SYN_SENT state"
severity 0
1: u64 sk
}
43: log http_response ref sk {
description "http response code and latency"
severity 0
1: u64 sk
2: u32 pid
3: u16 code // http response code
4: u64 latency_ns // in nanoseconds (client=round-trip time, server=processing time)
5: u8 client_server // 0 = client, 1 = server
}
91: log tcp_reset ref sk {
description "tcp RST was sent/received"
severity 0
1: u64 sk
2: u8 is_rx
}
} /* span socket */
span agent impl "reducer::ingest::AgentSpan" include "<reducer/ingest/agent_span.h>" {
pool_size 512 /* See core.h CONN_POOL_SIZE */
singleton
6: log process_steady_state {
description "sent when we reach steady state for processes"
severity 0
1: u64 time
}
8: log socket_steady_state {
description "sent when we reach steady state for sockets"
severity 0
1: u64 time
}
9: log version_info {
description "reported to the server when the agent starts"
severity 0
no_authorization_needed
pipeline_only
1: u32 major
2: u32 minor
3: u32 build
}
57: log set_node_info {
description "reports node information from agent"
severity 0
1: string az
2: string role
3: string instance_id
4: string instance_type
}
58: log set_config_label {
description "report a custom label"
severity 0
1: string key
2: string value
}
10: log set_availability_zone_deprecated {
description "reports availability zone"
severity 0
1: u8 retcode
2: u8 az[16]
}
11: log set_iam_role_deprecated {
description "reports cloud platform IAM role"
severity 0
1: u8 retcode
2: u8 role[64]
}
12: log set_instance_id_deprecated {
description "reports cloud platform instance name, the 17 char hex notation"
severity 0
1: u8 retcode
2: u8 id[17]
}
13: log set_instance_type_deprecated {
description "reports cloud platform instance type"
severity 0
1: u8 retcode
2: u8 val[17]
}
14: log dns_response_fake {
description "Used to manually set a DNS entry at the server"
severity 0
1: u16 total_dn_len
2: string ips
3: string domain_name
}
33: log dns_response_dep_a_deprecated {
description "The domain and information from a DNS response"
severity 0
1: u16 total_dn_len
2: string domain_name
3: string ipv4_addrs
4: string ipv6_addrs
}
16: log set_config_label_deprecated {
description "report a label specified in the config file"
severity 0
1: u8 key[20]
2: u8 val[40]
}
23: log api_key {
description "the api key"
severity 0
no_authorization_needed
pipeline_only
1: u8 tenant[20]
2: u8 api_key[64]
}
24: log private_ipv4_addr {
description "a private ipv4 address"
severity 0
1: u32 addr // in network byte order
2: u8 vpc_id[22]
}
25: log ipv6_addr {
description "an ipv6 address"
severity 0
1: u8 addr[16]
2: u8 vpc_id[22]
}
26: log public_to_private_ipv4 {
description "the mapping of a public to private ipv4 address"
severity 0
1: u32 public_addr // in network byte order
2: u32 private_addr // in network byte order
3: u8 vpc_id[22]
}
27: log metadata_complete {
description "sent when we've finished sending all the agent's metadata"
severity 0
1: u64 time
}
28: log bpf_lost_samples {
description "perf reported that samples were lost"
severity 1
pipeline_only
1: u64 count
}
29: log pod_new_legacy {
description "New POD"
severity 0
1: string uid
2: u32 ip
3: string owner_name
4: u8 owner_kind
5: string owner_uid
6: u8 is_host_network
// namespace of the pod
7: string ns
}
56: log pod_new_legacy2 {
description "New POD"
severity 0
1: string uid
2: u32 ip
3: string owner_name
4: u8 owner_kind
5: string owner_uid
6: u8 is_host_network
// namespace of the pod
7: string ns
8: string version
}
87: log pod_new_with_name {
description "New POD"
severity 0
1: string uid
2: u32 ip
3: string owner_name
4: string pod_name
5: u8 owner_kind
6: string owner_uid
7: u8 is_host_network
8: string ns
9: string version
}
42: log pod_container_legacy {
description "POD has a container"
severity 0
1: string uid
2: string container_id
}
66: log pod_container {
description "POD has a container"
severity 0
1: string uid
2: string container_id
3: string container_name
4: string container_image
}
30: log pod_delete {
description "POD is deleted"
severity 0
1: string uid
}
32: log pod_resync {
description "Current live pod info is staled. Clean then up"
severity 0
1: u64 resync_count
}
22: log span_duration_info {
description "the duration and span type"
severity 0
1: u64 duration
}
34: log heartbeat {
description "heartbeat signal from agent/collector to server."
severity 0
pipeline_only
}
110: log connect {
description "called by the agent to connect to intake"
severity 0
no_authorization_needed
pipeline_only
1: u8 collector_type // ClientType enum
2: string hostname
}
51: log health_check {
description "called to perform a health check on the server"
severity 0
no_authorization_needed
pipeline_only
1: u8 client_type // ClientType enum
2: string origin
}
53: log log_message {
description "log agent warnings"
severity 0
pipeline_only
1: u8 log_level // spdlog::level::level_enum
2: string message
}
54: log agent_resource_usage {
description "logs resource usage by the agent"
severity 0
pipeline_only
1: u64 user_mode_time_us
2: u64 kernel_mode_time_us
3: u64 max_resident_set_size
4: u32 minor_page_faults
5: u32 major_page_faults
6: u32 block_input_count
7: u32 block_output_count
8: u32 voluntary_context_switch_count
9: u32 involuntary_context_switch_count
10: u16 cpu_usage_by_agent // per-thousand fixed point, lowest 3 digits are fractional
11: u16 cpu_idle // per-thousand fixed point, lowest 3 digits are fractional
}
55: log cloud_platform {
description "logs which cloud platform the agent is running on"
severity 0
1: u16 cloud_platform // as per `common/cloud_platform.h`
}
61: log os_info_deprecated {
description "reports the os and distro under which the agent is running"
severity 0
1: u8 os // as per `common/operating_system.h`
2: u8 flavor // as per `common/linux_distro.h`
3: string kernel_version
// this message is forwards compatible with support for new operating systems
// the field `distro` could be repurposed with, say, the OSX release or Windows version
}
107: log os_info {
description "reports the os and distro under which the agent is running"
severity 0
1: u8 os // as per `common/operating_system.h`
2: u8 flavor // as per `common/linux_distro.h`
3: string os_version
4: string kernel_version
// this message is forwards compatible with support for new operating systems
// the field `distro` could be repurposed with, say, the OSX release or Windows version
}
62: log kernel_headers_source {
description "logs the source used to obtain kernel headers"
severity 0
pipeline_only
1: u8 source // as per `collector/kernel/kernel_headers_source.h`
}
63: log entrypoint_error {
description "logs errors that happen before launching the agent, at the container entrypoint"
severity 0
pipeline_only
1: u8 error // as per `collector/kernel/entrypoint_error.h`
}
64: log bpf_compiled {
description "tells the server that BPF was successfully compiled by the kernel collector"
severity 0
pipeline_only
}
65: log begin_telemetry {
description "tells the server that agent setup is complete and telemetry is about to flow"
severity 0
pipeline_only
}
67: log cloud_platform_account_info {
description "log under which cloud platform account id this collector is running"
severity 0
1: string account_id
}
68: log collector_health {
description "reports health status about collectors"
severity 0
pipeline_only
1: u16 status // CollectorStatus enum in `common/collector_status.h`
2: u16 detail // extended info about the collector's status
// cloud-collector: the http status code for api calls
}
70: log system_wide_process_settings {
description "reports system-wide settings that matters for process stats"
severity 0
1: u64 clock_ticks_per_second
2: u64 memory_page_bytes
}
// use cases for this message:
// - unexpected error condition has been met, so agent collects information and
// submits to the server for further inspection
//
// NOTE: calls to this message should be rate limited to avoid network overhead
83: log collect_blob {
description "a generic message used to collect random pieces of information from agents"
severity 0
pipeline_only
1: u16 blob_type // as in the `CollectedBlobType` enum from `common/collected_blob_type.h`
2: u64 subtype // extra metadata field whose meaning varies by `type`
3: string metadata // some descriptive metadata about the blob
4: string blob // the contents of the blob
}
98: log report_cpu_cores {
1: u32 cpu_core_count
}
99: log bpf_log {
description "reports health status about collectors"
severity 0
pipeline_only
1: string filename
2: u32 line
2: u64 code // error/warning/message code
3: u64 arg0 // code-specific arguments (generic)
4: u64 arg1
5: u64 arg2
}
} /* span agent */
span aws_network_interface
impl "reducer::collector::cloud::AwsNetworkInterfaceSpan"
include "<reducer/ingest/aws_network_interface_span.h>"
{
pool_size 60000 // arbitrary number, we need a better estimate
index (ip)
proxy matching.aws_enrichment
u128 ip
48: msg _start {}
49: msg _end {}
50: msg network_interface_info_deprecated {
description "information about the network interface"
severity 0
1: u8 ip_owner_id[18]
2: u8 vpc_id[22]
3: u8 az[16]
4: string interface_id
5: u16 interface_type
6: string instance_id
7: string instance_owner_id
8: string public_dns_name
9: string private_dns_name
10: string interface_description
}
59: msg network_interface_info {
description "information about the network interface"
severity 0
1: string ip_owner_id
2: string vpc_id
3: string az
4: string interface_id
5: u16 interface_type
6: string instance_id
7: string instance_owner_id
8: string public_dns_name
9: string private_dns_name
10: string interface_description
}
} /* span aws_network_interface */
span udp_socket impl "reducer::ingest::UdpSocketSpan" include "<reducer/ingest/udp_socket_span.h>" {
pool_size 120000
reference<process> process
17: start udp_new_socket ref sk_id {
description "new udp socket was initialized"