Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x-pack/filebeat/input/http_endpoint: add support for request trace logging #36957

Merged
merged 4 commits into from Nov 12, 2023
Merged

x-pack/filebeat/input/http_endpoint: add support for request trace logging #36957

merged 4 commits into from Nov 12, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Oct 25, 2023
edited

Proposed commit message

See title.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works - tested manually
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

Run go test -log-traces in x-pack/filebeat/input/http_endpoint` and then check the resulting ndjson files in the trace_logs directory.

Related issues

Use cases

Screenshots

Logs

@efd6 efd6 added enhancement Filebeat Filebeat Team:Security-External Integrations backport-skip Skip notification from the automated backport with mergify 8.12-candidate labels Oct 25, 2023
@efd6 efd6 self-assigned this Oct 25, 2023
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Oct 25, 2023
@efd6 efd6 force-pushed the 36951-http_endpoint branch 2 times, most recently from 1221079 to 4d7707c Compare October 25, 2023 01:45
@elasticmachine
Copy link
Collaborator

elasticmachine commented Oct 25, 2023
edited by jenkins-beats-ci bot

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 143 min 38 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@mergify

This comment was marked as outdated.

Sign in to view
@efd6 efd6 marked this pull request as ready for review October 25, 2023 10:32
@efd6 efd6 requested a review from a team as a code owner October 25, 2023 10:32
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@mergify Mergify
Copy link
Contributor

mergify bot commented Nov 1, 2023

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 36951-http_endpoint upstream/36951-http_endpoint
git merge upstream/main
git push upstream 36951-http_endpoint

@mergify Mergify
Copy link
Contributor

mergify bot commented Nov 6, 2023

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 36951-http_endpoint upstream/36951-http_endpoint
git merge upstream/main
git push upstream 36951-http_endpoint

@efd6 efd6 requested a review from ebeahan November 6, 2023 09:22
@mergify Mergify
Copy link
Contributor

mergify bot commented Nov 7, 2023

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 36951-http_endpoint upstream/36951-http_endpoint
git merge upstream/main
git push upstream 36951-http_endpoint

andrewkroh
andrewkroh reviewed Nov 10, 2023
View reviewed changes
x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc Outdated
[float]
==== `tracer.filename`

It is possible to log HTTP requests and responses in a CEL program to a local file-system for debugging configurations.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs tailoring to this input (mentions CEL).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would specify that only requests that have passed validation checks (e.g. auth, content-type, method, HMAC) are logged.

Perhaps we should be trace logging unconditionally, and annotating that the request was rejected (like with the http response body and status code). That would be useful for debugging HMAC issues.

x-pack/filebeat/input/internal/httplog/roundtripper.go
@@ -167,6 +130,70 @@ func (rt *LoggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, err
return resp, err
}

// LogRequest logs an HTTP request to the provided logger.
//
// Fields logged:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to have the source.{ip,port} in the log.

@mergify Mergify

This comment was marked as outdated.

Sign in to view
efd6
efd6 commented Nov 11, 2023
View reviewed changes
x-pack/filebeat/input/http_endpoint/handler.go
Comment on lines +73 to +77
// If we are logging, keep a copy of the body for the logger.
// This is stashed in the r.Body field. This is only safe
// because we are closing the original body in a defer and
// r.Body is not otherwise referenced by the non-logging logic
// after the call to getBodyReader above.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is not strictly speaking true. The current handling of gzip content breaks the invariant that request bodies are closed. This is a bug in the current code, so I won't fix it here, but the change is

diff --git a/x-pack/filebeat/input/http_endpoint/gzip.go b/x-pack/filebeat/input/http_endpoint/gzip.go
index 332b482497..5b3e7111f1 100644
--- a/x-pack/filebeat/input/http_endpoint/gzip.go
+++ b/x-pack/filebeat/input/http_endpoint/gzip.go
@@ -18,15 +18,16 @@ var gzipDecoderPool = sync.Pool{

 type pooledGzipReader struct {
        Reader *gzip.Reader
+       closer io.Closer
 }

-func newPooledGzipReader(r io.Reader) (*pooledGzipReader, error) {
+func newPooledGzipReader(r io.ReadCloser) (*pooledGzipReader, error) {
        gzipReader := gzipDecoderPool.Get().(*gzip.Reader)
        if err := gzipReader.Reset(r); err != nil {
                gzipDecoderPool.Put(gzipReader)
                return nil, err
        }
-       return &pooledGzipReader{Reader: gzipReader}, nil
+       return &pooledGzipReader{Reader: gzipReader, closer: r}, nil
 }

 // Read implements io.Reader, reading uncompressed bytes from its underlying Reader.
@@ -34,13 +35,17 @@ func (r *pooledGzipReader) Read(b []byte) (int, error) {
        return r.Reader.Read(b)
 }

-// Close closes the Reader. It does not close the underlying io.Reader.
+// Close closes the Reader and the underlying source.
 // In order for the GZIP checksum to be verified, the reader must be
 // fully consumed until the io.EOF.
 //
 // After this call the reader should not be reused because it is returned to the pool.
 func (r *pooledGzipReader) Close() error {
        err := r.Reader.Close()
+       _err := r.closer.Close()
+       if err == nil {
+               err = _err
+       }
        gzipDecoderPool.Put(r.Reader)
        r.Reader = nil
        return err

@efd6 efd6 requested a review from andrewkroh November 11, 2023 21:29
andrewkroh
andrewkroh approved these changes Nov 12, 2023
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for adding the source.{ip,port} and covering all the request paths with trace logging.

@efd6 efd6 merged commit 0f011b0 into elastic:main Nov 12, 2023
21 checks passed
@efd6 efd6 mentioned this pull request Nov 12, 2023
Merged
6 tasks
Scholar-Li pushed a commit to Scholar-Li/beats that referenced this pull request Feb 5, 2024
@efd6 @Scholar-Li
x-pack/filebeat/input/http_endpoint: add support for request trace lo…
6653b6c 
…gging (elastic#36957)
@ebeahan ebeahan mentioned this pull request May 16, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

@ebeahan ebeahan Awaiting requested review from ebeahan

Assignees

@efd6 efd6

Labels
8.12-candidate backport-skip Skip notification from the automated backport with mergify enhancement Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Filebeat] http_endpoint - add option for capturing a trace data
3 participants
@efd6 @elasticmachine @andrewkroh