Merge pull request SUSE#63 from jeffmahoney/sensor-base-0.6.7

Sensor base 0.6.7

Author: jeffmahoney

.github/workflows/go.yml

@@ -41,7 +41,7 @@ jobs:
       run: |
         go get -v -t -d ./...
         sudo apt-get update
-        sudo apt-get install mingw-w64-x86-64-dev gcc-mingw-w64-x86-64 gcc-mingw-w64 libsystemd-dev clang-12 llvm libelf-dev git linux-tools-common make libzstd-dev
+        sudo apt-get install mingw-w64-x86-64-dev gcc-mingw-w64-x86-64 gcc-mingw-w64 libsystemd-dev clang-12 llvm libelf-dev git linux-tools-common make libzstd-dev linux-tools-common
 
     - name: Use Node.js v16
       uses: actions/setup-node@v1

.github/workflows/linux.yml

@@ -25,7 +25,7 @@ jobs:
       run: |
         go get -v -t -d ./...
         sudo apt-get update
-        sudo apt-get install libsystemd-dev clang-12 llvm libelf-dev git linux-tools-common make libzstd-dev
+        sudo apt-get install libsystemd-dev clang-12 llvm libelf-dev git linux-tools-common make libzstd-dev linux-tools-common
 
     - name: Build GUI-less binary
       run: |

Makefile

@@ -16,6 +16,7 @@ LIBBPF_DIR := $(LIBBPFGO_DIR)/libbpf
 LIBBPF_OUTPUT := $(LIBBPFGO_DIR)/output
 LIBBPF_LIB := $(LIBBPF_OUTPUT)/libbpf.a
 GIT := git
+BPFTOOL := bpftool
 EXTRA_TAGS += linuxbpf libbpfgo_static
 else
 $(error Cannot build BPF objects without clang installed.  Install clang or build with BUILD_LIBBPFGO=0.)
@@ -76,7 +77,11 @@ $(LIBBPFGO_DIR): always-check
 	echo "INFO: updating submodule 'libbpfgo'"
 	$(GIT) submodule update --init --recursive $@
 
-$(LIBBPF_LIB): $(LIBBPFGO_DIR)
+$(LIBBPFGO_DIR)/vmlinux.h: $(LIBBFGO_DIR)
+	mkdir -p $(LIBBPF_OUTPUT)
+	$(BPFTOOL) btf dump file /sys/kernel/btf/vmlinux format c > ./third_party/libbpfgo/output/vmlinux.h
+
+$(LIBBPF_LIB): $(LIBBPFGO_DIR) $(LIBBPFGO_DIR)/vmlinux.h
 	make -C $(LIBBPFGO_DIR) libbpfgo-static
 
 %.bpf.o: %.bpf.c $(LIBBPF_LIB)

artifacts/definitions/LogScale/Events/Clients.yaml

@@ -0,0 +1,76 @@
+name: LogScale.Events.Clients
+description: |
+  This server side event monitoring artifact will watch a selection of client
+  monitoring artifacts for new events and push those to a LogScale (formerly
+  Humio) ingestion endpoint
+
+  NOTE: You must ensure you are collecting these artifacts from the
+  clients by adding them to the "Client Events" GUI.
+
+type: SERVER_EVENT
+
+parameters:
+  - name: ingestApiBase
+    description: API Base Url for LogScale server
+    type: string
+    default: https://cloud.community.humio.com/api
+  - name: ingestToken
+    description: Ingest token for API
+    type: string
+  - name: tagFields
+    description: Comma-separated list of field names to use as tags in the message; Can be renamed with <oldname>=<newname>.
+    default:
+    type: string
+  - name: numThreads
+    description: Number of threads to start up to post events
+    type: int
+    default: 1
+  - name: httpTimeout
+    description: Timeout (in seconds) for http connection attempts
+    type: int
+    default: 10
+  - name: batchingTimeoutMs
+    description: Timeout (in ms) to batch events prior to sending
+    type: int
+    default: 30000
+  - name: eventBatchSize
+    description: Count of events to batch prior to sending
+    type: int
+    default: 2000
+  - name: statsInterval
+    description: Interval to post statistics to log (in seconds, 0 to disable)
+    type: int
+    default: 600
+  - name: debug
+    description: Enable verbose logging
+    type: bool
+    default: false
+  - name: Artifacts
+    type: artifactset
+    artifact_type: CLIENT_EVENT
+    description: Client artifacts to monitor
+
+sources:
+  - query: |
+      LET artifacts_to_watch = SELECT Artifact FROM Artifacts
+        WHERE log(message="Uploading artifact " + Artifact + " to LogScale")
+
+      LET events = SELECT * FROM foreach(
+          row=artifacts_to_watch,
+          async=TRUE,   // Required for event queries in foreach()
+          query={
+             SELECT *, Artifact, timestamp(epoch=now()) AS timestamp
+             FROM watch_monitoring(artifact=Artifact)
+          })
+
+      SELECT * FROM logscale_upload(
+          query=events,
+          apibaseurl=ingestApiBase,
+          ingest_token=ingestToken,
+          threads=numThreads,
+          tag_fields=split(string=tagFields, sep=","),
+          batching_timeout_ms=batchingTimeoutMs,
+          event_batch_size=eventBatchSize,
+          http_timeout=httpTimeout,
+          debug=debug,
+          stats_interval=statsInterval)

artifacts/definitions/LogScale/Flows/Upload.yaml

@@ -0,0 +1,81 @@
+name: LogScale.Flows.Upload
+description: |
+  This server side event monitoring artifact waits for new artifacts
+  to be collected from endpoints and automatically posts those to a
+  LogScale (formerly Humio) ingestion endpoint.
+
+type: SERVER_EVENT
+
+parameters:
+  - name: ingestApiBase
+    description: API Base Url for LogScale server
+    type: string
+    default: https://cloud.community.humio.com/api
+  - name: ingestToken
+    description: Ingest token for API
+    type: string
+  - name: tagFields
+    description: Comma-separated list of field names to use as tags in the message; Can be renamed with <oldname>=<newname>.
+    default:
+    type: string
+  - name: numThreads
+    description: Number of threads to start up to post events
+    type: int
+    default: 1
+  - name: httpTimeout
+    description: Timeout (in seconds) for http connection attempts
+    type: int
+    default: 10
+  - name: batchingTimeoutMs
+    description: Timeout to batch events prior to sending
+    type: int
+    default: 30000
+  - name: eventBatchSize
+    description: Count of events to batch prior to sending
+    type: int
+    default: 2000
+  - name: statsInterval
+    description: Interval to post statistics to log (in seconds, 0 to disable)
+    type: int
+    default: 600
+  - name: debug
+    description: Enable verbose logging
+    type: bool
+    default: false
+  - name: ArtifactNameRegex
+    default: .
+    type: regex
+    description: Only upload these artifacts to elastic
+
+sources:
+  - query: |
+      LET completions = SELECT * FROM watch_monitoring(
+             artifact="System.Flow.Completion")
+             WHERE Flow.artifacts_with_results =~ ArtifactNameRegex
+
+      LET documents = SELECT * FROM foreach(row=completions,
+          query={
+             SELECT * FROM foreach(
+                 row=Flow.artifacts_with_results,
+                 query={
+                     SELECT *, _value AS Artifact,
+                            timestamp(epoch=now()) AS timestamp,
+                            ClientId, Flow.session_id AS FlowId
+                     FROM source(
+                        client_id=ClientId,
+                        flow_id=Flow.session_id,
+                        artifact=_value)
+                 })
+          })
+
+      SELECT * FROM logscale_upload(
+          query=documents,
+          apibaseurl=ingestApiBase,
+          ingest_token=ingestToken,
+          threads=numThreads,
+          tag_fields=split(string=tagFields, sep=","),
+          batching_timeout_ms=batchingTimeoutMs,
+          event_batch_size=eventBatchSize,
+          http_timeout=httpTimeout,
+          debug=debug,
+          stats_interval=statsInterval)

file_store/directory/buffer.go

@@ -204,6 +204,12 @@ func (self *FileBasedRingBuffer) _Truncate() {
 	_, _ = self.fd.WriteAt(serialized, 0)
 }
 
+func (self *FileBasedRingBuffer) PendingSize() int64 {
+	self.mu.Lock()
+	defer self.mu.Unlock()
+	return self.header.WritePointer - self.header.ReadPointer
+}
+
 func (self *FileBasedRingBuffer) Reset() {
 	self.mu.Lock()
 	defer self.mu.Unlock()

file_store/directory/listener.go

@@ -195,6 +195,10 @@ func (self *Listener) Close() {
 	}
 }
 
+func (self *Listener) FileBufferSize() int64 {
+	return self.file_buffer.PendingSize()
+}
+
 func (self *Listener) Debug() *ordereddict.Dict {
 	self.mu.Lock()
 	defer self.mu.Unlock()