Winlogbeat: Use bookmarks to persist last published event #6150
Conversation
|
|
||
| // CreateBookmarkFromEvent creates a new handle to a bookmark. Close must be called on | ||
| // returned EvtHandle when finished with the handle. | ||
| func CreateBookmarkFromXml(bookmarkXml string) (EvtHandle, error) { |
There was a problem hiding this comment.
func CreateBookmarkFromXml should be CreateBookmarkFromXML
func parameter bookmarkXml should be bookmarkXML
| return h, nil | ||
| } | ||
|
|
||
| // CreateBookmarkFromEvent creates a new handle to a bookmark. Close must be called on |
There was a problem hiding this comment.
comment on exported function CreateBookmarkFromXml should be of the form "CreateBookmarkFromXml ..."
adriansr
force-pushed
the
wb/feature/bookmarks
branch
from
61c2408
to
14f23fe
Compare
| // CreateBookmarkFromXml creates a new bookmark from the serialised representation | ||
| // of an existing bookmark. Close must be called on returned EvtHandle when | ||
| // finished with the handle. | ||
| func CreateBookmarkFromXml(bookmarkXml string) (EvtHandle, error) { |
There was a problem hiding this comment.
func CreateBookmarkFromXml should be CreateBookmarkFromXML
func parameter bookmarkXml should be bookmarkXML
| // CreateBookmarkFromXml creates a new bookmark from the serialised representation | ||
| // of an existing bookmark. Close must be called on returned EvtHandle when | ||
| // finished with the handle. | ||
| func CreateBookmarkFromXml(bookmarkXml string) (EvtHandle, error) { |
There was a problem hiding this comment.
func CreateBookmarkFromXml should be CreateBookmarkFromXML
func parameter bookmarkXml should be bookmarkXML
adriansr
force-pushed
the
wb/feature/bookmarks
branch
from
14f23fe
to
0f3eed9
Compare
adriansr
added
enhancement
in progress
adriansr
force-pushed
the
wb/feature/bookmarks
branch
from
0f3eed9
to
54a63d4
Compare
|
Jenkins, test it and not fail this time please |
winlogbeat/eventlog/eventlog.go
Outdated
| @@ -41,7 +41,7 @@ type EventLog interface { | |||
| // Open the event log. recordNumber is the last successfully read event log | |||
There was a problem hiding this comment.
The godocs should be updated.
winlogbeat/eventlog/eventlogging.go
Outdated
| @@ -9,6 +9,8 @@ import ( | |||
|
|
|||
| "github.com/joeshaw/multierror" | |||
|
|
|||
| "github.com/elastic/beats/winlogbeat/checkpoint" | |||
There was a problem hiding this comment.
This could be added to the group below.
| var bookmark win.EvtHandle | ||
| var err error | ||
| if len(state.Bookmark) > 0 { | ||
| bookmark, err = win.CreateBookmarkFromXML(state.Bookmark) |
There was a problem hiding this comment.
This is missing an error check. Looks like you intended to move the error check below outside the if/else.
| RecordNumber: r.RecordID, | ||
| Timestamp: r.TimeCreated.SystemTime, | ||
| } | ||
| if r.Offset.Bookmark, err = l.createBookmarkFromEvent(h); err != nil { |
There was a problem hiding this comment.
Any idea as to the impact of calling this for every event? Could you run these benchmarks and share the before and after results.
There was a problem hiding this comment.
I did run some tests at first and method was taking less than 1ms to complete. However, I also found out that every event was persisted so it was necessary to always create a bookmark anyway. Maybe there was something wrong in my configuration, a side-effect of running with -N.
The benchmark results:
Before:
=== RUN TestBenchmarkBatchReadSize
--- PASS: TestBenchmarkBatchReadSize (74.86s)
bench_test.go:80: batch_size=10, total_events=50000, batch_time=3.543758ms, events_per_sec=2821.863118192608, bytes_alloced_per_event=14 kB, total_allocs=12330717
bench_test.go:80: batch_size=100, total_events=50000, batch_time=33.800801ms, events_per_sec=2958.509770227043, bytes_alloced_per_event=14 kB, total_allocs=12260220
bench_test.go:80: batch_size=500, total_events=50000, batch_time=169.47269ms, events_per_sec=2950.32786698553, bytes_alloced_per_event=14 kB, total_allocs=12252311
bench_test.go:80: batch_size=1000, total_events=50000, batch_time=333.476478ms, events_per_sec=2998.7122510032027, bytes_alloced_per_event=14 kB, total_allocs=12251057
PASS
ok github.com/elastic/beats/winlogbeat/eventlog 74.900s
After:
=== RUN TestBenchmarkBatchReadSize
--- PASS: TestBenchmarkBatchReadSize (77.18s)
bench_test.go:80: batch_size=10, total_events=50000, batch_time=3.655664ms, events_per_sec=2735.4811601941537, bytes_alloced_per_event=14 kB, total_allocs=12430766
bench_test.go:80: batch_size=100, total_events=50000, batch_time=34.74005ms, events_per_sec=2878.522051637807, bytes_alloced_per_event=14 kB, total_allocs=12360267
bench_test.go:80: batch_size=500, total_events=50000, batch_time=173.232487ms, events_per_sec=2886.294647492996, bytes_alloced_per_event=14 kB, total_allocs=12352376
bench_test.go:80: batch_size=1000, total_events=50000, batch_time=343.0666ms, events_per_sec=2914.885914280201, bytes_alloced_per_event=14 kB, total_allocs=12351096
PASS
ok github.com/elastic/beats/winlogbeat/eventlog 77.221s
| @@ -197,9 +197,9 @@ func RenderEvent( | |||
| // include the RenderingInfo (message). If the event is not rendered then the | |||
| // XML will not include the message, and in this case RenderEvent should be | |||
| // used. | |||
| func RenderEventXML(eventHandle EvtHandle, renderBuf []byte, out io.Writer) error { | |||
| func RenderEventXML(eventHandle EvtHandle, flag EvtRenderFlag, renderBuf []byte, out io.Writer) error { | |||
There was a problem hiding this comment.
This function name is no longer fully reflective of the usage because it can render both events and bookmarks based on the flag. I suggest renaming it to be more general such as RenderXML or create RenderEventXML and RenderBookmarkXML and have them call this function (with it being renamed to something like renderXML).
winlogbeat/eventlog/wineventlog.go
Outdated
| @@ -12,6 +12,8 @@ import ( | |||
| "github.com/pkg/errors" | |||
| "golang.org/x/sys/windows" | |||
|
|
|||
| "github.com/elastic/beats/winlogbeat/checkpoint" | |||
There was a problem hiding this comment.
Group this import with the other elastic imports.
winlogbeat/checkpoint/checkpoint.go
Outdated
| @@ -45,6 +45,7 @@ type EventLogState struct { | |||
| Name string `yaml:"name"` | |||
| RecordNumber uint64 `yaml:"record_number"` | |||
| Timestamp time.Time `yaml:"timestamp"` | |||
| Bookmark string `yaml:"bookmark"` | |||
There was a problem hiding this comment.
Since this is optional for the eventlog API add ,omitempty to the yaml tag.
update_time: 2018-01-24T16:05:31.2972263Z
event_logs:
- name: WinlogbeatTestPython
record_number: 37134
timestamp: 2018-01-24T16:05:30Z
bookmark: ""
|
There doesn't appear to be any existing test that verifies Winlogbeat resumes from the position specified in the registry. I think this would be a good test to add. Something like
|
When using the Windows Event Log API, a bookmark is used to persist the last position read in the stream. This is a first step to support XML queries (potentially involving multiple channels). Also fixes a problem when using Forwarded Events.
adriansr
force-pushed
the
wb/feature/bookmarks
branch
from
54a63d4
to
3658953
Compare
The hostname reported by beats is fully-qualified wheter platform.node() might only include the host name.
adriansr
force-pushed
the
wb/feature/bookmarks
branch
from
0880765
to
80b86af
Compare
When using the Windows Event Log API, a bookmark is used to persist the
last position read in the stream. This is a first step to support XML
queries potentially involving multiple channels (#1054). Also fixes a problem
when using Forwarded Events (#3731).