[add_session_metadata] Always use correct code for backend in use. (#…

…41410) (#41413) With the add_session_metadata processor, the config backend option and actual backend in use doesn't always match; the 'auto' option doesn't match a real backend (kernel_tracing, procfs). This fixes some logic so that when the 'auto' option is used, the processor will always follow the code path intended for whatever the actual backend is use is. (cherry picked from commit 0024b2c) Co-authored-by: Michael Wolf <michael.wolf@elastic.co>
elastic · Oct 24, 2024 · 9d23ff5 · 9d23ff5
1 parent 2ee70d1
commit 9d23ff5
Showing 1 changed file with 30 additions and 22 deletions.
diff --git a/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go b/x-pack/auditbeat/processors/sessionmd/add_session_metadata.go
@@ -26,8 +26,10 @@ import (
 )
 
 const (
-	processorName = "add_session_metadata"
-	logName       = "processor." + processorName
+	processorName     = "add_session_metadata"
+	logName           = "processor." + processorName
+	procfsType        = "procfs"
+	kernelTracingType = "kernel_tracing"
 )
 
 // InitializeModule initializes this module.
@@ -36,13 +38,14 @@ func InitializeModule() {
 }
 
 type addSessionMetadata struct {
-	ctx      context.Context
-	cancel   context.CancelFunc
-	config   config
-	logger   *logp.Logger
-	db       *processdb.DB
-	provider provider.Provider
-	backend  string
+	ctx          context.Context
+	cancel       context.CancelFunc
+	config       config
+	logger       *logp.Logger
+	db           *processdb.DB
+	provider     provider.Provider
+	backend      string
+	providerType string
 }
 
 func New(cfg *cfg.C) (beat.Processor, error) {
@@ -61,51 +64,56 @@ func New(cfg *cfg.C) (beat.Processor, error) {
 		return nil, fmt.Errorf("failed to create DB: %w", err)
 	}
 
-	if c.Backend != "kernel_tracing" {
-		backfilledPIDs := db.ScrapeProcfs()
-		logger.Infof("backfilled %d processes", len(backfilledPIDs))
-	}
-
 	var p provider.Provider
+	var pType string
 
 	switch c.Backend {
 	case "auto":
 		p, err = kerneltracingprovider.NewProvider(ctx, logger)
 		if err != nil {
 			// Most likely cause of error is not supporting ebpf or kprobes on system, try procfs
+			backfilledPIDs := db.ScrapeProcfs()
+			logger.Infof("backfilled %d processes", len(backfilledPIDs))
 			p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
 			if err != nil {
 				cancel()
 				return nil, fmt.Errorf("failed to create provider: %w", err)
 			}
 			logger.Info("backend=auto using procfs")
+			pType = procfsType
 		} else {
 			logger.Info("backend=auto using kernel_tracing")
+			pType = kernelTracingType
 		}
 	case "procfs":
+		backfilledPIDs := db.ScrapeProcfs()
+		logger.Infof("backfilled %d processes", len(backfilledPIDs))
 		p, err = procfsprovider.NewProvider(ctx, logger, db, reader, c.PIDField)
 		if err != nil {
 			cancel()
 			return nil, fmt.Errorf("failed to create procfs provider: %w", err)
 		}
+		pType = procfsType
 	case "kernel_tracing":
 		p, err = kerneltracingprovider.NewProvider(ctx, logger)
 		if err != nil {
 			cancel()
 			return nil, fmt.Errorf("failed to create kernel_tracing provider: %w", err)
 		}
+		pType = kernelTracingType
 	default:
 		cancel()
 		return nil, fmt.Errorf("unknown backend configuration")
 	}
 	return &addSessionMetadata{
-		ctx:      ctx,
-		cancel:   cancel,
-		config:   c,
-		logger:   logger,
-		db:       db,
-		provider: p,
-		backend:  c.Backend,
+		ctx:          ctx,
+		cancel:       cancel,
+		config:       c,
+		logger:       logger,
+		db:           db,
+		provider:     p,
+		backend:      c.Backend,
+		providerType: pType,
 	}, nil
 }
 
@@ -161,7 +169,7 @@ func (p *addSessionMetadata) enrich(ev *beat.Event) (*beat.Event, error) {
 	}
 
 	var fullProcess types.Process
-	if p.backend == "kernel_tracing" {
+	if p.providerType == kernelTracingType {
 		// kernel_tracing doesn't enrich with the processor DB;  process info is taken directly from quark cache
 		proc, err := p.provider.GetProcess(pid)
 		if err != nil {