[SIEM][Auditbeat] Docs for system/socket dataset #13537
Conversation
|
Pinging @elastic/siem |
adriansr
force-pushed
the
ab_socket_docs
branch
from
3292ac6 to
e1bcdcf
Compare
| packets. With TCP, some packets can be received shortly after a socket is | ||
| closed. If set too low, additional flows will be generated for those packets. | ||
|
|
||
| - `socket.perf_queue_size` (default: 4096) |
There was a problem hiding this comment.
I'm not sure if this option and the ones below should be prefixed with a disclaimer or not documented at all.
| @@ -21,7 +21,7 @@ type Config struct { | |||
| LostQueueSize int `config:"socket.lost_queue_size,min=1"` | |||
|
|
|||
| // ErrQueueSize defines the size of the error queue. A single error is fatal. | |||
| ErrQueueSize int `config:"socket.err_buffer_size,min=1"` | |||
| ErrQueueSize int `config:"socket.err_queue_size,min=1"` | |||
There was a problem hiding this comment.
renamed this one to align with the rest
| [float] | ||
| ==== Kernel configuration | ||
|
|
||
| A kernel built with the following configuration options enabled is required. |
There was a problem hiding this comment.
maybe I'm overdocumenting here
| (IPv6 enabled in the loopback device). | ||
|
|
||
| [float] | ||
| ==== Running on docker |
There was a problem hiding this comment.
is this even useful?
There was a problem hiding this comment.
Someone is going to ask this so it's good to anticipate it.
|
|
||
| - `socket.perf_queue_size` (default: 4096) | ||
|
|
||
| The number of tracing samples that can be queued for processing. A larger value |
There was a problem hiding this comment.
| The number of tracing samples that can be queued for processing. A larger value | |
| The number of tracing samples that can be queued for processing. A larger value |
| @@ -4,3 +4,128 @@ beta[] | |||
|
|
|||
| This is the `socket` dataset of the system module. | |||
There was a problem hiding this comment.
Seems like this comment got dropped by Github. Rewriting it...
Can you add an overview of the features this provides (like the selling points). It might be a little redundant with the second paragraph below, but that's ok. Like UDP and TCP flow tracking for ipv4/ipv6, records the user and process associated with the flow, and does not require a kernel module
There was a problem hiding this comment.
Done. Please have a look
adriansr
requested review from
benskelker
and removed request for
dedemorton
| - Enriches the flows with https://www.elastic.co/guide/en/ecs/current/ecs-process.html[process] | ||
| and https://www.elastic.co/guide/en/ecs/current/ecs-user.html[user] information. | ||
| - Provides information similar to Packetbeat's flow monitoring with reduced CPU | ||
| and memory usage. |
There was a problem hiding this comment.
I feel like the question "why use this when we have Packetbeat" should be answered but at the same time I'm afraid of making too-bold claims. It has a lesser impact on CPU and memory (and room for improvement), but a more in-depth benchmark is necessary.
andrewkroh
added
the
needs_backport
(cherry picked from commit a833e86)
adriansr
added
v7.4.0
and removed
needs_backport
…stic#13556) (cherry picked from commit b37e4ff)
Relates #13058