diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index adb13785f09b..3b96e629bd7b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -255,6 +255,9 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 *Auditbeat*
+- Improve logging in system/socket {pull}41571[41571]
+
+
 *Auditbeat*
diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go
index 347c5385921f..f102127e783c 100644
--- a/x-pack/auditbeat/module/system/socket/state.go
+++ b/x-pack/auditbeat/module/system/socket/state.go
@@ -570,6 +570,7 @@ func (s *state) ForkProcess(parentPID, childPID uint32, ts kernelTime) error {
 		for k, v := range parent.resolvedDomains {
 			child.resolvedDomains[k] = v
 		}
+		s.log.Debugf("forking process %d with %d associated domains", childPID, len(child.resolvedDomains))
 		s.processes[childPID] = child
 	}
 	return nil
@@ -579,6 +580,7 @@ func (s *state) TerminateProcess(pid uint32) error {
 	if pid == 0 {
 		return errors.New("can't terminate process with PID 0")
 	}
+	s.log.Debugf("terminating process %d", pid)
 	s.Lock()
 	defer s.Unlock()
 	delete(s.processes, pid)
@@ -676,6 +678,7 @@ func (s *state) CreateSocket(ref flow) error {
 func (s *state) OnDNSTransaction(tr dns.Transaction) error {
 	s.Lock()
 	defer s.Unlock()
+	s.log.Debugf("adding DNS transaction for domain %s for client %s", tr.Domain, tr.Client.String())
 	s.dns.AddTransaction(tr)
 	return nil
 }
@@ -721,6 +724,10 @@ func (s *state) mutualEnrich(sock *socket, f *flow) {
 }
 
 func (s *state) createFlow(ref flow) error {
+	if ref.process != nil {
+		s.log.Debugf("creating flow for pid %s", ref.process.pid)
+	}
+
 	// Get or create a socket for this flow
 	sock := s.getSocket(ref.sock)
 	ref.createdTime = ref.lastSeenTime
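Review bot: The domain written by the new Debugf line in OnDNSTransaction comes straight from captured DNS traffic, so a name carrying newline or control bytes could split or forge log entries on whatever consumes the debug log; formatting it with `%q` keeps the entry on one line and also makes an empty name visible: `s.log.Debugf("adding DNS transaction for domain %q for client %s", tr.Domain, tr.Client.String())`. Whether the dns package already sanitises names before they reach tr.Domain is not visible in this diff, so treat this as a cheap precaution rather than a confirmed problem.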
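Review bot: The new Debugf in createFlow formats `ref.process.pid` with `%s`, but the same field is printed with `%d` in the enrichDNS hunk below and the surrounding API takes PIDs as uint32, so this line will emit `%!s(uint32=1234)` instead of the pid and go vet's printf check will flag it; change it to `s.log.Debugf("creating flow for pid %d", ref.process.pid)`. createFlow's body continues past the end of the hunk, so the rest of the function was not reviewed here.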
@@ -821,6 +828,9 @@ func (s *state) enrichDNS(f *flow) {
 			IP:   f.local.addr.IP,
 			Port: f.local.addr.Port,
 		}
+		if f.process != nil {
+			s.log.Debugf("registering endpoint %s for process %d", localUDP.String(), f.process.pid)
+		}
 		s.dns.RegisterEndpoint(localUDP, f.process)
 	}
 }
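Review bot: The new log line in enrichDNS calls `localUDP.String()` eagerly, so the string is built for every flow that reaches this branch even when debug logging is disabled, which looks like a per-flow path; if the logger short-circuits below its configured level (not visible here), passing the address itself and letting the formatter call String only when the line is emitted avoids that work, e.g. `s.log.Debugf("registering endpoint %s for process %d", &localUDP, f.process.pid)`. Note the added nil check guards only the log; `s.dns.RegisterEndpoint(localUDP, f.process)` is still reached with a nil process as before, which is existing behaviour rather than something this change introduces. enrichDNS starts before this hunk.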