Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

misc/stats: Add zeek_net_timestamp_seconds

Browse source 
Adding a metric for the network time value itself should make it
possible to observe it stopping or growing slowly as compared to
realtime when Zeek isn't able to keep up.

Also, modify the telemetry/log.zeek test to include misc/stats and
log at a higher frequency with a more interesting pcap.
This commit is contained in:
Arne Welzel 2024-10-04 11:34:02 +02:00
parent 1822f4f6fe
commit e20aa66eae
4 changed files with 96 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

15
scripts/policy/misc/stats.zeek
View file

@ -130,9 +130,20 @@ global packet_lag_gf = Telemetry::register_gauge_family([
$help_text="Difference of network time and wallclock time in seconds.", $help_text="Difference of network time and wallclock time in seconds.",
]); ]);
# Gauge as motivated by:
# https://www.robustperception.io/are-increasing-timestamps-counters-or-gauges/
global network_time_cf = Telemetry::register_gauge_family([
$prefix="zeek",
$name="net-timestamp",
$unit="seconds",
$help_text="The current network time.",
]);
global no_labels: vector of string; global no_labels: vector of string;
hook Telemetry::sync() { hook Telemetry::sync()
{
Telemetry::gauge_family_set(network_time_cf, no_labels, time_to_double(network_time()));
local net_stats = get_net_stats(); local net_stats = get_net_stats();
Telemetry::counter_family_set(bytes_received_cf, no_labels, net_stats$bytes_recvd); Telemetry::counter_family_set(bytes_received_cf, no_labels, net_stats$bytes_recvd);
Telemetry::counter_family_set(packets_received_cf, no_labels, net_stats$pkts_recvd); Telemetry::counter_family_set(packets_received_cf, no_labels, net_stats$pkts_recvd);
@ -148,7 +159,7 @@ hook Telemetry::sync() {
Telemetry::gauge_family_set(packet_lag_gf, no_labels, Telemetry::gauge_family_set(packet_lag_gf, no_labels,
interval_to_double(current_time() - network_time())); interval_to_double(current_time() - network_time()));
} }
} }
event zeek_init() &priority=5 event zeek_init() &priority=5
{ {

76
testing/btest/Baseline/scripts.policy.frameworks.telemetry.log/telemetry.log.filtered
View file

@ -1,7 +1,71 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
XXXXXXXXXX.XXXXXX zeek counter zeek_ended_sessions_total reason inactivity 0.0 1300475167.096535 zeek counter zeek_net_received_bytes_total (empty) (empty) 87.0
XXXXXXXXXX.XXXXXX zeek counter zeek_total_sessions_total protocol tcp 1.0 1300475167.096535 zeek counter zeek_net_received_packets_total (empty) (empty) 1.0
XXXXXXXXXX.XXXXXX zeek gauge zeek_active_sessions protocol tcp 1.0 1300475167.096535 zeek counter zeek_ended_sessions_total reason inactivity 0.0
XXXXXXXXXX.XXXXXX zeek counter zeek_ended_sessions_total reason inactivity 0.0 1300475167.096535 zeek counter zeek_total_sessions_total protocol icmp 0.0
XXXXXXXXXX.XXXXXX zeek counter zeek_total_sessions_total protocol tcp 500.0 1300475167.096535 zeek counter zeek_total_sessions_total protocol udp 1.0
XXXXXXXXXX.XXXXXX zeek gauge zeek_active_sessions protocol tcp 500.0 1300475167.096535 zeek counter zeek_total_sessions_total protocol tcp 0.0
1300475167.096535 zeek gauge zeek_net_timestamp_seconds (empty) (empty) 1300475167.096535
1300475167.096535 zeek gauge zeek_active_sessions protocol icmp 0.0
1300475167.096535 zeek gauge zeek_active_sessions protocol udp 1.0
1300475167.096535 zeek gauge zeek_active_sessions protocol tcp 0.0
1300475168.652003 zeek counter zeek_net_received_bytes_total (empty) (empty) 1142.0
1300475168.652003 zeek counter zeek_net_received_packets_total (empty) (empty) 6.0
1300475168.652003 zeek counter zeek_ended_sessions_total reason inactivity 0.0
1300475168.652003 zeek counter zeek_total_sessions_total protocol icmp 0.0
1300475168.652003 zeek counter zeek_total_sessions_total protocol udp 3.0
1300475168.652003 zeek counter zeek_total_sessions_total protocol tcp 1.0
1300475168.652003 zeek gauge zeek_net_timestamp_seconds (empty) (empty) 1300475168.652003
1300475168.652003 zeek gauge zeek_active_sessions protocol icmp 0.0
1300475168.652003 zeek gauge zeek_active_sessions protocol udp 3.0
1300475168.652003 zeek gauge zeek_active_sessions protocol tcp 1.0
1300475169.780331 zeek counter zeek_net_received_bytes_total (empty) (empty) 23385.0
1300475169.780331 zeek counter zeek_net_received_packets_total (empty) (empty) 113.0
1300475169.780331 zeek counter zeek_ended_sessions_total reason inactivity 0.0
1300475169.780331 zeek counter zeek_total_sessions_total protocol icmp 0.0
1300475169.780331 zeek counter zeek_total_sessions_total protocol udp 17.0
1300475169.780331 zeek counter zeek_total_sessions_total protocol tcp 10.0
1300475169.780331 zeek gauge zeek_net_timestamp_seconds (empty) (empty) 1300475169.780331
1300475169.780331 zeek gauge zeek_active_sessions protocol icmp 0.0
1300475169.780331 zeek gauge zeek_active_sessions protocol udp 17.0
1300475169.780331 zeek gauge zeek_active_sessions protocol tcp 10.0
1300475170.811500 zeek counter zeek_net_received_bytes_total (empty) (empty) 23604.0
1300475170.811500 zeek counter zeek_net_received_packets_total (empty) (empty) 116.0
1300475170.811500 zeek counter zeek_ended_sessions_total reason inactivity 0.0
1300475170.811500 zeek counter zeek_total_sessions_total protocol icmp 0.0
1300475170.811500 zeek counter zeek_total_sessions_total protocol udp 18.0
1300475170.811500 zeek counter zeek_total_sessions_total protocol tcp 10.0
1300475170.811500 zeek gauge zeek_net_timestamp_seconds (empty) (empty) 1300475170.8115
1300475170.811500 zeek gauge zeek_active_sessions protocol icmp 0.0
1300475170.811500 zeek gauge zeek_active_sessions protocol udp 18.0
1300475170.811500 zeek gauge zeek_active_sessions protocol tcp 10.0
1300475171.886280 zeek counter zeek_net_received_bytes_total (empty) (empty) 24248.0
1300475171.886280 zeek counter zeek_net_received_packets_total (empty) (empty) 124.0
1300475171.886280 zeek counter zeek_ended_sessions_total reason inactivity 0.0
1300475171.886280 zeek counter zeek_total_sessions_total protocol icmp 0.0
1300475171.886280 zeek counter zeek_total_sessions_total protocol udp 21.0
1300475171.886280 zeek counter zeek_total_sessions_total protocol tcp 10.0
1300475171.886280 zeek gauge zeek_net_timestamp_seconds (empty) (empty) 1300475171.88628
1300475171.886280 zeek gauge zeek_active_sessions protocol icmp 0.0
1300475171.886280 zeek gauge zeek_active_sessions protocol udp 21.0
1300475171.886280 zeek gauge zeek_active_sessions protocol tcp 10.0
1300475173.116749 zeek counter zeek_net_received_bytes_total (empty) (empty) 24679.0
1300475173.116749 zeek counter zeek_net_received_packets_total (empty) (empty) 129.0
1300475173.116749 zeek counter zeek_ended_sessions_total reason inactivity 0.0
1300475173.116749 zeek counter zeek_total_sessions_total protocol icmp 0.0
1300475173.116749 zeek counter zeek_total_sessions_total protocol udp 22.0
1300475173.116749 zeek counter zeek_total_sessions_total protocol tcp 10.0
1300475173.116749 zeek gauge zeek_net_timestamp_seconds (empty) (empty) 1300475173.116749
1300475173.116749 zeek gauge zeek_active_sessions protocol icmp 0.0
1300475173.116749 zeek gauge zeek_active_sessions protocol udp 22.0
1300475173.116749 zeek gauge zeek_active_sessions protocol tcp 10.0
1300475173.475401 zeek counter zeek_net_received_bytes_total (empty) (empty) 25260.0
1300475173.475401 zeek counter zeek_net_received_packets_total (empty) (empty) 136.0
1300475173.475401 zeek counter zeek_ended_sessions_total reason inactivity 0.0
1300475173.475401 zeek counter zeek_total_sessions_total protocol icmp 0.0
1300475173.475401 zeek counter zeek_total_sessions_total protocol udp 24.0
1300475173.475401 zeek counter zeek_total_sessions_total protocol tcp 10.0
1300475173.475401 zeek gauge zeek_net_timestamp_seconds (empty) (empty) 1300475173.475401
1300475173.475401 zeek gauge zeek_active_sessions protocol icmp 0.0
1300475173.475401 zeek gauge zeek_active_sessions protocol udp 24.0
1300475173.475401 zeek gauge zeek_active_sessions protocol tcp 9.0

9
testing/btest/Baseline/scripts.policy.frameworks.telemetry.log/telemetry_histogram.log.filtered
View file

@ -1,3 +1,8 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 2.0,3.0,4.0,5.0,6.0,10.0,inf 0.0,0.0,0.0,0.0,0.0,0.0,0.0 0.0 0.0 XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 0.0001,0.001,0.01,0.1,0.5,1.0,5.0,10.0,30.0,60.0,inf 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0 0.0 0.0
XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 2.0,3.0,4.0,5.0,6.0,10.0,inf 0.0,322.0,90.0,5.0,76.0,7.0,0.0 1650.264644 500.0 XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 0.0001,0.001,0.01,0.1,0.5,1.0,5.0,10.0,30.0,60.0,inf 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0 0.0 0.0
XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 0.0001,0.001,0.01,0.1,0.5,1.0,5.0,10.0,30.0,60.0,inf 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0 0.0 0.0
XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 0.0001,0.001,0.01,0.1,0.5,1.0,5.0,10.0,30.0,60.0,inf 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0 0.0 0.0
XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 0.0001,0.001,0.01,0.1,0.5,1.0,5.0,10.0,30.0,60.0,inf 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0 0.0 0.0
XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 0.0001,0.001,0.01,0.1,0.5,1.0,5.0,10.0,30.0,60.0,inf 0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0 0.0 0.0
XXXXXXXXXX.XXXXXX zeek zeek_connection_duration_seconds (empty) (empty) 0.0001,0.001,0.01,0.1,0.5,1.0,5.0,10.0,30.0,60.0,inf 6.0,14.0,0.0,3.0,10.0,0.0,1.0,0.0,0.0,0.0,0.0 4.651298 34.0

10
testing/btest/scripts/policy/frameworks/telemetry/log.zeek
View file

@ -1,20 +1,22 @@
# @TEST-DOC: Test loading of telemetry/log and smoke check the telemetry.log file # @TEST-DOC: Test loading of telemetry/log and smoke check the telemetry.log file
# @TEST-EXEC: zcat <$TRACES/echo-connections.pcap.gz | zeek -b -Cr - %INPUT > out # @TEST-EXEC: zeek -b -Cr $TRACES/wikipedia.trace %INPUT > out
# @TEST-EXEC: grep 'zeek.*sessions' telemetry.log > telemetry.log.filtered # @TEST-EXEC: grep -E 'zeek_(net|.*sessions)' telemetry.log > telemetry.log.filtered
# @TEST-EXEC: grep 'zeek.*connection_duration' telemetry_histogram.log > telemetry_histogram.log.filtered # @TEST-EXEC: grep 'zeek.*connection_duration' telemetry_histogram.log > telemetry_histogram.log.filtered
# @TEST-EXEC: btest-diff telemetry.log.filtered # @TEST-EXEC: TEST_DIFF_CANONIFIER= btest-diff telemetry.log.filtered
# @TEST-EXEC: btest-diff telemetry_histogram.log.filtered # @TEST-EXEC: btest-diff telemetry_histogram.log.filtered
@load misc/stats
@load frameworks/telemetry/log @load frameworks/telemetry/log
redef Telemetry::log_interval = 1sec;
global connection_duration_hf = Telemetry::register_histogram_family([ global connection_duration_hf = Telemetry::register_histogram_family([
$prefix="zeek", $prefix="zeek",
$name="connection_duration", $name="connection_duration",
$unit="seconds", $unit="seconds",
$help_text="Monitored connection duration", $help_text="Monitored connection duration",
$bounds=vector(2.0, 3.0, 4.0, 5.0, 6.0, 10.0) $bounds=vector(0.0001, 0.001, 0.01, 0.1, 0.5, 1.0, 5.0, 10.0, 30.0, 60.0)
]); ]);
global connection_duration_h = Telemetry::histogram_with(connection_duration_hf); global connection_duration_h = Telemetry::histogram_with(connection_duration_hf);