Auditbeat: initial_scan action for new paths

[cwurm]

Introduces a new found action that is used by the scanner on startup (when scan_at_start: true) to mark files found in configured paths that it has not seen before.

Addresses #7821

[cwurm]

A bit more detail: The new logic follows Option 2 laid out in a comment in the original issue. Before the scanner is called, the Metricset checks which paths from the config are not contained in the db and are therefore assumed to be new. It passes this list to the scanner which allows it to correctly mark new dirs and files it sees as either found (when they are in a new path) or created (when they are in a previously known path).

[andrewkroh]

I'll try to take a deeper look at this today. Thanks for opening a PR!

[andrewkroh]

The comments are great. I just want to encourage you to use the godoc format (even for private methods) which is to start the sentence with the name of the method (e.g. findNewPaths finds the new paths...).

[cwurm]

Thanks for the pointer, I fixed it here and will try to remember going forward.

[adriansr]

Just one minor comment, otherwise LGTM.

[adriansr]

Can you update the function's comment to reflect the meaning of this parameter and maybe give it a more descriptive name?

[cwurm]

Done.

[adriansr]

There's an issue with the CLA related to the e-mail address you used for this commits. I guess it can be fixed by associating this e-mail address with your Github account

[cwurm]

There's an issue with the CLA related to the e-mail address you used for this commits. I guess it can be fixed by associating this e-mail address with your Github account

Thanks, fixed it.

Test failed in CI that didn't fail locally, I'm not sure why. Looking into it.

[cwurm]

Test failed in CI that didn't fail locally, I'm not sure why. Looking into it.

Found it: When the test runs, there's a race about whether the changes are found by the scanner or by filesystem notification (both are started at the same time). The scanner usually wins, and the actions it sets is what the test was originally written for. The filesystem reports slightly different actions (e.g. created|updated instead of created|attributes_modified). I've changed the test to only test for the common actions (e.g. created).

It's a bit of a shame though that the reported actions are not deterministic, and maybe this is something that we can normalize in the future.

I've pushed a commit, let's hope the CI is good with it. It's a non-deterministic failure, so it's a bit tricky. I tested locally with -run 1000 to be sure.

[andrewkroh]

I like the solution you reached here. I left a few comments.

[andrewkroh]

There's a double space between paths have. And it should have a period to end the sentence.

[cwurm]

Thanks, fixed.

[andrewkroh]

When using a map as a set data structure you can use map[string]struct{}. To me this is more clear because it's saying that you don't care about the value and that when you use map you will only be checking whether the key exists (rather than that the key exists and its value is true). Also it may save a few bytes.

m := map[string]struct{}{} // Init.

m[name] = struct{} // Add.

if _, exists := m[name]; exists {  // Contains.
  // Exists!
}

[cwurm]

Oh nice, I like that it takes 0 bytes - done.

[andrewkroh]

This seems like nice clear solution to the problem. 👍

[andrewkroh]

So this flag indicates that the event was generated due to the initial scan? If so how about we call it initial_scan rather than found?

[cwurm]

Makes sense - changed it.

[cwurm]

Thanks @andrewkroh - all implemented. Travis is unhappy, but it doesn't look related.

[andrewkroh]

LGTM.

[andrewkroh]

@cwurm A few notes on your commit message:

• The first line should be a short summary.

• Follow that by a blank line.

• Then do your detailed description.

• If you want the related issue to auto-close on merge (your choice) then use one of the keywords recognized by GH.

[cwurm]

Thanks @andrewkroh - I've changed it to follow the format and made it more descriptive. Let me know if anything is still missing.