[windows][cws][wkint-495] Add additional statistics to the security p… (

#25495)

* [windows] Update ETW with new functions; add ability to get ETW stats

intermediate checking. Have standalone commit to allow changing number of ETW buffers

add ability to get etw stats

clean up cherry-pick

* [windows][cws][wkint-495] Add additional statistics to the security probe

Title says it all.

Add a bunch of statistics for internal profiling of performance of the system probe cws
functionality.

* fix incorrect merge

pkg/security/metrics/metrics_windows.go

@@ -36,6 +36,12 @@ var (
  //MetricWindowsFileFlush is the metric for counting file flush notifications
  //Tags: -
  MetricWindowsFileFlush = newRuntimeMetric(".windows.file.flush")
+ //MetricWindowsFileWrite is the metric for counting file write notifications
+ //Tags: -
+ MetricWindowsFileWrite = newRuntimeMetric(".windows.file.write")
+ //MetricWindowsFileWriteProcessed is the metric for counting file write notifications
+ //Tags: -
+ MetricWindowsFileWriteProcessed = newRuntimeMetric(".windows.file.write_processed")
 
  //MetricWindowsFileSetInformation is the metric for counting file set information notifications
  //Tags: -
@@ -91,4 +97,28 @@ var (
  //MetricWindowsSizeOfRegistryPathResolver is the metric for counting the size of the registry cache
  //Tags: -
  MetricWindowsSizeOfRegistryPathResolver = newRuntimeMetric(".windows.registry_resolver.size")
+ //MetricWindowsETWChannelBlockedCount is the metric for counting the number of blocked ETW channels
+ //Tags: -
+ MetricWindowsETWChannelBlockedCount = newRuntimeMetric(".windows.etw_channel_blocked_count")
+ //MetricWindowsETWNumberOfBuffers is the metric for counting the number of ETW buffers
+ //Tags: -
+ MetricWindowsETWNumberOfBuffers = newRuntimeMetric(".windows.etw_number_of_buffers")
+ //MetricWindowsETWFreeBuffers is the metric for counting the number of free ETW buffers
+ //Tags: -
+ MetricWindowsETWFreeBuffers = newRuntimeMetric(".windows.etw_free_buffers")
+ //MetricWindowsETWEventsLost is the metric for counting the number of ETW events lost
+ //Tags: -
+ MetricWindowsETWEventsLost = newRuntimeMetric(".windows.etw_events_lost")
+ //MetricWindowsETWBuffersWritten is the metric for counting the number of ETW buffers written
+ //Tags: -
+ MetricWindowsETWBuffersWritten = newRuntimeMetric(".windows.etw_buffers_written")
+ //MetricWindowsETWLogBuffersLost is the metric for counting the number of ETW log buffers lost
+ //Tags: -
+ MetricWindowsETWLogBuffersLost = newRuntimeMetric(".windows.etw_log_buffers_lost")
+ //MetricWindowsETWRealTimeBuffersLost is the metric for counting the number of ETW real-time buffers lost
+ //Tags: -
+ MetricWindowsETWRealTimeBuffersLost = newRuntimeMetric(".windows.etw_real_time_buffers_lost")
+ //MetricWindowsETWTotalNotifications is the metric for counting the total number of ETW notifications
+ //Tags: -
+ MetricWindowsETWTotalNotifications = newRuntimeMetric(".windows.etw_total_notifications")
 )

pkg/security/probe/probe_windows.go

@@ -105,11 +105,13 @@ type stats struct {
  procStop uint64
 
  // etw file notifications
- fileCreate uint64
- fileCreateNew uint64
- fileCleanup uint64
- fileClose uint64
- fileFlush uint64
+ fileCreate uint64
+ fileCreateNew uint64
+ fileCleanup uint64
+ fileClose uint64
+ fileFlush uint64
+ fileWrite uint64
+ fileWriteProcessed uint64
 
  fileSetInformation uint64
  fileSetDelete uint64
@@ -129,6 +131,11 @@ type stats struct {
  //filePathResolver status
  fileCreateSkippedDiscardedPaths uint64
  fileCreateSkippedDiscardedBasenames uint64
+
+ // currently not used, reserved for future use
+ etwChannelBlocked uint64
+
+ totalEtwNotifications uint64
 }
 
 /*
@@ -269,6 +276,7 @@ func (p *WindowsProbe) setupEtw(ecb etwCallback) error {
 
  log.Info("Starting tracing...")
  err := p.fimSession.StartTracing(func(e *etw.DDEventRecord) {
+ p.stats.totalEtwNotifications++
  switch e.EventHeader.ProviderID {
  case etw.DDGUID(p.fileguid):
  switch e.EventHeader.EventDescriptor.ID {
@@ -324,7 +332,9 @@ func (p *WindowsProbe) setupEtw(ecb etwCallback) error {
  //fmt.Printf("Received Write event %d %s\n", e.EventHeader.EventDescriptor.ID, wa)
  log.Tracef("Received Write event %d %s\n", e.EventHeader.EventDescriptor.ID, wa)
  ecb(wa, e.EventHeader.ProcessID)
+ p.stats.fileWriteProcessed++
  }
+ p.stats.fileWrite++
 
  case idSetInformation:
  if si, err := p.parseInformationArgs(e); err == nil {
@@ -786,6 +796,33 @@ func (p *WindowsProbe) SendStats() error {
  if err := p.statsdClient.Gauge(metrics.MetricWindowsSizeOfRegistryPathResolver, float64(len(p.regPathResolver)), nil, 1); err != nil {
  return err
  }
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWChannelBlockedCount, float64(p.stats.etwChannelBlocked), nil, 1); err != nil {
+ return err
+ }
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWTotalNotifications, float64(p.stats.totalEtwNotifications), nil, 1); err != nil {
+ return err
+ }
+ if etwstats, err := p.fimSession.GetSessionStatistics(); err == nil {
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWNumberOfBuffers, float64(etwstats.NumberOfBuffers), nil, 1); err != nil {
+ return err
+ }
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWFreeBuffers, float64(etwstats.FreeBuffers), nil, 1); err != nil {
+ return err
+ }
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWEventsLost, float64(etwstats.EventsLost), nil, 1); err != nil {
+ return err
+ }
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWBuffersWritten, float64(etwstats.BuffersWritten), nil, 1); err != nil {
+ return err
+ }
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWLogBuffersLost, float64(etwstats.LogBuffersLost), nil, 1); err != nil {
+ return err
+ }
+ if err := p.statsdClient.Gauge(metrics.MetricWindowsETWRealTimeBuffersLost, float64(etwstats.RealTimeBuffersLost), nil, 1); err != nil {
+ return err
+ }
+
+ }
  return nil
 }