[Packetbeat] [MongoDB] Report unknown opcodes once (elastic#10878) (e…

…lastic#10886)

This changes the mongoDB decoder reporting unknown opcodes to report
each unknown opcode only once, to avoid flooding the log file with
errors.

(cherry picked from commit 755e2aa)

CHANGELOG.next.asciidoc

@@ -44,6 +44,8 @@ https://github.com/elastic/beats/compare/v6.6.1...6.6[Check the HEAD diff]
 
 *Packetbeat*
 
+- Avoid reporting unknown MongoDB opcodes more than once. {pull}10878[10878]
+
 *Winlogbeat*
 
 *Functionbeat*

packetbeat/protos/mongodb/mongodb_parser.go

@@ -21,13 +21,19 @@ import (
 	"encoding/json"
 	"errors"
 	"strings"
+	"sync"
 
 	"github.com/elastic/beats/libbeat/common"
 	"github.com/elastic/beats/libbeat/logp"
 
 	"gopkg.in/mgo.v2/bson"
 )
 
+var (
+	unknownOpcodes = map[opCode]struct{}{}
+	mutex          sync.Mutex
+)
+
 func mongodbMessageParser(s *stream) (bool, bool) {
 	d := newDecoder(s.data)
 
@@ -56,7 +62,12 @@ func mongodbMessageParser(s *stream) (bool, bool) {
 	opCode := opCode(code)
 
 	if !validOpcode(opCode) {
-		logp.Err("Unknown operation code: %v", opCode)
+		mutex.Lock()
+		defer mutex.Unlock()
+		if _, reported := unknownOpcodes[opCode]; !reported {
+			logp.Err("Unknown operation code: %v", opCode)
+			unknownOpcodes[opCode] = struct{}{}
+		}
 		return false, false
 	}
 

packetbeat/tests/system/test_0025_mongodb_basic.py

@@ -219,3 +219,15 @@ def test_request_after_reply(self):
         o = objs[0]
         assert o["type"] == "mongodb"
         assert o["responsetime"] >= 0
+
+    def test_unknown_opcode_flood(self):
+        """
+        Tests that a repeated unknown opcode is reported just once.
+        """
+        self.render_config_template(
+            mongodb_ports=[9991]
+        )
+        self.run_packetbeat(pcap="mongodb_op_msg_opcode.pcap",
+                            debug_selectors=["mongodb"])
+        num_msgs = self.log_contains_count('Unknown operation code: ')
+        assert num_msgs == 1, "Unknown opcode reported more than once: {0}".format(num_msgs)