last few seconds' Zeek logs prior to log rotation may be lost #151
Comments
mmguero
added
bug
|
Looking closer at the configuration, I don't think it has to do with the scan frequency. As the documentation for filebeat states, that 10s value is "How often Filebeat checks for new files in the paths that are specified for harvesting". The files are left open, and are continually monitored, only being closed once the close inactive setting is hit, which is 90 minutes. So the only way it should be losing events is if the file has been inactive for 90 minutes, then all of a sudden within the last 10 seconds before rotation got some data before it was rechecked. I think the more likely scenario is how I'm handling the renamed files in logstash on the Malcolm side, which is basically "not handling it." Rather than doing what I'm doing, I should check and adjust for the temporarily-renamed files and log those events like normal. |
mmguero
changed the title
…g rotation may be lost
|
I think my commit (mmguero-dev/Malcolm@43e63a4) addresses this issue, at least as far as I've been able to come up with something to test it. What I did to test this solution was to set up Hedgehog and increase the Zeek rollover from 1 hour (3600 seconds) to 1 minute (60 seconds) to try to exacerbate the issue even more. I let this run for about 30 minutes so that it would rollover (rename then zip) about 30 times, resulting in just under 10,000 conn.log entries. After that I shut the sensor down, found and unzip all of the conn.log files that had been archived, and saved all of the zeek UID values out of them. I then went over to the Malcolm that had been receiving the events and did an individual document lookup for each of the UID values to make sure none had been lost. All were accounted for. I'm going to mark this as closed, but if this is encountered by our partner organization again or anyone, please feel free to reopen. |
Malcolm v23.03.0 is a release with enhancements, component version updates and bug fixes.
* Enhancements
- Replace Zeek's [misc/scan.zeek with ncsa/bro-simple-scan](https://github.com/zeek/zeek/blob/cdadc329859810244244c8800f0102543e4f134f/NEWS#L540-L541)
- terminate `start` and `restart` scripts once Malcolm has started properly (cisagov#240 and cisagov#241, thanks @Njinx)
- minor usability improvements for ISO-installed Malcolm and Hedgehog (#155)
+ Added a "Configure Malcolm" menu item (under the "Internet" GTK menu with the other Malcolm stuff) and launcher on the top panel of icons in Malcolm. This runs `./scripts/install.py --configure` in full screen. May look at starting this automatically on first boot in the future. (Malcolm)
+ Added Malcolm shortcut to gtk-3.0/bookmarks so it shows up in Thunar sidebar (Malcolm)
+ Added /opt/sensor/sensor_ctl shortcut to gtk-3.0/bookmarks so it shows up in Thunar sidebar (Hedgehog)
+ Have tilix from launcher panel start in /opt/sensor/sensor_ctl (Hedgehog)
- minor tweaks to defaults for `install.py --configure` (enable offline-capable file scanners by default)
- interrupt NetBox startup import script when `netbox-restore` is run
- added NetBox restore logic to `reset_and_auto_populate.sh` script (used mostly for demos and presentations)
* Component version updates
- Arkime to [v4.2.0](https://github.com/arkime/arkime/blob/93c89d68b25a4a56f7a6b8099a2661af9648ebaf/CHANGELOG#L39-L66)
- [OpenSearch](https://github.com/opensearch-project/OpenSearch/blob/bc50a2edcf29c3c41b7a777575c61e1874847d8a/release-notes/opensearch.release-notes-2.6.0.md) and [OpenSearch Dashboards](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/69bcbfeea9bb345364e47f048cd5bcfe64c9c242/release-notes/opensearch-dashboards.release-notes-2.6.0.md) to 2.6.0
- [Logstash](https://www.elastic.co/guide/en/logstash/current/releasenotes.html) from v8.4.0 to v8.6.1
- [Beats](https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-8.6.2.html) to v8.6.2
- Zeek to [v5.0.7](https://github.com/zeek/zeek/releases/tag/v5.0.7)
- OpenSearch-Py to [v2.2.0](https://github.com/opensearch-project/opensearch-py/releases/tag/v2.2.0) (and remove opensearch-dsl which is now part of opensearch-py)
- Supercronic to [v0.2.2](https://github.com/aptible/supercronic/releases/tag/v0.2.2)
- Capa to [v5.0.0](https://github.com/mandiant/capa/releases/tag/v5.0.0)
- Fluent Bit to [v2.0.9](https://github.com/fluent/fluent-bit/releases/tag/v2.0.9)
- Version updates to various Python package dependencies
* Fixes
- last few seconds' Zeek logs prior to log rotation may be lost (#151)
- in ISO-packaged Malcolm installation `scripts` directory, symlink `netbox-backup` and `netbox-restore` to `control.py`
- improve opensearchpy connect/health check logig in `pcap_watcher.py` in `pcap-monitor` container
Malcolm v23.03.0 is a release with enhancements, component version updates and bug fixes.
* Enhancements
- Replace Zeek's [misc/scan.zeek with ncsa/bro-simple-scan](https://github.com/zeek/zeek/blob/cdadc329859810244244c8800f0102543e4f134f/NEWS#L540-L541)
- terminate `start` and `restart` scripts once Malcolm has started properly (#240 and #241, thanks @Njinx)
- minor usability improvements for ISO-installed Malcolm and Hedgehog (idaholab#155)
+ Added a "Configure Malcolm" menu item (under the "Internet" GTK menu with the other Malcolm stuff) and launcher on the top panel of icons in Malcolm. This runs `./scripts/install.py --configure` in full screen. May look at starting this automatically on first boot in the future. (Malcolm)
+ Added Malcolm shortcut to gtk-3.0/bookmarks so it shows up in Thunar sidebar (Malcolm)
+ Added /opt/sensor/sensor_ctl shortcut to gtk-3.0/bookmarks so it shows up in Thunar sidebar (Hedgehog)
+ Have tilix from launcher panel start in /opt/sensor/sensor_ctl (Hedgehog)
- minor tweaks to defaults for `install.py --configure` (enable offline-capable file scanners by default)
- interrupt NetBox startup import script when `netbox-restore` is run
- added NetBox restore logic to `reset_and_auto_populate.sh` script (used mostly for demos and presentations)
* Component version updates
- Arkime to [v4.2.0](https://github.com/arkime/arkime/blob/93c89d68b25a4a56f7a6b8099a2661af9648ebaf/CHANGELOG#L39-L66)
- [OpenSearch](https://github.com/opensearch-project/OpenSearch/blob/bc50a2edcf29c3c41b7a777575c61e1874847d8a/release-notes/opensearch.release-notes-2.6.0.md) and [OpenSearch Dashboards](https://github.com/opensearch-project/OpenSearch-Dashboards/blob/69bcbfeea9bb345364e47f048cd5bcfe64c9c242/release-notes/opensearch-dashboards.release-notes-2.6.0.md) to 2.6.0
- [Logstash](https://www.elastic.co/guide/en/logstash/current/releasenotes.html) from v8.4.0 to v8.6.1
- [Beats](https://www.elastic.co/guide/en/beats/libbeat/current/release-notes-8.6.2.html) to v8.6.2
- Zeek to [v5.0.7](https://github.com/zeek/zeek/releases/tag/v5.0.7)
- OpenSearch-Py to [v2.2.0](https://github.com/opensearch-project/opensearch-py/releases/tag/v2.2.0) (and remove opensearch-dsl which is now part of opensearch-py)
- Supercronic to [v0.2.2](https://github.com/aptible/supercronic/releases/tag/v0.2.2)
- Capa to [v5.0.0](https://github.com/mandiant/capa/releases/tag/v5.0.0)
- Fluent Bit to [v2.0.9](https://github.com/fluent/fluent-bit/releases/tag/v2.0.9)
- Version updates to various Python package dependencies
* Fixes
- last few seconds' Zeek logs prior to log rotation may be lost (idaholab#151)
- in ISO-packaged Malcolm installation `scripts` directory, symlink `netbox-backup` and `netbox-restore` to `control.py`
- improve opensearchpy connect/health check logig in `pcap_watcher.py` in `pcap-monitor` container
(Reported to us by a partner organization:)
When using Malcolm with several Hedgehogs, we encountered the following issue:
Some Zeek logs under /home/sensor/bro_logs/logs/ cannot be found in the OpenSearch database.
We noticed the following pattern: The “last” entries of a Zeek log (e.g
ntp.00:00:00-01:00:00.log.gz) are often missing in OpenSearch. These are always log entries that were added shortly before Zeek's log rotation. Usually, within the last seconds of each hour.Is it possible that individual entries are lost due to Zeek's log rotation [1], as Filebeat only checks these files every 10s [2]?
[1] https://github.com/cisagov/Malcolm/blob/main/shared/bin/zeekdeploy.sh#L100
[2]https://github.com/cisagov/Malcolm/blob/main/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml#L15
The text was updated successfully, but these errors were encountered: