Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ごく稀にログが欠損する可能性を排除できない問題を修正 #175

Closed
tkhr-ueda opened this issue Feb 20, 2024 · 0 comments · Fixed by #183
Closed

ごく稀にログが欠損する可能性を排除できない問題を修正 #175

tkhr-ueda opened this issue Feb 20, 2024 · 0 comments · Fixed by #183
Assignees
@tkhr-ueda
Labels
bug Something isn't working
Milestone
STEP2.9リリース

Comments

@tkhr-ueda
Copy link
Contributor

問題点

ログ集約処理の実行直後に、新たなログファイルが生成(ローテート)され、その後rmコマンドが実行された場合にログの欠損が生じる可能性がある。

該当する処理

OsecT/osect_sensor/Infrastructure/edge_cron/work/ot_tools/bro.sh

Lines 17 to 18 in 6604b9b

awk '$9<60{print}' $(find /usr/local/zeek/logs -name "conn.*.log") > "/usr/local/zeek/logs/conn_replace.log"
rm $(find /usr/local/zeek/logs -name "conn.*.log")

OsecT/osect_sensor/Infrastructure/edge_cron/work/ot_tools/p0f.sh

Lines 4 to 6 in 6604b9b

cat /var/log/p0f-k.log.* > p0f-k.log
chmod 644 p0f-k.log
rm /var/log/p0f-k.log.*

OsecT/osect_sensor/Infrastructure/edge_cron/work/ot_tools/suricata.sh

Lines 5 to 6 in 6604b9b

cat /var/log/suricata/eve?*.json > $4/eve.json
rm /var/log/suricata/eve?*.json

OsecT/osect_sensor/Infrastructure/edge_cron/work/ot_tools/yaf.sh

Lines 3 to 19 in 6604b9b

merge_log () {
cat $1 > $2
sed -i '/^#/d' $2
sed -i '1i #ts start-time end-time duration rtt proto sip sp dip dp srcMacAddress destMacAddress iflags uflags riflags ruflags isn risn tag rtag pktoct rpkt roct end-reason' $2
}
cd $1/$2 || exit
flow=$(find "/var/log/yaf" -name "flow*.yaf")
for flowfile in $flow; do
/usr/local/bin/yafscii --tabular --print-header --mac --in $flowfile --out flow.csv
cat flow.csv | /opt/ot_tools/yaf.awk > "$flowfile".log
rm "$flowfile" flow.csv
done
merge_log "/var/log/yaf/flow*.log" "yaf_flow.log"
rm /var/log/yaf/flow*.log

解決方針

集約対象のログファイルのリストを変数に格納した後、集約処理や削除処理を実行する際に当該変数を参照する。
@tkhr-ueda tkhr-ueda self-assigned this Feb 20, 2024
@tkhr-ueda tkhr-ueda added the bug Something isn't working label Feb 20, 2024
@tkhr-ueda tkhr-ueda added this to the to be decided milestone Feb 20, 2024
tkhr-ueda added a commit that referenced this issue Mar 21, 2024
@tkhr-ueda
Merge remote-tracking branch 'origin/main' into bug-#175
5d34105
@tkhr-ueda tkhr-ueda mentioned this issue Mar 21, 2024
Merged
nbhgytzheng added a commit that referenced this issue Mar 22, 2024
@nbhgytzheng
Merge pull request #183 from nttcom/bug-#175
f5c86e4 
#175 ごく稀にログが欠損する可能性を排除できない問題を修正
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tkhr-ueda tkhr-ueda

Labels
bug Something isn't working
Projects
None yet
Milestone
STEP2.9リリース
Development

Successfully merging a pull request may close this issue.

#175 ごく稀にログが欠損する可能性を排除できない問題を修正 nttcom/OsecT
2 participants
@takuma0121 @tkhr-ueda