Process dies and go-audit stops logging #86

Open
3 tasks done
thisisatest012 opened this issue Jan 8, 2021 · 2 comments

thisisatest012 commented Jan 8, 2021

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

After proper deployment of go-audit, the service functions as it should for some time and then it randomly stops logging to file (var/log/go-audit.log). Service shows as functioning and restarting the service does not fix the issue. Increasing the socket.buffer size in go-audit.yaml does not fix the issue.

This issue was reproducible in both Ubuntu and openSUSE. Reverting to older VM snapshots resulted in logging being restored; however, after some time or even a reboot, the service still stops logging to file. I don't think this is a resource issue, and both VMs have plenty of drive space.

Reproducible in:

go-audit version: 1.0.0
OS version(s): Ubuntu 20.04.1 LTS
OS version(s): openSUSE 15.2

Expected result:

Process does not stop logging.

Actual result:

Process stops logging after working for some time.

Attachments:

root@ubuntu:/var/log# service go-audit status
● go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 17:42:06 PST; 35min ago
Main PID: 13144 (go-audit)
Tasks: 7 (limit: 2281)
Memory: 6.3M
CGroup: /system.slice/go-audit.service
└─13144 /usr/local/bin/go-audit -config /etc/go-audit.yaml

Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #193
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #194
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #195
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #196
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #197
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #198
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall 42 containing message type 1306 matching string saddr=(0200....7F|01>
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `` containing message type 1305matching string.*`
Jan 07 17:42:06 ubuntu go-audit[13144]: Socket receive buffer size: 212992
Jan 07 17:42:06 ubuntu go-audit[13144]: Started processing events in the range [1300, 1399]

I could not find any other system logs that hint at any related issues... Any help would be much appreciated!

slw07g commented Nov 21, 2021

Out of curiosity, which version of golang did you use to build go-audit?
I noticed go-audit wouldn't capture events when built with Go 1.13, but it worked fine on Ubuntu 20.04 when built with Go 1.17.

slw07g commented Nov 21, 2021

If the process dies, I'm guessing there's some uncaught exception. May help to manually run it in stdout mode in a terminal, and see what traceback message appears when it crashes.
