You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I've searched for any related issues and avoided creating a duplicate issue.
Description
After proper deployment of go-audit, the service functions as it should for some time and then it randomly stops logging to file (var/log/go-audit.log). Service shows as functioning and restarting the service does not fix the issue. Increasing the socket.buffer size in go-audit.yaml does not fix the issue.
This issue was reproducible in both Ubuntu and opensuse. Reverting to older VM snapshots resulted in logging restored, however, after some time or even a reboot the service still stop logging to file. I don't think this is a resource issue and both VM's have plenty of drive space.
Reproducible in:
go-audit version: 1.0.0
OS version(s): Ubuntu 20.04.1 LTS
OS version(s): opensuse 15.2
Expected result:
Process does not stop logging.
Actual result:
Process stops logging after working for some time.
Attachments:
root@ubuntu:/var/log# service go-audit status
● go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 17:42:06 PST; 35min ago
Main PID: 13144 (go-audit)
Tasks: 7 (limit: 2281)
Memory: 6.3M
CGroup: /system.slice/go-audit.service
└─13144 /usr/local/bin/go-audit -config /etc/go-audit.yaml
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #193
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #194
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #195
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #196
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #197
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #198
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall 42 containing message type 1306 matching string saddr=(0200....7F|01> Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `` containing message type 1305matching string.*`
Jan 07 17:42:06 ubuntu go-audit[13144]: Socket receive buffer size: 212992
Jan 07 17:42:06 ubuntu go-audit[13144]: Started processing events in the range [1300, 1399]
I could not find any other systems logs that hint any related issues... Any help would be much appreciated!
The text was updated successfully, but these errors were encountered:
Out of curiosity, which version of golang did you use to build go-audit?
I noticed go-audit wouldn't capture events when built with go 1.13, but it worked fine on ubuntu 20.04 when built with go 1.17.
If the process dies, I'm guessing there's some uncaught exception. May help to manually run it in stdout mode in a terminal, and see what traceback message appears when it crashes.
Description
After proper deployment of go-audit, the service functions as it should for some time and then it randomly stops logging to file (var/log/go-audit.log). Service shows as functioning and restarting the service does not fix the issue. Increasing the socket.buffer size in go-audit.yaml does not fix the issue.
This issue was reproducible in both Ubuntu and opensuse. Reverting to older VM snapshots resulted in logging restored, however, after some time or even a reboot the service still stop logging to file. I don't think this is a resource issue and both VM's have plenty of drive space.
Reproducible in:
go-audit version: 1.0.0
OS version(s): Ubuntu 20.04.1 LTS
OS version(s): opensuse 15.2
Expected result:
Process does not stop logging.
Actual result:
Process stops logging after working for some time.
Attachments:
root@ubuntu:/var/log# service go-audit status
● go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 17:42:06 PST; 35min ago
Main PID: 13144 (go-audit)
Tasks: 7 (limit: 2281)
Memory: 6.3M
CGroup: /system.slice/go-audit.service
└─13144 /usr/local/bin/go-audit -config /etc/go-audit.yaml
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #193
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #194
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #195
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #196
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #197
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #198
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall
42
containing message type1306
matching stringsaddr=(0200....7F|01> Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `` containing message type
1305matching string
.*`Jan 07 17:42:06 ubuntu go-audit[13144]: Socket receive buffer size: 212992
Jan 07 17:42:06 ubuntu go-audit[13144]: Started processing events in the range [1300, 1399]
I could not find any other systems logs that hint any related issues... Any help would be much appreciated!
The text was updated successfully, but these errors were encountered: