-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bad syscollector network iface values handling #21296
Comments
This change is for a major version. |
AnalysisThis issue is strongly related to this one #21194. This was not properly solved because it was so intrusive, but as a workaround, we changed the flatbuffer schema data type to allow negative values, which are a consequence of the bad data type conversion on the agent side. That leads to invalid values stored in the syscollector local database, and those are sent as sync messages to the manager, causing the issue we described above. Also as part of the same issue, because of a delta message, we experience something similar. The value is casted somehow in We need to mention this issue as well #21340 which wrongly casts a Error reproducedUsing a mocked Inter-| Receive | Transmit
face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
lo: 36278034 206260 0 0 0 0 0 0 36278034 206260 0 0 0 0 0 0
enp0s3: 3341848418 2382203 0 0 0 0 0 0 40075805 506967 0 0 0 0 0 0
enp0s8: 79699938 510663 0 0 0 0 0 0 8627671553 5968446 0 0 0 0 0 0
enp0s9: 574415 3453 0 0 0 0 0 311 2116 28 0 0 0 0 0 0
docker0: 3520716 86560 0 0 0 0 0 0 941439628 253045 0 0 0 0 0 0 We can see two values that cause issues here, 3341848418 and 8627671553. Note For interface Note For interface
{"name":"enp0s3","adapter":"","type":"ethernet","state":"up","mtu":1500,"mac":"02:d0:f1:1a:d8:67","tx_packets":506967,"rx_packets":2382203,"tx_bytes":40075805,"rx_bytes":-953118878,"tx_errors":0,"rx_errors":0,"tx_dropped":0,"rx_dropped":0,"checksum":"805a5d2ea89c38cc35d38c66738c4620a143a589","item_id":"7a60750dd3c25c53f21ff7f44b4743664ddbb66a","db_status_field_dm":1},
{"name":"enp0s8","adapter":"","type":"ethernet","state":"up","mtu":1500,"mac":"08:00:27:af:c0:42","tx_packets":5968446,"rx_packets":510663,"tx_bytes":37736961,"rx_bytes":79699938,"tx_errors":0,"rx_errors":0,"tx_dropped":0,"rx_dropped":0,"checksum":"3b236826f633f3d92248708a464cbd4eb274385f","item_id":"989b6a387c8b314c67793584881c06393b32923e","db_status_field_dm":1}, Syscollector sync case2024/04/30 18:02:44 wazuh-modulesd:syscollector[66757] logging_helper.c:40 at taggedLogFunction(): DEBUG: Sync sent: {"component":"syscollector_network_iface","data":{"attributes":{"adapter":null,"checksum":"805a5d2ea89c38cc35d38c66738c4620a143a589","item_id":"7a60750dd3c25c53f21ff7f44b4743664ddbb66a","mac":"02:d0:f1:1a:d8:67","mtu":1500,"name":"enp0s3","rx_bytes":-953118878,"rx_dropped":0,"rx_errors":0,"rx_packets":2382203,"scan_time":"2024/04/30 21:02:44","state":"up","tx_bytes":40075805,"tx_dropped":0,"tx_errors":0,"tx_packets":506967,"type":"ethernet"},"index":"7a60750dd3c25c53f21ff7f44b4743664ddbb66a","timestamp":""},"type":"state"}
2024/04/30 18:02:44 wazuh-modulesd:syscollector[66757] logging_helper.c:40 at taggedLogFunction(): DEBUG: Sync sent: {"component":"syscollector_network_iface","data":{"attributes":{"adapter":null,"checksum":"3b236826f633f3d92248708a464cbd4eb274385f","item_id":"989b6a387c8b314c67793584881c06393b32923e","mac":"08:00:27:af:c0:42","mtu":1500,"name":"enp0s8","rx_bytes":79699938,"rx_dropped":0,"rx_errors":0,"rx_packets":510663,"scan_time":"2024/04/30 21:02:44","state":"up","tx_bytes":37736961,"tx_dropped":0,"tx_errors":0,"tx_packets":5968446,"type":"ethernet"},"index":"989b6a387c8b314c67793584881c06393b32923e","timestamp":""},"type":"state"}
Both values are wrong Syscollector delta case2024/04/30 18:35:18 wazuh-modulesd:syscollector[67797] logging_helper.c:40 at taggedLogFunction(): DEBUG: Delta sent: {"data":{"adapter":null,"checksum":"805a5d2ea89c38cc35d38c66738c4620a143a589","item_id":"7a60750dd3c25c53f21ff7f44b4743664ddbb66a","mac":"02:d0:f1:1a:d8:67","mtu":1500,"name":"enp0s3","rx_bytes":3341848418,"rx_dropped":0,"rx_errors":0,"rx_packets":2382203,"scan_time":"2024/04/30 21:35:17","state":"up","tx_bytes":40075805,"tx_dropped":0,"tx_errors":0,"tx_packets":506967,"type":"ethernet"},"operation":"MODIFIED","type":"dbsync_network_iface"}
2024/04/30 18:35:18 wazuh-modulesd:syscollector[67797] logging_helper.c:40 at taggedLogFunction(): DEBUG: Delta sent: {"data":{"adapter":null,"checksum":"3b236826f633f3d92248708a464cbd4eb274385f","item_id":"989b6a387c8b314c67793584881c06393b32923e","mac":"08:00:27:af:c0:42","mtu":1500,"name":"enp0s8","rx_bytes":79699938,"rx_dropped":0,"rx_errors":0,"rx_packets":510663,"scan_time":"2024/04/30 21:35:17","state":"up","tx_bytes":37736961,"tx_dropped":0,"tx_errors":0,"tx_packets":5968446,"type":"ethernet"},"operation":"MODIFIED","type":"dbsync_network_iface"}
scan_id = 0
scan_time = 2024/04/30 21:39:27
name = enp0s3
adapter =
type = ethernet
state = up
mtu = 1500
mac = 02:d0:f1:1a:d8:67
tx_packets = 506967
rx_packets = 2382203
tx_bytes = 40075805
rx_bytes = 2147483647
tx_errors = 0
rx_errors = 0
tx_dropped = 0
rx_dropped = 0
checksum = 805a5d2ea89c38cc35d38c66738c4620a143a589
item_id = 7a60750dd3c25c53f21ff7f44b4743664ddbb66a
ProposalChange all the fields causing issues to |
Issue blockedDue to the update of the CTI content, which is handled in 4.8.0, some tests will continue to fail We will wait until 4.8.0 is merged in this branch |
🔓 Issue unblocked by #23784. |
Description
As a consequence of the error found
2024/01/04 13:51:53 :router[138953] logging_helper.c:25 at taggedLogFunction(): ERROR: Error sending message to provider: Error parsing message, 1: 573: error: invalid number: "-956995642", constant does not fit [0; 4294967295]
and addressed here #21194
After a little investigation, we found several mishandling values for some Syscollector fields
Expand
Agent
Manager
The maximum size of a uint value is = 4294967295, which in bytes is almost 4GB. We can reach that number easily by downloading a single ISO file.
DoD
The text was updated successfully, but these errors were encountered: