
An error occurs when sending messages into the Palo Alto input #10

Closed
danotorrey opened this issue Feb 25, 2019 · 5 comments

@danotorrey (Contributor) commented Feb 25, 2019

An error occurs when sending messages into the Palo Alto input. The specific error is unknown, but we are working to obtain it. A PCAP has also been obtained, which is being used to investigate the issue further.

More details will be added to this issue shortly as the specific issue that is occurring is identified.

@danotorrey danotorrey added the bug label Feb 25, 2019

@danotorrey danotorrey self-assigned this Feb 25, 2019

@danotorrey (Contributor, Author) commented Feb 25, 2019

I am not able to reproduce any errors or issues when replaying the attached message to the Palo Alto input (same with the rest of the messages in the PCAP file).

PA message.txt

@waynekearns I need the following before I can proceed with investigating:

  1. Description of the specific issue that is occurring. What symptom occurred that indicated there was an issue with this Palo Alto input? Was there an error, or logs were not being received? These details will help me to address the specific issue they are encountering.

  2. Can we please collect a debug log from when the issue happens? Here are instructions for enabling debug logging for a plugin. Here's the CURL command for reference:

# Set the log level of the integrations plugin to debug via the Graylog REST API
# (-I shows only the response headers; the duplicated -X PUT and -I flags were dropped)
curl -I -X PUT http://username:password@localhost:9000/api/system/loggers/org.graylog.integrations/level/debug \
-H 'X-Requested-By: graylog-api-user'

This should help provide clarity on the specific issue that is occurring, then I can continue to investigate.

@danotorrey (Contributor, Author) commented Feb 26, 2019

We are making progress on this issue, but it is not solved yet. The first issue was that the Palo Alto input was using the TcpTransport instead of the correct SyslogTcpTransport. This fixed part of the issue, but there is still a parsing error that only occurs with actual packets in prod and not the text version of the message exported from Wireshark. I’m planning to replay the PCAP first thing in the morning to identify and fix the remaining issue.

@danotorrey (Contributor, Author) commented Feb 26, 2019

A fix has been implemented, and @waynekearns will be testing it soon.

@danotorrey (Contributor, Author) commented Feb 26, 2019

@waynekearns has tested and confirmed that this issue is fixed. 👍

I’ll submit a PR with tests today, and we’ll include it in the next bug fix release. It is OK to continue using the snapshot JAR until then.

@bernd (Member) commented Mar 11, 2019

Fixed in #11

@bernd bernd closed this Mar 11, 2019

bernd added a commit that referenced this issue Mar 11, 2019

Fix Palo Alto input parsing issue (#11)
* Use Syslog TCP transport to correctly handle frame length
* Fully migrate to Syslog TCP Transport
* Trim line breaks from the message before parsing
* Add tests
* Roll back log message

Fixes #10

(cherry picked from commit d99cdc2)
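The two failure modes named in the commit message (a plain TCP transport ignoring the syslog frame length, and line breaks left on the record before CSV parsing) can be seen with a small decoder. This is an added example, not code from the issue or from the Graylog Palo Alto plugin; it assumes RFC 6587 octet-counting framing, and the PAN-OS-style syslog header and field values are constructed.

```python
import csv
import re

# Constructed PAN-OS-style syslog records (field values invented, not from the issue).
# Each record ends with "\n", which the sender counts inside the octet-counting frame.
HEADER = "<14>Feb 25 10:00:00 pa-fw "
MSG_A = (HEADER + "1,2019/02/25 10:00:00,0123456789,TRAFFIC,end,2049,"
         "10.0.0.5,10.0.0.9,tcp,allow-internal\n")
MSG_B = (HEADER + "1,2019/02/25 10:00:01,0123456789,THREAT,url,2049,"
         "10.0.0.5,203.0.113.7,tcp,block-web\n")


def frame_octet_count(msg: str) -> bytes:
    """RFC 6587 octet-counting framing: '<length> <message>' (assumed framing)."""
    data = msg.encode()
    return f"{len(data)} ".encode() + data


# One TCP stream carrying both frames back to back, as a firewall would send them.
STREAM = frame_octet_count(MSG_A) + frame_octet_count(MSG_B)


def decode_octet_counted(stream: bytes) -> list[str]:
    """Split the stream on the length prefix, the way a syslog TCP transport does."""
    msgs, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)          # end of the decimal length prefix
        length = int(stream[pos:sp])
        start = sp + 1
        msgs.append(stream[start:start + length].decode())
        pos = start + length
    return msgs


def decode_newline(stream: bytes) -> list[str]:
    """Naive newline split, i.e. what a plain TCP transport does with this stream."""
    return [line.decode() for line in stream.split(b"\n") if line]


SYSLOG_HEADER = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d \S+ (.*)$", re.S)


def parse_panos(msg: str) -> list[str]:
    """Trim CR/LF, drop the syslog header and split the PAN-OS CSV body."""
    body = SYSLOG_HEADER.match(msg.rstrip("\r\n"))
    if body is None:
        raise ValueError(f"not a syslog message: {msg!r}")
    return next(csv.reader([body.group(1)]))


if __name__ == "__main__":
    for frame in decode_octet_counted(STREAM):
        print(parse_panos(frame))
    print(decode_newline(STREAM)[0][:12])  # length prefix glued onto the record
```

With the newline decoder the length prefix ends up at the front of each record, so the syslog header no longer matches; with the octet-counting decoder the records are whole, and the trailing line break is stripped before it can pollute the last CSV field.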