New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

to_ip(): message gets dropped on non-IP strings due to wrong exception handling #28

Closed
tokred opened this Issue May 12, 2016 · 0 comments

Comments

Projects
None yet
2 participants
@tokred

tokred commented May 12, 2016

Problem description

When a certain message field is parsed with to_ip() that does not contain a valid IP but e.g. a FQDN, an unhandled java.lang.IllegalArgumentException is thrown for each message:

2016-05-11T11:15:41.589+02:00 WARN  [ProcessBufferProcessor] Unable to process message <196c6d35-1812-11e6-9ea6-5254309fb3a8>: org.graylog.plugins.pipelineprocessor.ast.exceptions.FunctionEvaluationException: java.lang.IllegalArgumentException: 'logstash01.foo.com' is not an IP string literal.

I did some code digging and IpAddressConversion.evaluate() seems to catch twice an IllegalFormatException although the function InetAddresses.forString() throws a formatIllegalArgumentException instead (according to com.google.common.net.InetAddresses).

As a result, the message gets dropped entirely and a WARN is logged.

Steps to reproduce the problem

  1. Create a pipeline with a rule that uses to_ip and route to a stream, e.g.
rule "IP subnet"
when
  cidr_match("10.20.30.0/24", to_ip($message.source))
then
  route_to_stream("teststream");
end
  1. Connect pipeline to a message path where the source field not only contains IPs but also FQDN strings.
  2. Messages do not reach the stream and warnings are logged.

Environment

  • Graylog Version: 2.0.0
  • Pipeline Processor plugin version: 1.0.0-beta.2
  • Elasticsearch Version: 2.3.1
  • MongoDB Version:
  • Operating System:
  • Browser version:

@kroepke kroepke added the bug label May 13, 2016

kroepke added a commit that referenced this issue May 17, 2016

IpAddressConversion caught wrong exception
the first try block caught a too specific version of the IllegalArgumentException, allowing the exception to unwind too much.
properly return null or the default value in this case.

fix issue #28

joschi added a commit that referenced this issue May 17, 2016

IpAddressConversion caught wrong exception (#32)
The first try block caught a too specific version of the IllegalArgumentException, allowing the exception to unwind too much. Properly return null or the default value in this case.

Fixes #28

@kroepke kroepke closed this in 2025d36 Jul 20, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment