Refactor analyze #110
Conversation
Force-pushed from b80ca47 to 00016d1 (Compare)
Force-pushed from e0c8e4b to 5713d85 (Compare)
I just tested out this branch as of commit 5713d85 and it seems effective at addressing the deadlock symptom I'd reported in #71. I did see something else unexpected which @mattnibs said he'll respond to. The repro setup is similar to what's described in #71 in terms of having my custom Zeek and Suricata installed with the wrapper scripts, one of which depends on

That was the one unexpected speedbump I'd hit: I'd created this config YAML when an explicit

On repeated runs, I got this appropriate failure message 5 out of 5 times. By comparison, when I was using the same repro steps in current tip of

As for the speedbump, looking at the changes in the linked PR, it looks like the required
The old way analyze was written was prone to hard to reproduce / hard to debug concurrency bugs. Rewrite analyze to simplify things. This commit divorces the analyze process command phase and the log tailer phase which were previously unified. This arrangement makes it easier to isolate the two phases of analyze which makes it easier to diagnose issues. This refactor fixes the deadlock bug encountered when one analyzer process would error out in the midst of analysis.

Also:
- Have the load commit use the add / commit endpoints instead of the deprecated log post endpoints.

Closes #109
Closes #71
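The commit message above describes the structural fix: run the analyzer processes in one phase and tail their logs in a separate phase, so that one process failing mid-analysis cannot leave the other side waiting forever. The following is an added illustration of that split, written here for this page; it is not the project's own code, and Go is an assumption (the page does not name the implementation language). `Analyzer`, `runAnalyzers`, `tailLogs` and `Analyze` are hypothetical names, the two sample analyzers are constructed goroutines standing in for external zeek/suricata processes, and `ErrCrashed` is a constructed failure.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Analyzer stands in for one external analyzer process (zeek, suricata, ...).
// Run emits log lines on out until the process finishes or fails. (Hypothetical type.)
type Analyzer struct {
	Name string
	Run  func(ctx context.Context, out chan<- string) error
}

// ErrCrashed is the constructed failure a misbehaving analyzer reports.
var ErrCrashed = errors.New("exited with status 1")

// emit sends one line unless the run has already been cancelled, so an
// analyzer never stays blocked on a send after a sibling has failed.
func emit(ctx context.Context, out chan<- string, line string) error {
	select {
	case out <- line:
		return nil
	case <-ctx.Done():
		return ctx.Err()
	}
}

// runAnalyzers is the process-command phase: start every analyzer, cancel the
// shared context on the first failure, wait for all of them to exit, and
// return that first error (nil when every analyzer succeeded).
func runAnalyzers(ctx context.Context, analyzers []Analyzer, out chan<- string) error {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	var wg sync.WaitGroup
	errc := make(chan error, len(analyzers)) // buffered: reporting never blocks
	for _, a := range analyzers {
		wg.Add(1)
		go func(a Analyzer) {
			defer wg.Done()
			if err := a.Run(ctx, out); err != nil {
				errc <- fmt.Errorf("%s: %w", a.Name, err) // queued before cancel(), so read first
				cancel()
			}
		}(a)
	}
	wg.Wait()
	close(errc)
	return <-errc // nil when nothing was queued
}

// tailLogs is the log-tailer phase: it drains out until the channel is closed
// and returns the number of lines consumed. It knows nothing about processes.
func tailLogs(out <-chan string, sink func(string)) int {
	n := 0
	for line := range out {
		sink(line)
		n++
	}
	return n
}

// Analyze wires the two phases together. The channel is closed exactly once,
// after every analyzer has exited, so the tailer always terminates; and the
// tailer keeps draining while processes wind down, so no process blocks on a send.
func Analyze(ctx context.Context, analyzers []Analyzer, sink func(string)) (int, error) {
	out := make(chan string, 16)
	var runErr error
	go func() {
		defer close(out)
		runErr = runAnalyzers(ctx, analyzers, out)
	}()
	n := tailLogs(out, sink) // returns only after close(out), so runErr is settled
	return n, runErr
}

// steadyAnalyzer is a constructed analyzer that emits lines and exits cleanly.
func steadyAnalyzer(name string, lines int) Analyzer {
	return Analyzer{Name: name, Run: func(ctx context.Context, out chan<- string) error {
		for i := 0; i < lines; i++ {
			if err := emit(ctx, out, fmt.Sprintf("%s line %d", name, i)); err != nil {
				return err
			}
		}
		return nil
	}}
}

// crashingAnalyzer is a constructed analyzer that fails after a few lines,
// reproducing the "one process errors out in the midst of analysis" case.
func crashingAnalyzer(name string, after int) Analyzer {
	return Analyzer{Name: name, Run: func(ctx context.Context, out chan<- string) error {
		for i := 0; i < after; i++ {
			if err := emit(ctx, out, fmt.Sprintf("%s line %d", name, i)); err != nil {
				return err
			}
		}
		return ErrCrashed
	}}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	n, err := Analyze(ctx, []Analyzer{steadyAnalyzer("zeek", 1000), crashingAnalyzer("suricata", 3)}, func(string) {})
	fmt.Printf("tailed %d lines, err=%v\n", n, err)
}
```

The point of the split is that neither phase waits on the other's internal state: the tailer only waits for the channel to close, and the channel closes only when the process phase has fully accounted for every analyzer, whether it succeeded, failed, or was cancelled because a sibling failed. The crash surfaces as the returned error rather than as a hang, which is also what makes it diagnosable.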
Force-pushed from 5713d85 to cce2fa3 (Compare)
Co-authored-by: Noah Treuhaft <noah.treuhaft@gmail.com>
I just re-ran my test with the newer commit