Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

logging - non-blocking writes to socket - v3 #2651

Closed
wants to merge 3 commits into from
Closed

logging - non-blocking writes to socket - v3 #2651

wants to merge 3 commits into from

Conversation

jasonish
Copy link
Member

@jasonish jasonish commented Apr 5, 2017

Previous PR: #2649

Changes from last PR:

  • Check for offline/live runmode during log file setup. As the time value for this is set after the outputs are initialized, one more global seemed to be the least intrusive way to get at this value in logging setup. Another option was to passive the SCInstance around some, but that would have been more intrusive.

Previous Description

One way to address sockets that are blocking on write, (which also blocks Suricata in general) is to drop the event if the write to the socket will block.

This isn't as feature-full as for an internal message queue could be which could buffer the packets until the socket no longer blocks, but in many cases buffering just delays having to drop events, especially if the other end of the socket continually can't keep up.

Here we do socket writes with a non-blocking send and up a counter if it failed to send. The second commit is an example of a logger logging the drop count. But we probably want a real stat for this that is in the event log.

Changes from last PR:

  • Log drops for eve in one location on exit (only if there are drops)
  • Retry loop cleanup.
  • If not running live, don't do a non-blocking write.

I looked at a stats counter, but it was non-trivial to one via the stats API to do the various entry points into the logger (ie: flow). Will revisit though.

Prscript

@jasonish
logging: don't block on socket writes
c3585db 
Writing to a unix socket can cause Suricata to block in the
packet path. This could happen if the read-endpoint of the
unix socket stays connected, but stops reading, or simply
can't read fast enough as part of its event processing.

To choose packets over events, do non-blocking socket
writes and drop the event if the write would block and
update a dropped counter.
@jasonish
eve: log number of events dropped at exit
cb9a806
@jasonish
logging: only do non-blocking writes if live
f892e3a 
If running against a pcap there is no reason to drop events,
a blocking socket is fine here. So only do non-blocking writes
when running off a live device.
@jasonish jasonish mentioned this pull request Apr 5, 2017
Closed
@inliniac inliniac mentioned this pull request Apr 6, 2017
Merged
@inliniac
Copy link
Contributor

inliniac commented Apr 7, 2017

Merged in #2655, thanks Jason!

@inliniac inliniac closed this Apr 7, 2017
@jasonish jasonish deleted the dev-logging-socket-3 branch April 11, 2017 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
2 participants
@jasonish @inliniac