Crash while parsing syslog for netfilter logs #189

Closed
fukawi2 opened this issue May 2, 2023 · 4 comments · Fixed by #191

fukawi2 commented May 2, 2023

I got the attached crash while trying to parse netfilter (iptables) logs from /var/log/syslog. Full command and output below.

Crash report (renamed to .txt because GitHub won't permit .toml files as attachments): report-79c5d249-00d8-4ad4-bfbe-29b534be5307.txt

Input file was slightly less than 310,076,892 lines (counted immediately after the crash while typing this Issue).

$ ./agrind -f /var/log/syslog --output json 'kernel:* | parse "* * kernel: [*] * IN=* OUT=* SRC=* DST=* LEN=* TOS=* PREC=* TTL=* ID=* PROTO=* SPT=* DPT=* WINDOW=* RES=* * URGP=*" as timestamp, hostname, x, tag, ifIn, ifOut, src, dst, len, tos, prec, ttl, id, protocol, sport, dport, window, res, flags, urgp | count'
Well, this is embarrassing.

ag had a problem and crashed. To help us diagnose the problem you can send us a crash report.

We have generated a report file at "/tmp/report-a8b8a71c-bdb4-484a-a0ee-7be663a3a952.toml". Submit an issue or email with the subject of "ag Crash Report" and include the report as an attachment.

- Authors: Russell Cohen <russell.r.cohen@gmail.com>

We take privacy seriously, and do not perform any automated error collection. In order to improve the software, we rely on people to submit reports.

Thank you kindly!
278

fukawi2 commented May 2, 2023

FWIW, I get the same crash if I cat /var/log/syslog | ./agrind .... instead of making ag read it using -f argument.

Using grep kernel: /var/log/syslog | ./agrind '* | parse .... does NOT crash. I'm guessing some kind of weird character in one of the log lines that ag isn't handling nicely. Hopefully the crash report has enough info for you to work it out - I don't really want to dig through 310mm log lines to find it 😂

(For my own reference if I do need to refer to the archived log file: /var/log/syslog-20230502-1683025201.gz)

rcoh added a commit that referenced this issue May 19, 2023
Gracefully handle binary input with from_utf8_lossy.

Fixes #189

rcoh commented May 19, 2023

thanks for the report! will release a version with the fix today

rcoh closed this as completed in #191 May 19, 2023

rcoh commented May 19, 2023

released #v0.19.1

fukawi2 commented May 22, 2023

Thanks! :) 🚀
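
The commit referenced in this thread names `from_utf8_lossy` as the way binary input is handled. The following added example (not angle-grinder's code; the function names and sample bytes are constructed for illustration) contrasts a strict line reader, which fails on the first non-UTF-8 line, with a byte-oriented reader that decodes lossily and counts the lines it had to repair.

```rust
use std::borrow::Cow;
use std::io::{BufRead, Cursor};

/// Constructed sample: three syslog-style lines; the second carries raw non-UTF-8 bytes.
fn sample() -> Vec<u8> {
    [
        &b"May  2 10:00:01 fw kernel: [1.0] IN=eth0 OUT= SRC=192.0.2.1\n"[..],
        &b"May  2 10:00:02 fw app: payload=\xff\xfe end\n"[..],
        &b"May  2 10:00:03 fw kernel: [2.0] IN=eth0 OUT= SRC=192.0.2.3\n"[..],
    ]
    .concat()
}

/// Strict decoding: `lines()` yields an error at the first line that is not valid UTF-8,
/// so one bad line anywhere in the file ends the whole run.
fn count_kernel_strict(input: &[u8]) -> std::io::Result<usize> {
    let mut kernel = 0;
    for line in Cursor::new(input).lines() {
        if line?.contains("kernel:") {
            kernel += 1;
        }
    }
    Ok(kernel)
}

/// Lossy decoding: read raw bytes up to each newline and replace invalid sequences
/// with U+FFFD. Returns (kernel lines counted, lines that needed replacement).
fn count_kernel_lossy(input: &[u8]) -> std::io::Result<(usize, usize)> {
    let mut reader = Cursor::new(input);
    let mut buf = Vec::new();
    let (mut kernel, mut repaired) = (0, 0);
    loop {
        buf.clear();
        if reader.read_until(b'\n', &mut buf)? == 0 {
            break; // end of input
        }
        let line = String::from_utf8_lossy(&buf);
        // from_utf8_lossy only allocates (Cow::Owned) when it had to substitute bytes.
        if matches!(line, Cow::Owned(_)) {
            repaired += 1;
        }
        if line.contains("kernel:") {
            kernel += 1;
        }
    }
    Ok((kernel, repaired))
}

fn main() {
    let data = sample();
    println!("strict: {:?}", count_kernel_strict(&data).map_err(|e| e.kind()));
    println!("lossy:  {:?}", count_kernel_lossy(&data));
}
```

Tracking the repaired-line count keeps the pipeline running while still surfacing that some log lines contained bytes that were altered during decoding.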
