New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Linux syscollector: retrieve MAC addresses from "/sys/class/net/<ifname>/address". #2550
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@DarkMatterCore thanks for this PR.
However, the interface's MAC address does not appear in the database:
$ sqlite3 /var/ossec/queue/db/000.db "select name,mac from sys_netiface;"
enp0s8|
enp0s3|
And Syscollector displays those errors:
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s8" at "/sys/class/net/enp0s8/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s8" at "/sys/class/net/enp0s8/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s8" at "/sys/class/net/enp0s8/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s3" at "/sys/class/net/enp0s3/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s3" at "/sys/class/net/enp0s3/address".
2019/02/09 20:10:22 wazuh-modulesd:syscollector[3615] syscollector_linux.c:1078 at sys_network_linux(): ERROR: Invalid MAC address length for interface "enp0s3" at "/sys/class/net/enp0s3/address".
Please consider the fix described.
I confirm that this PR with that patch gets the MAC address on:
- CentOS 6 (VM on Vagrant)
- CentOS 7 (VM on Vagrant)
- Ubuntu 18.10 (VM on Vagrant)
- Debian 9 on Raspberry Pi 3.
Thank you.
Best.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@DarkMatterCore Thanks for the fix!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This error appears in CentOS 5:
2019/02/10 20:09:52 wazuh-modulesd:syscollector: ERROR: Invalid MAC address length for interface "sit0" at "/sys/class/net/sit0/address".
In fact, the simple internet transition interface has no MAC address;
$ ip addr show sit0
4: sit0: <NOARP> mtu 1480 qdisc noop
link/sit 0.0.0.0 brd 0.0.0.0
This condition should not produce an error but a debug log.
In fact, the system file exists but it has a shorter zero-filled MAC address:
$ cat /sys/class/net/sit0/address
00:00:00:00
Some tunneling interfaces have a shorter MAC, like "00:00:00:00"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now it works in:
- CentOS 5
- CentOS 6
- CentOS 7
- Ubuntu 18.10
- Raspbian 9
…me>/address". (#2550) * Linux syscollector: retrieve MAC addresses from "/sys/class/net/<ifname>/address". * Fixed wrong fread() call + variable naming convention. * Let Syscollector get a shorter MAC address. Some tunneling interfaces have a shorter MAC, like "00:00:00:00"
This PR fixes issue #2532 by reading the real MAC address for each interface using data at "/sys/class/net//address" instead of only getting it from interfaces with AF_PACKET sockets, avoiding problems with bonded interfaces sharing the same MAC address at software level.