
Reconnect EventLog and EventChannel when service is restarted #3836

Merged
14 commits merged on Nov 26, 2019

Conversation

DaveVG1
Contributor

@DaveVG1 DaveVG1 commented Aug 12, 2019

Related issue
#3792

Description

This PR fixes the error that occurred while stopping the EventLog service in Windows if a localfile had eventchannel or eventlog as log_format. If eventlog was set, the following message was shown infinitely:

DEBUG: Error reading event log: 6
DEBUG: Error reading event log: 6
DEBUG: Error reading event log: 6
DEBUG: Error reading event log: 6

And the log collection function didn't work again for these logs (even though the EventLog service was restarted).
In the case of eventchannel, no message was shown, but the log collection function wasn't working again for these logs either.

Configuration options

  • For eventchannel:
<!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>
  • For eventlog:
<!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventlog</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

Logs/Alerts example

  • For eventlog:
2019/08/12 11:10:42 ossec-agent[12844] read_win_el.c:527 at readel(): DEBUG: Error reading event log: 1722
2019/08/12 11:10:42 ossec-agent[12844] read_win_el.c:527 at readel(): DEBUG: Error reading event log: 1722
2019/08/12 11:10:42 ossec-agent[12844] read_win_el.c:527 at readel(): DEBUG: Error reading event log: 1722
2019/08/12 11:10:46 ossec-agent[12844] read_win_el.c:515 at readel(): DEBUG: EventLog was closed and re-opened
2019/08/12 11:10:46 ossec-agent[12844] read_win_el.c:515 at readel(): DEBUG: EventLog was closed and re-opened
2019/08/12 11:10:46 ossec-agent[12844] read_win_el.c:515 at readel(): DEBUG: EventLog was closed and re-opened

After this, we trigger an eventlog event and the alert appears:

** Alert 1565601128.877280: - windows,policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,
2019 Aug 12 09:12:08 (Win) 10.0.0.1->WinEvtLog
Rule: 18113 (level 8) -> 'Windows Audit Policy changed.'
User: (no user)
2019 Aug 12 11:12:05 WinEvtLog: Security: AUDIT_SUCCESS(4719): Microsoft-Windows-Security-Auditing: (no user): no domain: COMPUTERNAME: System audit policy was changed. Subject:  Security ID:  S-1-5-18  Account Name:  DESKTOP-04BL6CF$  Account Domain:  WORKGROUP  Logon ID:  0x3e7  Audit Policy Change:  Category:  %%8274  Subcategory:  %%12800  Subcategory GUID: {0cce921d-69ae-11d9-bed3-505054503030}  Changes:  %%8449
type: Security
subject.security_id: S-1-5-18
subject.account_name: COMPUTERNAME
subject.account_domain: WORKGROUP
subject.logon_id: 0x3e7
  • For eventchannel:
2019/08/12 11:14:00 ossec-agent[12308] read_win_event_channel.c:528 at event_channel_callback(): DEBUG: Trying to restart channel 'Security'...
2019/08/12 11:14:00 ossec-agent[12308] read_win_event_channel.c:528 at event_channel_callback(): DEBUG: Trying to restart channel 'Application'...
2019/08/12 11:14:00 ossec-agent[12308] read_win_event_channel.c:528 at event_channel_callback(): DEBUG: Trying to restart channel 'System'...
2019/08/12 11:14:00 ossec-agent[12308] read_win_event_channel.c:659 at win_start_event_channel(): ERROR: Could not EvtSubscribe() for (Security) which returned (1717)
2019/08/12 11:14:00 ossec-agent[12308] read_win_event_channel.c:659 at win_start_event_channel(): ERROR: Could not EvtSubscribe() for (Application) which returned (1717)
2019/08/12 11:14:00 ossec-agent[12308] read_win_event_channel.c:659 at win_start_event_channel(): ERROR: Could not EvtSubscribe() for (System) which returned (1717)
2019/08/12 11:14:04 ossec-agent[12308] win_agent.c:503 at SendMSG(): DEBUG: Sending info to server (ctime2)...
2019/08/12 11:14:04 ossec-agent[12308] win_agent.c:703 at send_win32_info(): DEBUG: Sending keep alive message.
2019/08/12 11:14:05 ossec-agent[12308] read_win_event_channel.c:528 at event_channel_callback(): DEBUG: Trying to restart channel 'System'...

2019/08/12 11:14:05 ossec-agent[12308] read_win_event_channel.c:528 at event_channel_callback(): DEBUG: Trying to restart channel 'Application'...

After this, we trigger an eventchannel event and the alert appears:

** Alert 1565601296.881471: - windows, windows_security,policy_changed,pci_dss_10.6.1,gpg13_10.1,gdpr_IV_35.7.d,
2019 Aug 12 09:14:56 (Win) 10.0.0.1->EventChannel
Rule: 60112 (level 8) -> 'Windows Audit Policy changed'
{"win":{"system":{"providerName":"Microsoft-Windows-Security-Auditing","providerGuid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","eventID":"4719","version":"0","level":"0","task":"13568","opcode":"0","keywords":"0x8020000000000000","systemTime":"2019-08-12T09:14:55.326974700Z","eventRecordID":"7412761","processID":"836","threadID":"10528","channel":"Security","computer":"COMPUTERID","severityValue":"AUDIT_SUCCESS","message":"Se cambió la directiva de auditoría del sistema."},"eventdata":{"subjectUserSid":"S-1-5-18","subjectUserName":"COMPUTERNAME","subjectDomainName":"WORKGROUP","subjectLogonId":"0x3e7","categoryId":"%%8274","subcategoryId":"%%12800","subcategoryGuid":"{0cce921d-69ae-11d9-bed3-505054503030}","auditPolicyChangesId":"%%8449","category":"Object Access","subcategory":"File System","auditPolicyChanges":"Success added"}}}
win.system.providerName: Microsoft-Windows-Security-Auditing
win.system.providerGuid: {54849625-5478-4994-a5ba-3e3b0328c30d}
win.system.eventID: 4719
win.system.version: 0
win.system.level: 0
win.system.task: 13568
win.system.opcode: 0
win.system.keywords: 0x8020000000000000
win.system.systemTime: 2019-08-12T09:14:55.326974700Z
win.system.eventRecordID: 7412761
win.system.processID: 836
win.system.threadID: 10528
win.system.channel: Security
win.system.computer: COMPUTERNAME
win.system.severityValue: AUDIT_SUCCESS
win.system.message: Se cambió la directiva de auditoría del sistema.
win.eventdata.subjectUserSid: S-1-5-18
win.eventdata.subjectUserName: COMPUTERNAME
win.eventdata.subjectDomainName: WORKGROUP
win.eventdata.subjectLogonId: 0x3e7
win.eventdata.categoryId: %%8274
win.eventdata.subcategoryId: %%12800
win.eventdata.subcategoryGuid: {0cce921d-69ae-11d9-bed3-505054503030}
win.eventdata.auditPolicyChangesId: %%8449
win.eventdata.category: Object Access
win.eventdata.subcategory: File System
win.eventdata.auditPolicyChanges: Success added

Tests

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • QA templates contemplate the added capabilities
  • Memory tests for Windows
    • Scan-build report
    • Coverity
    • Dr. Memory
  • Retrocompatibility with older Wazuh versions
  • Working on cluster environments
  • Added unit tests (for new features)
  • Stress test for affected components
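The failure modes in the description (error 6 after the service comes back, the endless "Error reading event log" loop while it is down, and the warn-once-then-back-off behaviour this PR introduces for a stopped service) can be exercised without a Windows machine. The following is an added, portable C example written for this page; it is not code from the Wazuh tree. The `reader_t` state, `handle_read_status()` and `simulate_channel()` are assumptions, and the Win32 status codes are used only as their documented numeric values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Win32 status codes that appear in the PR logs. The numeric values are the
 * documented Win32 ones; guarded so the file also compiles next to windows.h. */
#ifndef ERROR_INVALID_HANDLE
#define ERROR_INVALID_HANDLE 6          /* handle invalidated: EventLog restarted */
#endif
#ifndef RPC_S_UNKNOWN_IF
#define RPC_S_UNKNOWN_IF 1717           /* EventLog RPC interface unavailable */
#endif
#ifndef RPC_S_SERVER_UNAVAILABLE
#define RPC_S_SERVER_UNAVAILABLE 1722   /* EventLog service stopped */
#endif

/* Hypothetical per-channel reader state; not Wazuh's own structures. */
typedef struct {
    const char *name;
    int reconnect_time;  /* back-off in seconds while the service is down */
    bool warned_down;    /* one warning per outage instead of a flood */
    int delivered;       /* records handed on */
    int reopens;         /* close+reopen cycles after ERROR_INVALID_HANDLE */
    int warnings;        /* "service is down" warnings emitted */
    int waited_seconds;  /* total back-off, as a stand-in for sleep() */
} reader_t;

typedef enum { ACT_DELIVER, ACT_REOPEN, ACT_WAIT, ACT_IGNORE } action_t;

/* Stand-in for CloseEventLog()+OpenEventLog(); Windows-only, so simulated. */
static void reopen_channel(reader_t *r)
{
    r->reopens++;
    printf("DEBUG: EventLog was closed and re-opened for '%s'\n", r->name);
}

/* Decide how one read result is handled; mirrors the behaviour the PR describes. */
action_t handle_read_status(reader_t *r, int status)
{
    switch (status) {
    case 0:  /* a record was read */
        if (r->warned_down) {
            printf("INFO: '%s' channel reconnected\n", r->name);
            r->warned_down = false;  /* re-arm the warning for the next outage */
        }
        r->delivered++;
        return ACT_DELIVER;
    case ERROR_INVALID_HANDLE:
        /* The service came back; our handle is stale, so reopen it and go on. */
        reopen_channel(r);
        return ACT_REOPEN;
    case RPC_S_UNKNOWN_IF:
    case RPC_S_SERVER_UNAVAILABLE:
        /* Service down: warn once per channel, then back off reconnect_time. */
        if (!r->warned_down) {
            printf("WARNING: The eventlog service is down. "
                   "Unable to collect logs from channel '%s'\n", r->name);
            r->warned_down = true;
            r->warnings++;
        }
        r->waited_seconds += r->reconnect_time;
        return ACT_WAIT;
    default:
        printf("DEBUG: Error reading event log: %d\n", status);
        return ACT_IGNORE;
    }
}

/* Drive a reader through a sequence of read results and return its state. */
reader_t simulate_channel(const char *name, int reconnect_time,
                          const int *statuses, size_t count)
{
    reader_t r = { name, reconnect_time, false, 0, 0, 0, 0 };
    for (size_t i = 0; i < count; i++)
        handle_read_status(&r, statuses[i]);
    return r;
}

int main(void)
{
    /* Constructed sequence: two reads, the service stops (three 1722s), the
     * service restarts (stale handle -> 6), then collection resumes. */
    const int seq[] = { 0, 0, 1722, 1722, 1722, 6, 0 };
    reader_t sec = simulate_channel("Security", 5, seq, sizeof seq / sizeof seq[0]);
    printf("delivered=%d warnings=%d reopens=%d waited=%ds\n",
           sec.delivered, sec.warnings, sec.reopens, sec.waited_seconds);
    return 0;
}
```

The point of the `warned_down` flag is that it lives in the per-channel state and is re-armed on the first successful read, so each outage produces exactly one warning per channel and a second outage after a recovery is not silent.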

@DaveVG1
Contributor Author

DaveVG1 commented Aug 12, 2019

Dr. Memory

  • eventchannel:
Error #1: UNINITIALIZED READ: reading register al
# 0 read_attr                          [config/syscheck-config.c:692]
# 1 Read_Syscheck                      [config/syscheck-config.c:880]
# 2 read_main_elements                 [config/config.c:99]
# 3 ReadConfig                         [config/config.c:245]
# 4 Read_Syscheck_Config               [syscheckd/config.c:58]
# 5 Start_win32_Syscheck               [syscheckd/syscheck.c:123]
# 6 skthread                           [win32/win_agent.c:59]
# 7 KERNEL32.dll!BaseThreadInitThunk  +0x18     (0x76100419 <KERNEL32.dll+0x20419>)
Note: @0:00:03.923 in thread 11456
Note: instruction: cmp    %al $0x2f

Error #2: UNINITIALIZED READ: reading register al
# 0 read_attr                          [config/syscheck-config.c:692]
# 1 Read_Syscheck                      [config/syscheck-config.c:880]
# 2 read_main_elements                 [config/config.c:99]
# 3 ReadConfig                         [config/config.c:245]
# 4 Read_Syscheck_Config               [syscheckd/config.c:58]
# 5 Start_win32_Syscheck               [syscheckd/syscheck.c:123]
# 6 skthread                           [win32/win_agent.c:59]
# 7 KERNEL32.dll!BaseThreadInitThunk  +0x18     (0x76100419 <KERNEL32.dll+0x20419>)
Note: @0:00:03.928 in thread 11456
Note: instruction: cmp    %al $0x5c
  • eventlog:
Error #1: UNINITIALIZED READ: reading register al
# 0 read_attr                          [config/syscheck-config.c:692]
# 1 Read_Syscheck                      [config/syscheck-config.c:880]
# 2 read_main_elements                 [config/config.c:99]
# 3 ReadConfig                         [config/config.c:245]
# 4 Read_Syscheck_Config               [syscheckd/config.c:58]
# 5 Start_win32_Syscheck               [syscheckd/syscheck.c:123]
# 6 skthread                           [win32/win_agent.c:59]
# 7 KERNEL32.dll!BaseThreadInitThunk  +0x18     (0x76100419 <KERNEL32.dll+0x20419>)
Note: @0:00:03.647 in thread 14836
Note: instruction: cmp    %al $0x2f

Error #2: UNINITIALIZED READ: reading register al
# 0 read_attr                          [config/syscheck-config.c:692]
# 1 Read_Syscheck                      [config/syscheck-config.c:880]
# 2 read_main_elements                 [config/config.c:99]
# 3 ReadConfig                         [config/config.c:245]
# 4 Read_Syscheck_Config               [syscheckd/config.c:58]
# 5 Start_win32_Syscheck               [syscheckd/syscheck.c:123]
# 6 skthread                           [win32/win_agent.c:59]
# 7 KERNEL32.dll!BaseThreadInitThunk  +0x18     (0x76100419 <KERNEL32.dll+0x20419>)
Note: @0:00:03.652 in thread 14836
Note: instruction: cmp    %al $0x5c

@DaveVG1 DaveVG1 requested a review from bah07 August 12, 2019 09:30
@DaveVG1 DaveVG1 marked this pull request as ready for review August 12, 2019 09:31
@DaveVG1 DaveVG1 requested review from cristgl and removed request for cristgl August 13, 2019 08:34
@crolopez crolopez self-requested a review September 9, 2019 11:06
@JcabreraC JcabreraC self-requested a review September 11, 2019 14:53
Contributor

@crolopez crolopez left a comment


There is an inconsistency in the visibility of the message given when the service stops, depending on whether the eventchannel or the eventlog log format is used.

In Eventlog mode, we receive the following debug message:

Error reading event log: 1722

mdebug1("Error reading event log: %d", id);

However, if we use the eventchannel mode, we will see the following error message:

Could not EvtSubscribe() for (Security) which returned (1722)

mferror(
    "Could not EvtSubscribe() for (%s) which returned (%lu)",
    channel->evt_log,
    GetLastError());

I think that both messages should give the same information and have the same visibility (debug or error).

@JcabreraC JcabreraC self-requested a review September 11, 2019 16:23

/* Event log was closed and re-opened */
else if (id == ERROR_INVALID_HANDLE) {
mdebug1("EventLog service has been restarted. Trying to reconnect '%s' channel...", el->name);
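Review bot: the branch tests `id == ERROR_INVALID_HANDLE`, which only establishes that the handle we hold is no longer valid, yet the message states as fact that "EventLog service has been restarted"; word the message around what the code has actually observed (the handle was invalidated and the channel is being reopened), and drop the trailing "..." so the line follows the log style the review asks for.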
Contributor

Are we sure here that the service is restarted, or just that it is not running? Let's try not to finish the log messages with suspension dots.

Contributor Author

This error is prompted when EventLog is restarted and Wazuh tries to read a message from it. I'm not aware whether it could appear if something else happens (we haven't seen that behavior before). Anyway, the message could be changed just in case.

else if (id == RPC_S_SERVER_UNAVAILABLE || id == RPC_S_UNKNOWN_IF) {
/* Prevent message flooding when EventLog is stopped */
if (counter == 0) {
mwarn("Eventlog is down. Please restart the service.");
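Review bot: the `RPC_S_SERVER_UNAVAILABLE || RPC_S_UNKNOWN_IF` branch guards the warning with `if (counter == 0)`, but in the visible lines the message does not say which channel lost collection and nothing resets `counter` once reading succeeds again; include the channel name in the message and make sure the guard is re-armed on the next successful read, otherwise a second outage after a recovery would pass without any warning.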
Contributor

Change "Please restart the service" to "Unable to collect logs from channel %s".

src/logcollector/read_win_event_channel.c (outdated review thread, resolved)
@@ -522,12 +523,22 @@ DWORD WINAPI event_channel_callback(EVT_SUBSCRIBE_NOTIFY_ACTION action, os_chann
{
if (action == EvtSubscribeActionDeliver) {
send_channel_event(evt, channel);
} else {
while(1) {
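Review bot: the `while(1) {` loop in the non-deliver branch of `event_channel_callback()` has no exit in the visible lines and runs on the thread Windows uses to deliver subscription notifications, so one channel that cannot reconnect keeps that thread busy indefinitely; prefer returning from the callback after recording the failure and performing the reconnect attempts, with their back-off, from a dedicated logcollector thread, or at least bound the loop so the callback returns after each failed attempt.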
Contributor

Please check whether this blocking condition causes blocking in the reading of other channels.

Contributor Author

You cannot read other channels if EventLog is down. If you mean logcollector in general, it will still work (I tried with a localfile and it works).

if (query) {
/* Create copy of query string */
if ((channel->query = strdup(query)) == NULL) {
mferror(
Contributor

Why use mferror instead of merror? If they work similarly, use merror like the rest of the module.

Contributor Author

mferror is used just a few lines above; that's why I decided to use it.

@chemamartinez chemamartinez changed the base branch from 3.9 to 3.11 September 17, 2019 14:00
src/logcollector/read_win_event_channel.c (outdated review thread, resolved)
src/logcollector/read_win_event_channel.c (outdated review thread, resolved)
@JcabreraC
Member

JcabreraC commented Sep 24, 2019

Now we can define a reconnection time for eventchannel.

Use the label <reconnect_time> inside localfile to define the time in seconds until we try to connect again to eventchannel.

Test

Change the localfile configuration in ossec.conf:

  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <reconnect_time>40</reconnect_time>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <reconnect_time>20</reconnect_time>
  </localfile>

When the eventchannel service is down, it will show the following message in the agent ossec.log file:

2019/09/24 16:20:49 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Application channel in 40 seconds.
2019/09/24 16:20:49 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.
2019/09/24 16:20:49 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect System channel in 20 seconds.

2019/09/24 16:20:54 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.
2019/09/24 16:20:59 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.

2019/09/24 16:21:04 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.
2019/09/24 16:21:09 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect System channel in 20 seconds.
2019/09/24 16:21:09 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.

2019/09/24 16:21:14 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.
2019/09/24 16:21:19 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.

2019/09/24 16:21:24 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.
2019/09/24 16:21:29 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect System channel in 20 seconds.
2019/09/24 16:21:29 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Security channel in 5 seconds.
2019/09/24 16:21:29 ossec-agent[3012] read_win_event_channel.c:531 at event_channel_callback(): DEBUG: Trying to reconnect Application channel in 40 seconds.

@JcabreraC
Member

PR with the modification of the documentation for this function: wazuh/wazuh-documentation#1859

Contributor

@crolopez crolopez left a comment


The new option reconnect_time must be displayed in the configuration request. Please, add it to the _getLocalfilesListJSON function.

void _getLocalfilesListJSON(logreader *list, cJSON *array, int gl) {

Take into account that this field should only appear in those blocks whose log format is eventchannel (for Windows agents).

This should also apply for the only-future-events option. Take the opportunity to correct this.

We can see that the only-future-events option is appearing in a syslog block in the following API output:

{
  "error": 0,
  "data": {
     "localfile": [
        {
           "file": "Application",
           "logformat": "eventchannel",
           "ignore_binaries": "no",
           "target": [
              "agent"
           ],
           "frequency": 999,
           "only-future-events": "yes"
        },
        {
           "file": "Security",
           "logformat": "eventchannel",
           "query": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and\n      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and\n      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and\n      EventID != 5152 and EventID != 5157]",
           "ignore_binaries": "no",
           "target": [
              "agent"
           ],
           "frequency": 999,
           "only-future-events": "yes"
        },
        {
           "file": "System",
           "logformat": "eventchannel",
           "ignore_binaries": "no",
           "target": [
              "agent"
           ],
           "frequency": 999,
           "only-future-events": "yes"
        },
        {
           "file": "active-response\\active-responses.log",
           "logformat": "syslog",
           "ignore_binaries": "no",
           "target": [
              "agent"
           ],
           "only-future-events": "yes"
        },
        {
           "file": "C:\\logs\\test.log",
           "logformat": "syslog",
           "ignore_binaries": "no",
           "target": [
              "agent"
           ],
           "only-future-events": "yes"
        }
     ]
  }
}

@chemamartinez
Contributor

Notice that the configuration on-demand shows the frequency option for the Windows Event channels, which makes no sense. Can we fix it in this PR?

@JcabreraC
Member

The frequency, only-future-events and reconnect_time fields are now better displayed in the logcollector API request.

# curl -u foo:bar -k -X GET "http://10.0.0.1:55000/agents/014/config/logcollector/localfile?pretty"
{
   "error": 0,
   "data": {
      "localfile": [
         {
            "file": "Application",
            "logformat": "eventchannel",
            "ignore_binaries": "no",
            "target": [
               "agent"
            ],
            "only-future-events": "yes",
            "reconnect_time": 40
         },
         {
            "file": "Security",
            "logformat": "eventchannel",
            "query": "Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and\n      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and\n      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and\n      EventID != 5152 and EventID != 5157]",
            "ignore_binaries": "no",
            "target": [
               "agent"
            ],
            "only-future-events": "yes",
            "reconnect_time": 5
         },
         {
            "file": "System",
            "logformat": "eventchannel",
            "ignore_binaries": "no",
            "target": [
               "agent"
            ],
            "only-future-events": "yes",
            "reconnect_time": 20
         },
         {
            "file": "active-response\\active-responses.log",
            "logformat": "syslog",
            "ignore_binaries": "no",
            "target": [
               "agent"
            ]
         },
         {
            "file": "C:\\logs\\test.log",
            "logformat": "syslog",
            "ignore_binaries": "no",
            "target": [
               "agent"
            ]
         },
         {
            "logformat": "command",
            "command": "df -P",
            "alias": "df -P",
            "ignore_binaries": "no",
            "target": [
               "agent"
            ],
            "frequency": 360
         },
         {
            "logformat": "full_command",
            "command": "df -P",
            "alias": "df -P",
            "ignore_binaries": "no",
            "target": [
               "agent"
            ],
            "frequency": 360
         }
      ]
   }
}

@wazuh/frontend the new tag reconnect_time must be displayed in the kibana app.

@@ -136,6 +138,13 @@ int Read_Localfile(XML_NODE node, void *d1, __attribute__((unused)) void *d2)
logf[pl].out_format[n]->target = target ? strdup(target) : NULL;
os_strdup(node[i]->content, logf[pl].out_format[n]->format);
logf[pl].out_format[n + 1] = NULL;
} else if (strcmp(node[i]->element, xml_localfile_reconnect_time) == 0) {
int time = atoi(node[i]->content);
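Review bot: `int time = atoi(node[i]->content);` accepts any string silently: a non-numeric or empty value becomes 0 and a negative value passes through unchanged, neither of which is a usable reconnect interval, and the local name `time` shadows the C library `time()` function. Parse with `strtol()` and check the end pointer (or the suffix-aware parser the review asks for), reject values below the allowed minimum with a configuration error, and rename the variable, e.g. `reconnect_time`.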
Contributor

Let's use the standard format in Wazuh for timing settings, allowing a suffix such as s, m, h...

src/logcollector/read_win_el.c (review thread, resolved)
@@ -537,9 +550,10 @@ void win_start_event_channel(char *evt_log, char future, char *query)
EVT_HANDLE bookmark = NULL;
EVT_HANDLE result = NULL;
int status = 0;
static int counter = 0;
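Review bot: `static int counter = 0;` inside `win_start_event_channel()` is a single variable shared by every channel's thread, so it is both racy (an unsynchronised read-modify-write) and semantically wrong for a per-channel "warn once" guard, since the first channel to fail suppresses the warning for all the others; move the flag into the per-channel structure that the callback already receives, or, if a process-wide counter is really intended, protect it with a mutex.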
Contributor

Same here: Logcollector is multithreaded, so using a static variable here is thread-unsafe unless it is protected by mutexes when writing and reading it. Let's protect that variable or look for another way to show the log just once.

@SalvaMilenario
Contributor

Hi

I have solved in 'eventchannel' the problem of the multiple messages that @cristgl reported.

Regards.

@SalvaMilenario SalvaMilenario force-pushed the fix-eventlog-restart-3792 branch 2 times, most recently from 606a3aa to 9bb62c3 Compare November 12, 2019 15:06
@SalvaMilenario
Contributor

Hi

I have been repeating the test that @cristgl made. I have reproduced the problem where the message "2019/11/12 10:44:43 ossec-agent: WARNING: The eventlog service is down. Unable to collect logs from its channels." was shown multiple times, and the commit 6ad55a4 solves it. Now one message is sent for every channel that stops in eventchannel.

In addition, I have added the standard format in Wazuh for timing settings in the option reconnect_time, allowing a suffix such as s for the seconds, m for the minutes, h for the hours, d for the days and w for the weeks. 9bb62c3

Regards.
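As an added example covering both the `<reconnect_time>` option described by @JcabreraC above and the suffix format mentioned in this comment: a parser for values such as `40`, `40s`, `2m`, `1h`, `1d` and `1w`, the default-when-absent and minimum rules discussed in the review, and a pass over a constructed set of `<localfile>` entries that applies the option only to `eventchannel` blocks. This is not Wazuh's own time parser or `logreader` structure; the constant names, `localfile_cfg` and the `resolve_*` functions are assumptions made for this page.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values discussed in the review thread: 5 s default when the tag is absent,
 * 1 s as the smallest value accepted. Names are assumptions, not Wazuh's. */
#define DEFAULT_EVENTCHANNEL_REC_TIME 5   /* seconds */
#define MIN_EVENTCHANNEL_REC_TIME 1       /* seconds */

/* Parse a timing value with the suffix set named in the thread
 * (none or 's' = seconds, 'm' = minutes, 'h' = hours, 'd' = days, 'w' = weeks).
 * Returns the number of seconds, or -1 on any syntax error or overflow. */
long parse_time_with_suffix(const char *s)
{
    if (s == NULL || *s == '\0')
        return -1;
    char *end;
    errno = 0;
    long value = strtol(s, &end, 10);
    if (errno != 0 || end == s || value < 0)
        return -1;                       /* not a number, or negative */
    long mult;
    switch (*end) {
    case '\0': case 's': mult = 1; break;
    case 'm': mult = 60; break;
    case 'h': mult = 3600; break;
    case 'd': mult = 86400; break;
    case 'w': mult = 604800; break;
    default:  return -1;                 /* unknown suffix */
    }
    if (*end != '\0' && end[1] != '\0')
        return -1;                       /* trailing characters after the suffix */
    if (value > LONG_MAX / mult)
        return -1;                       /* would overflow */
    return value * mult;
}

/* Resolve the effective reconnect interval for one <localfile> block.
 * tag_value is the text of <reconnect_time>, or NULL when the tag is absent.
 * Returns seconds, or -1 when the value is unparsable or below the minimum;
 * the caller should treat -1 as a configuration error, never as "0 seconds". */
long resolve_reconnect_time(const char *tag_value)
{
    if (tag_value == NULL)
        return DEFAULT_EVENTCHANNEL_REC_TIME;
    long secs = parse_time_with_suffix(tag_value);
    if (secs < MIN_EVENTCHANNEL_REC_TIME)
        return -1;
    return secs;
}

/* Constructed stand-in for parsed <localfile> entries (not Wazuh's logreader). */
typedef struct {
    const char *location;
    const char *log_format;
    const char *reconnect_time;   /* raw tag text, NULL if not configured */
} localfile_cfg;

/* Fill out[] with the reconnect interval per entry: 0 for non-eventchannel
 * entries (the option only applies to eventchannel, as the review notes),
 * -1 for invalid values. Returns the number of invalid entries found. */
int resolve_all(const localfile_cfg *cfg, size_t n, long *out)
{
    int invalid = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cfg[i].log_format, "eventchannel") != 0) {
            out[i] = 0;
            continue;
        }
        out[i] = resolve_reconnect_time(cfg[i].reconnect_time);
        if (out[i] < 0)
            invalid++;
    }
    return invalid;
}

int main(void)
{
    /* Constructed entries mirroring the test configuration in the comment above. */
    const localfile_cfg cfg[] = {
        { "Application", "eventchannel", "40" },
        { "Security",    "eventchannel", NULL },
        { "System",      "eventchannel", "20" },
        { "C:\\logs\\test.log", "syslog", NULL },
    };
    long out[4];
    int bad = resolve_all(cfg, 4, out);
    for (size_t i = 0; i < 4; i++)
        printf("%-18s reconnect_time=%ld\n", cfg[i].location, out[i]);
    printf("invalid entries: %d\n", bad);
    return 0;
}
```

Returning -1 rather than falling back to 0 on a bad value is deliberate: a reconnect interval of 0 would turn the back-off into a busy loop, which is the flood the original issue describes.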

@chemamartinez chemamartinez changed the base branch from 3.11 to 3.12 November 26, 2019 10:13
@@ -14,6 +14,7 @@
#define EVENTLOG "eventlog"
#define EVENTCHANNEL "eventchannel"
#define DATE_MODIFIED 1
#define MIN_EVENTCHANNEL_REC_TIME 5
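Review bot: `#define MIN_EVENTCHANNEL_REC_TIME 5` carries neither a unit nor a comment, and its name says "minimum" while the surrounding discussion uses 5 as the default reconnect interval; add a trailing comment giving the unit (seconds), name the constant for what it is (`DEFAULT_EVENTCHANNEL_REC_TIME`), and keep any true lower bound as a separate, clearly named constant.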
Contributor

Change this define to DEFAULT_EVENTCHANNEL_REC_TIME. The minimum allowed value will be one second.
