Merge remote-tracking branch 'pbcullen/topic/pbcullen/shadow-file-han…

…dling' * pbcullen/topic/pbcullen/shadow-file-handling: reformat changes Gracefully handle empty/missing shadow file
zeek · Apr 26, 2024 · ad6d70d · ad6d70d
2 parents 7fdbb73 + dc54b14
commit ad6d70d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 9 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,13 @@
+7.0.0-dev.187 | 2024-04-26 12:29:18 -0700
+
+  * Gracefully handle empty/missing shadow file (Peter Cullen, Corelight)
+
+    When a shadow file is empty/missing during rotation, Zeek aborts
+    with an error message, but if the shadow file was empty, it'll still
+    be there after the restart, causing an endless restart loop. This
+    solution gracefully handles the rotation in such cases using the
+    default file extension and post processing function.
+
 7.0.0-dev.184 | 2024-04-26 11:17:52 -0700
 
   * GH-3671: Factor in caplens in ICMPAnalyzer::DeliverPacket length calculations (Christian Kreibich, Corelight)

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-7.0.0-dev.184
+7.0.0-dev.187
diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc
@@ -116,10 +116,14 @@ TEST_CASE("writers.ascii prefix_basename_with") {
 
 static std::optional<LeftoverLog> parse_shadow_log(const std::string& fname) {
     auto sfname = prefix_basename_with(fname, shadow_file_prefix);
+    string default_ext = "." + Ascii::LogExt();
+    if ( BifConst::LogAscii::gzip_level > 0 )
+        default_ext += ".gz";
 
     LeftoverLog rval = {};
     rval.filename = fname;
     rval.shadow_filename = std::move(sfname);
+    rval.extension = default_ext;
 
     auto sf_stream = fopen(rval.shadow_filename.data(), "r");
 
@@ -165,15 +169,16 @@ static std::optional<LeftoverLog> parse_shadow_log(const std::string& fname) {
     auto sf_lines = util::tokenize_string(sf_view, '\n');
 
     if ( sf_lines.size() < 2 ) {
-        rval.error = util::
-            fmt("Found leftover log, '%s', but the associated shadow "
-                " file, '%s', required to process it is invalid",
-                rval.filename.data(), rval.shadow_filename.data());
-        return rval;
+        reporter->Warning(
+            "Found leftover log, '%s', but the associated shadow "
+            " file, '%s', required to process it is invalid: using default "
+            " for extension (%s) and post_proc_func",
+            rval.filename.data(), rval.shadow_filename.data(), default_ext.data());
+    }
+    else {
+        rval.extension = sf_lines[0];
+        rval.post_proc_func = sf_lines[1];
     }
-
-    rval.extension = sf_lines[0];
-    rval.post_proc_func = sf_lines[1];
 
     struct stat st;