
mysql.log not generated while executing some rows-affected commands #334

Open
singchia opened this Issue Apr 12, 2019 · 1 comment

singchia commented Apr 12, 2019

1. linux env:

```
> cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)
> uname -r
3.10.0-514.el7.x86_64
```

2. bro env:

```
> /usr/local/bro/bin/bro -v
/usr/local/bro/bin/bro version 2.6-205
```

and the scripts exist and have never been modified since installation:

```
> ll /usr/local/bro/share/bro/base/protocols/mysql
-rw-r--r-- 1 root root   13 Apr 10 13:47 __load__.bro
-rw-r--r-- 1 root root  867 Apr 10 13:47 consts.bro
-rw-r--r-- 1 root root 2846 Apr 10 13:47 main.bro
```

3. mysql env:

server:

```
> /usr/libexec/mysqld -V
/usr/libexec/mysqld  Ver 5.5.60-MariaDB for Linux on x86_64 (MariaDB Server)
190412 16:59:15 [Note] /usr/libexec/mysqld (mysqld 5.5.60-MariaDB) starting as process 98902 ...
```

client:

```
> /usr/bin/mysql -V
/usr/bin/mysql  Ver 14.14 Distrib 5.7.25, for Linux (x86_64) using  EditLine wrapper
```

4. conn.log got 3306 connections:

```
1555060574.930048	Ca8ipuBV6vszG5hze	10.203.66.36	38368	10.203.66.33	3306	tcp	-	0.001689	0	0	RSTOS0	T	T	0	ScR	2	84	0	0	-
1555060575.097041	CSyLOc2fguaYmyCkAa	10.203.66.36	54206	10.203.66.33	3306	tcp	-	0.002673	0	0	SH	T	T	0	ScAF	5	268	0	0	-
```

5. tcpdump can capture the related packets:

```
> tcpdump -i eth0 port 3306 -en -v
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:40:07.529314 d0:4d:f5:8a:46:dc > d0:0d:3f:22:58:a6, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 35172, offset 0, flags [DF], proto TCP (6), length 68)
    10.203.66.36.51050 > 10.203.66.33.mysql: Flags [P.], cksum 0x21a9 (correct), seq 103526754:103526770, ack 368575680, win 254, options [nop,nop,TS val 330303613 ecr 3205172492], length 16
16:40:07.529638 d0:0d:3f:22:58:a6 > d0:4d:f5:8a:46:dc, ethertype IPv4 (0x0800), length 198: (tos 0x8, ttl 64, id 15406, offset 0, flags [DF], proto TCP (6), length 184)
    10.203.66.33.mysql > 10.203.66.36.51050: Flags [P.], cksum 0x9a85 (incorrect -> 0xe100), seq 1:133, ack 16, win 235, options [nop,nop,TS val 3205308385 ecr 330303613], length 132
16:40:07.530516 d0:4d:f5:8a:46:dc > d0:0d:3f:22:58:a6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 35173, offset 0, flags [DF], proto TCP (6), length 52)
    10.203.66.36.51050 > 10.203.66.33.mysql: Flags [.], cksum 0x3990 (correct), ack 133, win 262, options [nop,nop,TS val 330303615 ecr 3205308385], length 0
```
jsiwek (Member) commented Apr 13, 2019

If you have TCP checksums being offloaded to the NIC (I see one incorrect cksum in your tcpdump output), that can be a common reason for missing logs. See:

https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums

Or if that's not the issue, it's easiest if you can upload a pcap file that can be used to reproduce the issue.
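The checksum hint above can be checked mechanically before uploading a pcap. The following Python script is an added example (not code from this issue or from the Zeek project): it parses the per-packet lines that `tcpdump -v` prints, tallies correct versus incorrect TCP checksums per source host, and names hosts whose packets are *only* ever seen with bad checksums, which is the pattern that TX checksum offload on the capturing host produces (the kernel hands the NIC a placeholder checksum, the capture sees the placeholder, and Zeek's checksum validation then discards those segments so the MySQL analyzer never sees the server side of the conversation). The sample input is constructed to mirror the format of the tcpdump output in this issue, and the function names are the example's own.

```python
import re
from collections import defaultdict

# Matches the second line tcpdump -v prints per TCP packet, e.g.
#   10.203.66.33.mysql > 10.203.66.36.51050: Flags [P.], cksum 0x9a85 (incorrect -> 0xe100), ...
# Ports may be numeric or service names (mysql), so \w+ is used for both.
CKSUM_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\w+): "
    r"Flags \[[^\]]*\], cksum 0x[0-9a-fA-F]+ \((?P<status>correct|incorrect)"
)

# Constructed sample in the shape of `tcpdump -i eth0 port 3306 -en -v` output.
# The server side (.33) is the capturing host; every segment it sends shows a bad
# checksum, while the client side (.36) always verifies.
SAMPLE_TCPDUMP = """\
16:40:07.529314 d0:4d:f5:8a:46:dc > d0:0d:3f:22:58:a6, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 35172, offset 0, flags [DF], proto TCP (6), length 68)
    10.203.66.36.51050 > 10.203.66.33.mysql: Flags [P.], cksum 0x21a9 (correct), seq 1:17, ack 1, win 254, length 16
16:40:07.529638 d0:0d:3f:22:58:a6 > d0:4d:f5:8a:46:dc, ethertype IPv4 (0x0800), length 198: (tos 0x8, ttl 64, id 15406, offset 0, flags [DF], proto TCP (6), length 184)
    10.203.66.33.mysql > 10.203.66.36.51050: Flags [P.], cksum 0x9a85 (incorrect -> 0xe100), seq 1:133, ack 16, win 235, length 132
16:40:07.530516 d0:4d:f5:8a:46:dc > d0:0d:3f:22:58:a6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 35173, offset 0, flags [DF], proto TCP (6), length 52)
    10.203.66.36.51050 > 10.203.66.33.mysql: Flags [.], cksum 0x3990 (correct), ack 133, win 262, length 0
16:40:07.531002 d0:0d:3f:22:58:a6 > d0:4d:f5:8a:46:dc, ethertype IPv4 (0x0800), length 120: (tos 0x8, ttl 64, id 15407, offset 0, flags [DF], proto TCP (6), length 106)
    10.203.66.33.mysql > 10.203.66.36.51050: Flags [P.], cksum 0x1c2d (incorrect -> 0x7a91), seq 133:187, ack 16, win 235, length 54
"""


def parse_cksum_lines(text):
    """Yield (src_ip, dst_ip, checksum_ok) for every TCP packet line tcpdump printed."""
    packets = []
    for line in text.splitlines():
        m = CKSUM_RE.search(line)
        if m:
            packets.append((m.group("src"), m.group("dst"), m.group("status") == "correct"))
    return packets


def checksum_report(text):
    """Per source host: how many segments had a correct vs. incorrect TCP checksum."""
    per_src = defaultdict(lambda: {"correct": 0, "incorrect": 0})
    for src, _dst, ok in parse_cksum_lines(text):
        per_src[src]["correct" if ok else "incorrect"] += 1
    return dict(per_src)


def offload_suspects(text):
    """Hosts that never produced a verifiable checksum in the capture.

    A mix of good and bad checksums from one host points at real corruption or
    a middlebox; all-bad from one host (typically the capturing host itself) is
    the signature of TX checksum offload, which makes Zeek drop those segments
    unless checksum validation is disabled.
    """
    report = checksum_report(text)
    return sorted(h for h, c in report.items() if c["incorrect"] > 0 and c["correct"] == 0)


if __name__ == "__main__":
    for host, counts in sorted(checksum_report(SAMPLE_TCPDUMP).items()):
        print(f"{host:16} correct={counts['correct']} incorrect={counts['incorrect']}")
    suspects = offload_suspects(SAMPLE_TCPDUMP)
    if suspects:
        print("checksum-offload suspects:", ", ".join(suspects))
        print("consider: ethtool -K <iface> tx off rx off, or run Zeek with -C "
              "(redef ignore_checksums = T) if the capture host cannot be changed")
```

Run it against real output with `tcpdump -i eth0 port 3306 -v -nn | python3 cksum_check.py` after swapping `SAMPLE_TCPDUMP` for `sys.stdin.read()`. If the capturing host shows up as a suspect, the missing mysql.log is consistent with the checksum explanation: either disable offloading on the capture interface with `ethtool -K <iface> tx off rx off`, or tell Zeek to skip checksum validation (`-C` on the command line, or `redef ignore_checksums = T;` in a script). Skipping validation trades away Zeek's protection against feeding corrupted segments into analyzers, so fixing the capture side is the better long-term choice.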
