slackhq / go-audit

go-audit is an alternative to the auditd daemon that ships with many distros

Process dies and go-audit stops logging

thisisatest012 opened this issue

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

After proper deployment of go-audit, the service functions as it should for some time and then it randomly stops logging to file (var/log/go-audit.log). Service shows as functioning and restarting the service does not fix the issue. Increasing the socket.buffer size in go-audit.yaml does not fix the issue.

This issue was reproducible in both Ubuntu and openSUSE. Reverting to older VM snapshots resulted in logging being restored; however, after some time or even a reboot the service still stops logging to file. I don't think this is a resource issue, and both VMs have plenty of drive space.

Reproducible in:

go-audit version: 1.0.0
OS version(s): Ubuntu 20.04.1 LTS
OS version(s): opensuse 15.2

Expected result:

Process does not stop logging.

Actual result:

Process stops logging after working for some time.

Attachments:

root@ubuntu:/var/log# service go-audit status
● go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 17:42:06 PST; 35min ago
Main PID: 13144 (go-audit)
Tasks: 7 (limit: 2281)
Memory: 6.3M
CGroup: /system.slice/go-audit.service
└─13144 /usr/local/bin/go-audit -config /etc/go-audit.yaml

Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #193
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #194
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #195
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #196
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #197
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #198
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall 42 containing message type 1306 matching string saddr=(0200....7F|01>
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `` containing message type 1305matching string.*`
Jan 07 17:42:06 ubuntu go-audit[13144]: Socket receive buffer size: 212992
Jan 07 17:42:06 ubuntu go-audit[13144]: Started processing events in the range [1300, 1399]

I could not find any other system logs that hint at any related issues... Any help would be much appreciated!

Out of curiosity, which version of golang did you use to build go-audit?
I noticed go-audit wouldn't capture events when built with go 1.13, but it worked fine on ubuntu 20.04 when built with go 1.17.

If the process dies, I'm guessing there's some uncaught exception. May help to manually run it in stdout mode in a terminal, and see what traceback message appears when it crashes.