Bug #74

closed

The logging subsystem is not thread safe.

Added by Will Metcalf about 14 years ago. Updated about 14 years ago.

Status: Closed
Priority: Normal

Description

Creating multiple output threads results in corrupted log files, as it appears that each thread is creating its own LogFileCtx instead of sharing one between threads.

ThreadVars *tv_outputs1 = TmThreadCreatePacketHandler("Outputs",
        "alert-queue1", "simple", "packetpool", "packetpool", "varslot");
SetupOutputs(tv_outputs1);
TmThreadSetCPUAffinity(tv_outputs1, 0);
if (TmThreadSpawn(tv_outputs1) != TM_ECODE_OK) {
    printf("ERROR: TmThreadSpawn failed\n");
    exit(EXIT_FAILURE);
}
........
ThreadVars *tv_outputs4 = TmThreadCreatePacketHandler("Outputs",
        "alert-queue4", "simple", "packetpool", "packetpool", "varslot");
SetupOutputs(tv_outputs4);
TmThreadSetCPUAffinity(tv_outputs4, 1);
if (TmThreadSpawn(tv_outputs4) != TM_ECODE_OK) {
    printf("ERROR: TmThreadSpawn failed\n");
    exit(EXIT_FAILURE);
}

lsof +d /var/log/suricata/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 3125 root cwd DIR 253,0 32768 44564496 /var/log/suricata/
suricata 27006 root 3u REG 253,0 17167 44564481 /var/log/suricata/stats.log
suricata 27006 root 8w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 9w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 10w REG 253,0 806873 44564484 /var/log/suricata/http.log
suricata 27006 root 11w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 12w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 13w REG 253,0 806873 44564484 /var/log/suricata/http.log
suricata 27006 root 14w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 15w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 16w REG 253,0 806873 44564484 /var/log/suricata/http.log
suricata 27006 root 17w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 18w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 19w REG 253,0 806873 44564484 /var/log/suricata/http.log
lsof 27061 root cwd DIR 253,0 32768 44564496 /var/log/suricata/
lsof 27062 root cwd DIR 253,0 32768 44564496 /var/log/suricata/

barnyard226645: FATAL ERROR: Unknown record type read: 1697542248

01/27/10-16:15:01.654910 [**] [1:2008974:4] ET USER_AGENTS Suspicious User Agent (User-Agent: Mozilla/4.0 (compatible)) [**] [Classification: A Net01/27/10-16:15:01.646490 [**] [1:2008974:4] ET USER_AGENTS Suspicious User Agent (User-Agent: Mozilla/4.0 (compatible)) [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} y.y.y.y:1243 -> y.y.y.y:80
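One way the symptom above can arise, as an added example that is not part of the original report or of Suricata's code: when each writer thread has a private buffered context on the same append-mode file, buffer flushes land mid-record and produce a truncated record followed by a complete one, while a single shared, locked context keeps every line whole. `LogCtx`, `log_record` and `damaged_lines` are hypothetical names, and the record text is constructed.

```c
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define WRITERS 4
#define RECORDS 200
#define BUFSZ   1000
/* Constructed record, shaped like the fast.log line in the report. */
static const char REC[] =
    "[**] [1:2008974:4] constructed alert [**] {6} y.y.y.y:1243 -> y.y.y.y:80\n";
/* Hypothetical output context (not Suricata's LogFileCtx): fd, buffer, lock. */
typedef struct { int fd; size_t len; char buf[BUFSZ]; pthread_mutex_t m; } LogCtx;
static void log_flush(LogCtx *c) {
    if (c->len && write(c->fd, c->buf, c->len) < 0) perror("write");
    c->len = 0;
}
static void log_record(LogCtx *c, const char *rec) {
    pthread_mutex_lock(&c->m);  /* only serializes writers sharing this ctx */
    for (; *rec; rec++) {
        if (c->len == BUFSZ) log_flush(c);  /* buffer fills mid-record */
        c->buf[c->len++] = *rec;
    }
    pthread_mutex_unlock(&c->m);
}
static void *writer(void *arg) {
    for (int i = 0; i < RECORDS; i++) log_record(arg, REC);
    return NULL;
}
/* share=0: a ctx per thread (the bug); share=1: one ctx. Returns damaged lines. */
int damaged_lines(const char *path, int share) {
    LogCtx ctx[WRITERS];
    pthread_t t[WRITERS];
    char line[512];
    int n = share ? 1 : WRITERS, bad = 0;
    for (int i = 0; i < n; i++) {
        ctx[i].fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_TRUNC, 0600);
        ctx[i].len = 0;
        pthread_mutex_init(&ctx[i].m, NULL);
    }
    for (int i = 0; i < WRITERS; i++) pthread_create(&t[i], NULL, writer, &ctx[i % n]);
    for (int i = 0; i < WRITERS; i++) pthread_join(t[i], NULL);
    for (int i = 0; i < n; i++) { log_flush(&ctx[i]); close(ctx[i].fd); }
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    while (fgets(line, sizeof line, fp)) bad += strcmp(line, REC) != 0;
    fclose(fp);
    return bad;
}
```

Call `damaged_lines(path, 0)` and `damaged_lines(path, 1)` from a `main()` and build with `-pthread`; the per-context mutex does nothing for the first case because no two threads ever take the same lock.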


Files

0001-Fix-issue-74.patch (5.28 KB) Jason Ish, 01/31/2010 01:54 AM

Actions #1

Updated by Will Metcalf about 14 years ago

I guess I should say "output" instead of logging subsys. Don't want to pick on Anoop ;-).....

Actions #2

Updated by Victor Julien about 14 years ago

  • Assignee changed from Pablo Rincon to Jason Ish

This issue may actually have been caused by Ish's latest output work... reassigning.

Actions #3

Updated by Jason Ish about 14 years ago

The attached patch should fix this issue.

Actions #4

Updated by Victor Julien about 14 years ago

  • Status changed from Resolved to Closed

Applied, thanks Jason.
