Bug #74
closedThe logging subsystem is not thread safe.
Description
Creating multiple output threads results in corrupted log files as it appears as if thread is creating it's own LogFileCtx instead of sharing one between threads.
ThreadVars *tv_outputs1 = TmThreadCreatePacketHandler("Outputs",
"alert-queue1", "simple", "packetpool", "packetpool", "varslot");
SetupOutputs(tv_outputs1);
TmThreadSetCPUAffinity(tv_outputs1, 0);
if (TmThreadSpawn(tv_outputs1) != TM_ECODE_OK) {
printf("ERROR: TmThreadSpawn failed\n");
exit(EXIT_FAILURE);
}
........
ThreadVars *tv_outputs4 = TmThreadCreatePacketHandler("Outputs",
"alert-queue4", "simple", "packetpool", "packetpool", "varslot");
SetupOutputs(tv_outputs4);
TmThreadSetCPUAffinity(tv_outputs4, 1);
if (TmThreadSpawn(tv_outputs4) != TM_ECODE_OK) {
printf("ERROR: TmThreadSpawn failed\n");
exit(EXIT_FAILURE);
}
lsof +d /var/log/suricata/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 3125 root cwd DIR 253,0 32768 44564496 /var/log/suricata/
suricata 27006 root 3u REG 253,0 17167 44564481 /var/log/suricata/stats.log
suricata 27006 root 8w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 9w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 10w REG 253,0 806873 44564484 /var/log/suricata/http.log
suricata 27006 root 11w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 12w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 13w REG 253,0 806873 44564484 /var/log/suricata/http.log
suricata 27006 root 14w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 15w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 16w REG 253,0 806873 44564484 /var/log/suricata/http.log
suricata 27006 root 17w REG 253,0 433146 44564482 /var/log/suricata/fast.log
suricata 27006 root 18w REG 253,0 631211 44564485 /var/log/suricata/unified2.alert.1264608900
suricata 27006 root 19w REG 253,0 806873 44564484 /var/log/suricata/http.log
lsof 27061 root cwd DIR 253,0 32768 44564496 /var/log/suricata/
lsof 27062 root cwd DIR 253,0 32768 44564496 /var/log/suricata/
barnyard226645: FATAL ERROR: Unknown record type read: 1697542248
01/27/10-16:15:01.654910 [**] [1:2008974:4] ET USER_AGENTS Suspicious User Agent (User-Agent: Mozilla/4.0 (compatible)) [**] [Classification: A Net01/27/10-16:15:01.646490 [**] [1:2008974:4] ET USER_AGENTS Suspicious User Agent (User-Agent: Mozilla/4.0 (compatible)) [**] [Classification: A Network Trojan was detected] [Priority: 3] {6} y.y.y.y:1243 -> y.y.y.y:80
Files
Updated by Will Metcalf almost 15 years ago
I guess I should say "output" instead of logging subsys. Don't want to pick on Anoop ;-).....
Updated by Victor Julien almost 15 years ago
- Assignee changed from Pablo Rincon to Jason Ish
This issue may actually have been caused by Ish' latest output work... reassigning.
Updated by Jason Ish almost 15 years ago
- File 0001-Fix-issue-74.patch 0001-Fix-issue-74.patch added
- Status changed from New to Resolved
The attached patch should fix this issue.
Updated by Victor Julien almost 15 years ago
- Status changed from Resolved to Closed
Applied, thanks Jason.