Open cl-tim opened 1 year ago
I'm also seeing this message in the logs appearing over and over around these "not correctly formatted" errors - not sure if it's related:
2023-09-09T14:53:09.412782579Z (node:7) MaxListenersExceededWarning: Possible EventEmitter memory leak detected. 11 abort listeners added to [EventEmitter]. Use emitter.setMaxListeners() to increase limit
Hi @cl-tim, I don't think there is any problem with the platform. Looks like your bundle is full of bad domains. In this case the platform checks and fails, and if your bundle is full of failures it will take time but will finish at some point.
We can see in your logs that it is not a loop but 2 different domains.
{"value":"adsl."}
{"value":"dhcp."}
Now if you are able to have some error logs that are looping on the same error, please add the bundle in the ticket for us to be able to reproduce.
For the Possible EventEmitter memory leak detected, it's a warning of the elasticsearch client, nothing to worry about.
Yeah I'm seeing it looping on the same error. I just picked those two samples to show there was more than one bad domain.
I'll attach the logs when I can export them. Do you need just the opencti container log, or logs from the other containers too?
If you can upload a bundle so that I can try to reproduce the loop, thanks.
Description
Invalid Domain Names from external sources are causing workers to stop processing some queues.
Environment
Reproducible Steps
N/A - STIX bundle seems to have come from the Google DNS connector, but difficult to tell as it has affected several enrichment connectors.
Expected Output
Engine should skip the invalid record but it's just attempting to ingest it over and over. I have 250k queued bundles that aren't getting processed now.
Actual Output
N/A
Additional information
Two samples of these errors from the opencti container log:
2023-09-09T10:27:33.760594046Z {"category":"APP","error":{"data":{"category":"business","http_status":400,"observableSyntaxResult":"Valid domain name","reason":"Observable of type Domain-Name is not correctly formatted."},"stacktrace":["FunctionalError: Business validation","at error (/opt/opencti/build/src/config/errors.js:8:10)","at FunctionalError (/opt/opencti/build/src/config/errors.js:87:50)","at addStixCyberObservable (/opt/opencti/build/src/domain/stixCyberObservable.js:214:11)","at Object.resolve [as stixCyberObservableAdd] (/opt/opencti/build/src/resolvers/stixCyberObservable.js:123:51)","at fieldResolver (/opt/opencti/build/src/graphql/authDirective.js:59:24)","at resolveFn (/opt/opencti/build/node_modules/apollo-server-core/src/utils/schemaInstrumentation.ts:106:18)","at executeField (/opt/opencti/build/node_modules/graphql/execution/execute.js:492:20)","at callbackFn (/opt/opencti/build/node_modules/graphql/execution/execute.js:377:22)","at promiseReduce (/opt/opencti/build/node_modules/graphql/jsutils/promiseReduce.js:23:9)","at executeFieldsSerially (/opt/opencti/build/node_modules/graphql/execution/execute.js:373:29)","at executeOperation (/opt/opencti/build/node_modules/graphql/execution/execute.js:347:14)","at execute (/opt/opencti/build/node_modules/graphql/execution/execute.js:136:20)","at execute (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:501:20)","at processGraphQLRequest (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:407:28)"]},"inner_relation_creation":0,"level":"error","message":"API Call","operation":"StixCyberObservableAdd","operation_query":"mutation 
StixCyberObservableAdd($type:String!$stix_id:StixId$x_opencti_score:Int$x_opencti_description:String$createIndicator:Boolean$createdBy:String$objectMarking:[String]$objectLabel:[String]$objectOrganization:[String]$externalReferences:[String]$AutonomousSystem:AutonomousSystemAddInput$Directory:DirectoryAddInput$DomainName:DomainNameAddInput$EmailAddr:EmailAddrAddInput$EmailMessage:EmailMessageAddInput$EmailMimePartType:EmailMimePartTypeAddInput$Artifact:ArtifactAddInput$StixFile:StixFileAddInput$X509Certificate:X509CertificateAddInput$IPv4Addr:IPv4AddrAddInput$IPv6Addr:IPv6AddrAddInput$MacAddr:MacAddrAddInput$Mutex:MutexAddInput$NetworkTraffic:NetworkTrafficAddInput$Process:ProcessAddInput$Software:SoftwareAddInput$Url:UrlAddInput$UserAccount:UserAccountAddInput$WindowsRegistryKey:WindowsRegistryKeyAddInput$WindowsRegistryValueType:WindowsRegistryValueTypeAddInput$CryptographicKey:CryptographicKeyAddInput$CryptocurrencyWallet:CryptocurrencyWalletAddInput$Hostname:HostnameAddInput$Text:TextAddInput$UserAgent:UserAgentAddInput$BankAccount:BankAccountAddInput$PhoneNumber:PhoneNumberAddInput$PaymentCard:PaymentCardAddInput$MediaContent:MediaContentAddInput){stixCyberObservableAdd(type:$type stix_id:$stix_id x_opencti_score:$x_opencti_score x_opencti_description:$x_opencti_description createIndicator:$createIndicator createdBy:$createdBy objectMarking:$objectMarking objectLabel:$objectLabel externalReferences:$externalReferences objectOrganization:$objectOrganization AutonomousSystem:$AutonomousSystem Directory:$Directory DomainName:$DomainName EmailAddr:$EmailAddr EmailMessage:$EmailMessage EmailMimePartType:$EmailMimePartType Artifact:$Artifact StixFile:$StixFile X509Certificate:$X509Certificate IPv4Addr:$IPv4Addr IPv6Addr:$IPv6Addr MacAddr:$MacAddr Mutex:$Mutex NetworkTraffic:$NetworkTraffic Process:$Process Software:$Software Url:$Url UserAccount:$UserAccount WindowsRegistryKey:$WindowsRegistryKey WindowsRegistryValueType:$WindowsRegistryValueType 
CryptographicKey:$CryptographicKey CryptocurrencyWallet:$CryptocurrencyWallet Hostname:$Hostname Text:$Text UserAgent:$UserAgent BankAccount:$BankAccount PhoneNumber:$PhoneNumber PaymentCard:$PaymentCard MediaContent:$MediaContent){id standard_id entity_type parent_types indicators{edges{node{id pattern pattern_type}}}}}","size":267,"time":1,"timestamp":"2023-09-09T10:27:33.760Z","type":"WRITE_ERROR","user":{"group_ids":["7ab351e3-15e5-4cf8-bc6e-8cea07c0c174","7b2aaa03-bef3-4e4b-84c4-a16e07359d5b","5336f103-3afc-4fa2-93b6-3786804b5b25"],"ip":"::ffff:172.18.0.6","organization_ids":[],"socket":"query","user_id":"bc867313-45a9-4ad6-b090-20e59293f2bd"},"variables":{"DomainName":{"value":"adsl."},"createIndicator":false,"createdBy":null,"externalReferences":null,"objectLabel":null,"objectMarking":null,"objectOrganization":null,"stix_id":null,"type":"Domain-Name","update":true,"x_opencti_description":null,"x_opencti_score":null},"version":"5.10.1"}
2023-09-09T10:23:26.645190279Z {"category":"APP","error":{"data":{"category":"business","http_status":400,"observableSyntaxResult":"Valid domain name","reason":"Observable of type Domain-Name is not correctly formatted."},"stacktrace":["FunctionalError: Business validation","at error (/opt/opencti/build/src/config/errors.js:8:10)","at FunctionalError (/opt/opencti/build/src/config/errors.js:87:50)","at addStixCyberObservable (/opt/opencti/build/src/domain/stixCyberObservable.js:214:11)","at Object.resolve [as stixCyberObservableAdd] (/opt/opencti/build/src/resolvers/stixCyberObservable.js:123:51)","at fieldResolver (/opt/opencti/build/src/graphql/authDirective.js:59:24)","at resolveFn (/opt/opencti/build/node_modules/apollo-server-core/src/utils/schemaInstrumentation.ts:106:18)","at executeField (/opt/opencti/build/node_modules/graphql/execution/execute.js:492:20)","at callbackFn (/opt/opencti/build/node_modules/graphql/execution/execute.js:377:22)","at promiseReduce (/opt/opencti/build/node_modules/graphql/jsutils/promiseReduce.js:23:9)","at executeFieldsSerially (/opt/opencti/build/node_modules/graphql/execution/execute.js:373:29)","at executeOperation (/opt/opencti/build/node_modules/graphql/execution/execute.js:347:14)","at execute (/opt/opencti/build/node_modules/graphql/execution/execute.js:136:20)","at execute (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:501:20)","at processGraphQLRequest (/opt/opencti/build/node_modules/apollo-server-core/src/requestPipeline.ts:407:28)"]},"inner_relation_creation":0,"level":"error","message":"API Call","operation":"StixCyberObservableAdd","operation_query":"mutation 
StixCyberObservableAdd($type:String!$stix_id:StixId$x_opencti_score:Int$x_opencti_description:String$createIndicator:Boolean$createdBy:String$objectMarking:[String]$objectLabel:[String]$objectOrganization:[String]$externalReferences:[String]$AutonomousSystem:AutonomousSystemAddInput$Directory:DirectoryAddInput$DomainName:DomainNameAddInput$EmailAddr:EmailAddrAddInput$EmailMessage:EmailMessageAddInput$EmailMimePartType:EmailMimePartTypeAddInput$Artifact:ArtifactAddInput$StixFile:StixFileAddInput$X509Certificate:X509CertificateAddInput$IPv4Addr:IPv4AddrAddInput$IPv6Addr:IPv6AddrAddInput$MacAddr:MacAddrAddInput$Mutex:MutexAddInput$NetworkTraffic:NetworkTrafficAddInput$Process:ProcessAddInput$Software:SoftwareAddInput$Url:UrlAddInput$UserAccount:UserAccountAddInput$WindowsRegistryKey:WindowsRegistryKeyAddInput$WindowsRegistryValueType:WindowsRegistryValueTypeAddInput$CryptographicKey:CryptographicKeyAddInput$CryptocurrencyWallet:CryptocurrencyWalletAddInput$Hostname:HostnameAddInput$Text:TextAddInput$UserAgent:UserAgentAddInput$BankAccount:BankAccountAddInput$PhoneNumber:PhoneNumberAddInput$PaymentCard:PaymentCardAddInput$MediaContent:MediaContentAddInput){stixCyberObservableAdd(type:$type stix_id:$stix_id x_opencti_score:$x_opencti_score x_opencti_description:$x_opencti_description createIndicator:$createIndicator createdBy:$createdBy objectMarking:$objectMarking objectLabel:$objectLabel externalReferences:$externalReferences objectOrganization:$objectOrganization AutonomousSystem:$AutonomousSystem Directory:$Directory DomainName:$DomainName EmailAddr:$EmailAddr EmailMessage:$EmailMessage EmailMimePartType:$EmailMimePartType Artifact:$Artifact StixFile:$StixFile X509Certificate:$X509Certificate IPv4Addr:$IPv4Addr IPv6Addr:$IPv6Addr MacAddr:$MacAddr Mutex:$Mutex NetworkTraffic:$NetworkTraffic Process:$Process Software:$Software Url:$Url UserAccount:$UserAccount WindowsRegistryKey:$WindowsRegistryKey WindowsRegistryValueType:$WindowsRegistryValueType 
CryptographicKey:$CryptographicKey CryptocurrencyWallet:$CryptocurrencyWallet Hostname:$Hostname Text:$Text UserAgent:$UserAgent BankAccount:$BankAccount PhoneNumber:$PhoneNumber PaymentCard:$PaymentCard MediaContent:$MediaContent){id standard_id entity_type parent_types indicators{edges{node{id pattern pattern_type}}}}}","size":267,"time":2,"timestamp":"2023-09-09T10:23:26.644Z","type":"WRITE_ERROR","user":{"group_ids":["7ab351e3-15e5-4cf8-bc6e-8cea07c0c174","7b2aaa03-bef3-4e4b-84c4-a16e07359d5b","5336f103-3afc-4fa2-93b6-3786804b5b25"],"ip":"::ffff:172.18.0.6","organization_ids":[],"socket":"query","user_id":"bc867313-45a9-4ad6-b090-20e59293f2bd"},"variables":{"DomainName":{"value":"dhcp."},"createIndicator":false,"createdBy":null,"externalReferences":null,"objectLabel":null,"objectMarking":null,"objectOrganization":null,"stix_id":null,"type":"Domain-Name","update":true,"x_opencti_description":null,"x_opencti_score":null},"version":"5.10.1"}
Screenshots (optional)
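Whether the container log shows one rejected value being retried or many distinct bad domains can be checked by grouping the `WRITE_ERROR` entries by `variables.DomainName.value`. The script below is an added example, not part of the issue or of OpenCTI's code; the sample lines are constructed, trimmed versions of the entries above, and `loop_threshold` is a hypothetical cut-off.

```python
import json
from collections import defaultdict

REASON = "Observable of type Domain-Name is not correctly formatted."

def _sample_line(ts, value):
    # Constructed log line: same shape as the WRITE_ERROR entries in this issue, trimmed.
    event = {"category": "APP", "type": "WRITE_ERROR",
             "error": {"data": {"http_status": 400, "reason": REASON}},
             "variables": {"DomainName": {"value": value}, "type": "Domain-Name"}}
    return f"{ts} {json.dumps(event)}"

SAMPLE_LOG = [
    _sample_line("2023-09-09T10:23:26.645190279Z", "dhcp."),
    _sample_line("2023-09-09T10:27:33.760594046Z", "adsl."),
    _sample_line("2023-09-09T10:31:02.000000000Z", "adsl."),  # constructed repeat
    "2023-09-09T14:53:09.412782579Z (node:7) MaxListenersExceededWarning: "
    "Possible EventEmitter memory leak detected.",
]

def rejected_domains(lines):
    """Yield (timestamp, value) for every Domain-Name format rejection."""
    for line in lines:
        ts, _, payload = line.strip().partition(" ")
        try:
            event = json.loads(payload)
        except json.JSONDecodeError:
            continue  # plain-text lines such as the EventEmitter warning
        if not isinstance(event, dict) or event.get("type") != "WRITE_ERROR":
            continue
        data = (event.get("error") or {}).get("data") or {}
        variables = event.get("variables") or {}
        if data.get("reason") == REASON and variables.get("type") == "Domain-Name":
            yield ts, (variables.get("DomainName") or {}).get("value")

def summarize(lines, loop_threshold=2):
    """Group rejections by value; loop_threshold is a hypothetical cut-off."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ts, value in rejected_domains(lines):
        entry = stats[value]
        entry["count"] += 1
        # Docker's RFC 3339 timestamps sort correctly as strings.
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    return {v: {**e, "retried": e["count"] >= loop_threshold}
            for v, e in stats.items()}

if __name__ == "__main__":
    for value, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(value, entry)
```

A value whose count keeps rising between log exports indicates the same record being re-submitted; many values with a count of one indicate a bundle with many distinct rejected domains.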