SUSE / linux-security-sensor

Linux security sensor

Client output (syslog) too verbose #65

Open Werkov opened 1 year ago

Werkov commented 1 year ago

Environment

```
$ rpm -q velociraptor-client
velociraptor-client-0.6.7.4~git63.4a1ed09d-lp153.16.1.x86_64
$ uname -r
5.14.21-150400.24.38-default
```

Steps to reproduce

Actual behavior

A single invocation of `make olddefconfig` produces ~800 log messages. Mainly pairs of:

```
Jun 20 13:41:46 host velociraptor[139992]: [INFO] 2023-06-20T13:41:46+02:00 File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":3200,\"MaxSize\":1073741874,\"AvailableBytes\":3030,\"LeasedBytes\":0}","leased_pointer":50}
Jun 20 13:41:46 host velociraptor[139992]: [INFO] 2023-06-20T13:41:46+02:00 read_file: /proc/76624/cmdline: lstat /proc/76624: no such file or directory
```

Expected behavior

Messages that may occur in great amount during short time ("amplifiers") backed by no malicious activity should not pollute the global syslog (e.g. log with lower level (or handle the underlying cause here)).
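The "amplifier" notion in the report can be made measurable: group the client's syslog lines by message template (PIDs, pointers and JSON payloads collapsed) and report the templates whose per-second rate spikes, while never classifying connectivity messages as noise. The script below is an added example written for this issue, not code from linux-security-sensor or Velociraptor. The sample log lines are constructed to mirror the two message shapes quoted above, the 50 messages/second threshold is an arbitrary choice, and the `KEEP_RE` patterns for connection failure/disconnect/reconnect messages are an assumption, not the client's actual wording.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# One syslog line as quoted in the issue: syslog prefix with PID, then the
# client's own "[LEVEL] <ISO timestamp> <message>" payload.
SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[]+)\[(?P<pid>\d+)\]: \[(?P<level>[A-Z]+)\] "
    r"(?P<iso>\S+) (?P<msg>.*)$"
)

# Connectivity messages must never be demoted as noise. These patterns are an
# assumption for the example; the real client's wording may differ.
KEEP_RE = re.compile(r"connect|disconnect|reconnect|connection", re.IGNORECASE)


def template(msg: str) -> str:
    """Collapse the variable parts of a message so repeats group together."""
    msg = re.sub(r"\{.*\}", "{...}", msg)  # JSON payload (ring buffer header)
    msg = re.sub(r"\d+", "N", msg)         # PIDs, pointers, byte counts
    return msg


def parse(line: str):
    """Return (unix_second, level, message) or None for a non-matching line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["iso"])  # handles the +02:00 offset
    return int(ts.timestamp()), m["level"], m["msg"]


def find_amplifiers(lines, per_second_threshold=50):
    """Map template -> peak messages/second for templates that exceed the
    threshold within some one-second bucket and are not connectivity messages."""
    buckets = defaultdict(Counter)  # template -> Counter(second -> count)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        second, _level, msg = parsed
        buckets[template(msg)][second] += 1
    result = {}
    for tmpl, per_second in buckets.items():
        peak = max(per_second.values())
        if peak >= per_second_threshold and not KEEP_RE.search(tmpl):
            result[tmpl] = peak
    return result


def constructed_sample():
    """Constructed sample, not real client output: 400 ring-buffer/read_file
    pairs spread over two seconds plus two connectivity messages that must
    survive any filtering."""
    prefix = ("Jun 20 13:41:{s:02d} host velociraptor[139992]: [INFO] "
              "2023-06-20T13:41:{s:02d}+02:00 ")
    lines = []
    for i in range(400):
        s = 46 + i // 200
        lines.append(prefix.format(s=s) +
                     'File Ring Buffer: Enqueue {"header":"{\\"ReadPointer\\":%d,'
                     '\\"WritePointer\\":3200}","leased_pointer":%d}' % (50 + i, 50 + i))
        lines.append(prefix.format(s=s) +
                     "read_file: /proc/%d/cmdline: lstat /proc/%d: no such file or directory"
                     % (76624 + i, 76624 + i))
    # Constructed connectivity messages (wording is an assumption).
    lines.append(prefix.format(s=48) + "connection to server lost, reconnecting")
    lines.append(prefix.format(s=49) + "Connected to https://velociraptor.example.org:8000/")
    return lines


if __name__ == "__main__":
    # Run against journald output instead with:
    #   journalctl -u velociraptor-client --no-pager -o short | python3 amplifiers.py
    import sys
    src = constructed_sample() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for tmpl, peak in sorted(find_amplifiers(src).items(), key=lambda kv: -kv[1]):
        print(f"{peak:6d}/s  {tmpl}")
```

On the constructed sample both templates from the report peak at 200 messages/second and the two connectivity lines are left alone; on a real host the same grouping shows which templates are worth demoting to a lower level (or fixing at the source, as with the `lstat` race on short-lived `/proc/<pid>` entries) without touching the messages that say the client has lost its server.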

djoreilly commented 9 months ago

You are seeing INFO level logs because the client is started with verbose logging enabled (`-v`): https://build.opensuse.org/package/view_file/security:sensor/velociraptor/sysconfig.velociraptor-client?expand=1

Werkov commented 9 months ago

Thanks for the pointer.

Shouldn't the increased verbosity be an opt-in (for hosts where debugging is needed) instead of opt-out?

djoreilly commented 9 months ago

@jeffmahoney what do you think?

jeffmahoney commented 9 months ago

I think we need to adjust the priority of messages that indicate connection failure/disconnect/reconnect before we back off the verbosity. Otherwise it's unreported that the client isn't actually doing anything.