biggiesmallsAG / nightHawkResponse

Incident Response Forensic Framework

ERROR - Failed to get Computer Name from Audits #14

Open schrodyn opened 7 years ago

schrodyn commented 7 years ago

Hi,

I created a zip file of all the Redline files in "AuditDirectory/Audits/Hostname/" and uploaded it to NightHawk. After it's uploaded I see nothing.

Looking at /opt/nighthawk/var/log/nighthawk-uwsgi.log I see:

```text
2016-08-20 16:15:44.468361821 +0000 UTC - nightHawkTriage - ERROR - Failed to get Computer Name from Audits
```

Before this I see logs like these:

```text
2016-08-20T16:15:44Z - nightHawk - DEBUG - Checking if /opt/nighthawk/var/workspace/9kO6KHfT/w32services is Redline Directory
```

I see this a bunch of times for each file that was in the zip.

roshanmaskey commented 7 years ago

Hi Schrodyn,

Based on the error logs, it failed to get the computer number. The parser relies on the manifest.json file and the w32system audit file to extract the computer name.

Can you confirm the zip archive has the manifest file and w32system? Could you list the files in your zip file?

If you have not collected w32system or the manifest file is missing, you can upload to the system using the command line by manually specifying the computer name.

```text
/opt/nighthawk/bin/nightHawk -v -N casename -C computername -f path_to_audit_file
```

schrodyn commented 7 years ago

Hey,

Thanks for getting back to me. I have a manifest.json for each audit, is there a particular one I need to add? I tried to include, in the Zip I uploaded, the manifest.json from the w32system audit - and I do also have the w32system audit in the Zip package which includes the tag with the endpoint's hostname. It still gave the same error.

```text
Failed to get Computer Name from Audits
```

Adding an audit from the cli works fine, thanks for the tip. It barfed when I attempted to add the registry audit due to the size, the VM only has 4GB of memory as I'm just testing NightHawk out on my laptop.

FYI:

```text
[root@nighthawk 2016082100]# nightHawk -v -N CASE00 -C MYHOSTNAME -f w32registryraw_fd59b182-49ba-4bd2-b911-a821f0fea7ec
2016-08-21T07:16:16Z - nightHawk - INFO - Processing single audit file from MYHOSTNAME
fatal error: runtime: out of memory

runtime stack:
runtime.throw(0x8a84f0, 0x16)
	/usr/local/go/src/runtime/panic.go:547 +0x90
runtime.sysMap(0xc989f00000, 0x100000, 0x7fdf19c77c00, 0xa7f598)
	/usr/local/go/src/runtime/mem_linux.go:206 +0x9b
runtime.(*mheap).sysAlloc(0xa65b20, 0x100000, 0x0)
	/usr/local/go/src/runtime/malloc.go:429 +0x191
runtime.(*mheap).grow(0xa65b20, 0x8, 0x0)
	/usr/local/go/src/runtime/mheap.go:651 +0x63
runtime.(*mheap).allocSpanLocked(0xa65b20, 0x1, 0x7fdf10e36390)
	/usr/local/go/src/runtime/mheap.go:553 +0x4f6
runtime.(*mheap).alloc_m(0xa65b20, 0x1, 0x3, 0x7fdf10e36390)
	/usr/local/go/src/runtime/mheap.go:437 +0x119
runtime.(*mheap).alloc.func1()
	/usr/local/go/src/runtime/mheap.go:502 +0x41
runtime.systemstack(0x7fdf19c77d60)
	/usr/local/go/src/runtime/asm_amd64.s:307 +0xab
runtime.(*mheap).alloc(0xa65b20, 0x1, 0x10000000003, 0x414774)
	/usr/local/go/src/runtime/mheap.go:503 +0x63
runtime.(*mcentral).grow(0xa66f40, 0x0)
	/usr/local/go/src/runtime/mcentral.go:209 +0x93
runtime.(*mcentral).cacheSpan(0xa66f40, 0x7fdf10e36390)
	/usr/local/go/src/runtime/mcentral.go:89 +0x47d
runtime.(*mcache).refill(0x7fdf1ac2e4b0, 0x3, 0x7fdf10e36390)
	/usr/local/go/src/runtime/mcache.go:119 +0xcc
runtime.mallocgc.func2()
	/usr/local/go/src/runtime/malloc.go:642 +0x2b
runtime.systemstack(0xc820017500)
	/usr/local/go/src/runtime/asm_amd64.s:291 +0x79
runtime.mstart()
	/usr/local/go/src/runtime/proc.go:1051

goroutine 1 [running]:
runtime.systemstack_switch()
	/usr/local/go/src/runtime/asm_amd64.s:245 fp=0xc82009a5e0 sp=0xc82009a5d8
runtime.mallocgc(0x20, 0x7be0e0, 0x0, 0x0)
	/usr/local/go/src/runtime/malloc.go:643 +0x869 fp=0xc82009a6b8 sp=0xc82009a5e0
runtime.newobject(0x7be0e0, 0xc8928f1290)
	/usr/local/go/src/runtime/malloc.go:781 +0x42 fp=0xc82009a6e0 sp=0xc82009a6b8
runtime.convT2E(0x7be0e0, 0xc82009ac08, 0x0, 0x0, 0x0)
	/usr/local/go/src/runtime/iface.go:140 +0x97 fp=0xc82009a708 sp=0xc82009a6e0
encoding/xml.(*Decoder).rawToken(0xc8200889a0, 0x0, 0x0, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/xml.go:528 +0x2ad fp=0xc82009ad98 sp=0xc82009a708
encoding/xml.(*Decoder).Token(0xc8200889a0, 0x0, 0x0, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/xml.go:248 +0xe7f fp=0xc82009b060 sp=0xc82009ad98
encoding/xml.(*Decoder).unmarshal(0xc8200889a0, 0x738200, 0xc95a2c6cc0, 0x198, 0xc989efedc0, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/read.go:471 +0xe4d fp=0xc82009b8c8 sp=0xc82009b060
encoding/xml.(*Decoder).unmarshalPath(0xc8200889a0, 0xc89293dc60, 0x82f260, 0xc95a2c6ca0, 0x199, 0x0, 0x0, 0x0, 0xc989efedc0, 0x1, ...)
	/usr/local/go/src/encoding/xml/read.go:627 +0x3b6 fp=0xc82009ba30 sp=0xc82009b8c8
encoding/xml.(*Decoder).unmarshal(0xc8200889a0, 0x82f260, 0xc95a2c6ca0, 0x199, 0xc989efe980, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/read.go:479 +0x20a7 fp=0xc82009c298 sp=0xc82009ba30
encoding/xml.(*Decoder).unmarshal(0xc8200889a0, 0x727e60, 0xc82000a2e0, 0x197, 0xc989efe980, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/read.go:374 +0x2777 fp=0xc82009cb00 sp=0xc82009c298
encoding/xml.(*Decoder).unmarshalPath(0xc8200889a0, 0xc89293dba0, 0x7fcc20, 0xc82000a280, 0x199, 0x0, 0x0, 0x0, 0xc989efe980, 0x1, ...)
	/usr/local/go/src/encoding/xml/read.go:627 +0x3b6 fp=0xc82009cc68 sp=0xc82009cb00
encoding/xml.(*Decoder).unmarshal(0xc8200889a0, 0x7fcc20, 0xc82000a280, 0x199, 0xc89293fa80, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/read.go:479 +0x20a7 fp=0xc82009d4d0 sp=0xc82009cc68
encoding/xml.(*Decoder).DecodeElement(0xc8200889a0, 0x7124a0, 0xc820026058, 0x0, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/read.go:133 +0x1c3 fp=0xc82009d580 sp=0xc82009d4d0
encoding/xml.(*Decoder).Decode(0xc8200889a0, 0x7124a0, 0xc820026058, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/read.go:121 +0x4a fp=0xc82009d5b8 sp=0xc82009d580
encoding/xml.Unmarshal(0xc8a0116000, 0x50b8e791, 0x7ffffe00, 0x7124a0, 0xc820026058, 0x0, 0x0)
	/usr/local/go/src/encoding/xml/read.go:115 +0x270 fp=0xc82009d750 sp=0xc82009d5b8
nightHawk.(*RlRegistryRaw).ParseAuditData(0xc82000a280, 0x7fff66742710, 0x7, 0x7fff66742708, 0x4, 0xc8200e4920, 0x14, 0x0, 0x0, 0xc82000e650, ...)
	/usr/local/src/nighthawkresponse/nighthawk_go/src/nightHawk/module.go:229 +0x18f fp=0xc82009d818 sp=0xc82009d750
nightHawk.LoadAuditData(0x1, 0x7fff66742710, 0x7, 0x7fff66742708, 0x4, 0xc8200e4920, 0x14, 0x0, 0x0, 0x7fff6674271b, ...)
	/usr/local/src/nighthawkresponse/nighthawk_go/src/nightHawk/audit.go:182 +0x39f1 fp=0xc8200a3a68 sp=0xc82009d818
main.LoadSingleAuditFile(0x7fff66742708, 0x4, 0xc8200e4920, 0x14, 0x0, 0x0, 0x7fff66742710, 0x7, 0x7fff6674271b, 0x33, ...)
	/usr/local/src/nighthawkresponse/nighthawk_go/nightHawk.go:149 +0x1cd fp=0xc8200a3e00 sp=0xc8200a3a68
main.main()
	/usr/local/src/nighthawkresponse/nighthawk_go/nightHawk.go:110 +0x73d fp=0xc8200a3f20 sp=0xc8200a3e00
runtime.main()
	/usr/local/go/src/runtime/proc.go:188 +0x2b0 fp=0xc8200a3f70 sp=0xc8200a3f20
runtime.goexit()
	/usr/local/go/src/runtime/asm_amd64.s:1998 +0x1 fp=0xc8200a3f78 sp=0xc8200a3f70

goroutine 17 [syscall, 2 minutes, locked to thread]:
runtime.goexit()
	/usr/local/go/src/runtime/asm_amd64.s:1998 +0x1
```

roshanmaskey commented 7 years ago

Hi Mate,

You have encountered the issue because of the way the code handles file processing. It attempts to load the entire file content (which was lazy coding), and with a large file you got a memory exception.

For current release there is no fix. I will add the fix in version 1.0.4.

schrodyn commented 7 years ago

Hey,

That's grand, I can wait for the fix in v1.0.4.

Any idea what's wrong with the import and the missing machine name? Loading from the CLI doesn't bother me but it would be nice to upload the zip through the webUI.

Cheers.

roshanmaskey commented 7 years ago

Hi schrodyn, you can now upload MIR audits using the Web UI (version 1.0.3). The only requirement is that the MIR audit should contain system information.

In regards to the out-of-memory issue, you can temporarily fix it by giving more RAM to the VM.