bytedance / Elkeid

Elkeid is an open source solution that can meet the security requirements of various workloads such as hosts, containers and K8s, and serverless. It is derived from ByteDance's internal best practices.
https://elkeid.bytedance.com

scanner fails to start after upgrade #342

Closed ppd520 closed 1 year ago

ppd520 commented 1 year ago

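Describe the bug After the scanner plugin was upgraded, the scanner plugin failed to start; and after reinstalling the agent, the scanner plugin still did not start, and the agent still looks for the plugin whose upgrade failed.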

To Reproduce Steps to reproduce the behavior:

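  1. [Task Management] -> [Component List] -> [New Component]: add a scanner component of the plugin-archive type.
  2. [Asset Center] -> [Host List] -> pick any machine, [Plugin Management] -> upgrade scanner.
  3. [Task List] -> run the upgrade task just created.
  4. The task executes successfully, but the scanner plugin fails to start. Error: when load plugin scanner:3.1.9.1, an error occurred: fork/exec /etc/elkeid/plugin/scanner. Checking the scanner file with the file command shows it is gzip data.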

Expected behavior After the upgrade task executes successfully, the scanner plugin starts normally and is the upgraded version.


OS information (please complete the following information):

kulukami commented 1 year ago

@ppd520 Please provide the full context, including but not limited to:

ppd520 commented 1 year ago

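@ppd520 Please provide the full context, including but not limited to:

  • The version (branch) of the backend ac / manager
  • The complete configuration data that ac sends to the agent
  • The complete agent log with context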

This version, installed with Elkeidup: https://github.com/bytedance/Elkeid/releases/tag/v1.7.3

Configuration sent to the agent:

{
  "id_list": [
    "db8aec2c-367b-5e39-9036-a4e5db5a3173"
  ],
  "data": {
    "config": [
      {
        "name": "scanner",
        "version": "3.1.9.1",
        "download_url": [
          "http://10.128.200.18:8080/agent/plugin/scanner/scanner-3.1.9.1.tar.gz"
        ],
        "type": "tar.gz",
        "sha256": "528ddd83cdcdcba90d11efa4a34279f2593b7489a8e71143ef11abf6a513fb9e",
        "signature": "4114058a2c2c8dbf40a04360dcc1a3de8b229a420e23c5ea3d4d3c2f005c6047",
        "detail": ""
      },
      {
        "name": "collector",
        "version": "1.0.0.81",
        "sha256": "2e3225f66bb267411cc82b13c982656fdabde10e3d55161f0a6d999594fc0d16",
        "download_url": [
          "http://10.128.200.3:8080/agent/plugin/collector/collector-linux-amd64-1.0.0.81.plg"
        ]
      },
      {
        "name": "driver",
        "version": "1.7.0.6",
        "sha256": "0b0380b1fa0a240ee4fd637b421281c87f19714ab81498cbd1d7a1383f5537d7",
        "download_url": [
          "http://10.128.200.3:8080/agent/plugin/driver/driver-linux-amd64-1.7.0.6.plg"
        ]
      },
      {
        "name": "journal_watcher",
        "version": "1.0.0.10",
        "sha256": "982d575e604f2118622faa50099759d5c3b021ec549f0440f5703e4a8968709d",
        "download_url": [
          "http://10.128.200.3:8080/agent/plugin/journal_watcher/journal_watcher-linux-amd64-1.0.0.10.plg"
        ]
      }
    ]
  }
}

Agent log:

2022-11-10T07:59:49.985Z INFO plugin/plugin.go:197 syncing plugins...
2022-11-10T07:59:49.985Z INFO plugin/plugin_linux.go:61 plugin is loading... {"plugin": "scanner", "pver": "3.1.9.1", "psign": "528ddd83cdcdcba90d11efa4a34279f2593b7489a8e71143ef11abf6a513fb9e"}
2022-11-10T07:59:50.953Z INFO plugin/plugin_linux.go:100 plugin's process will start {"plugin": "scanner", "pver": "3.1.9.1", "psign": "528ddd83cdcdcba90d11efa4a34279f2593b7489a8e71143ef11abf6a513fb9e"}
2022-11-10T07:59:50.956Z ERROR plugin/plugin.go:207 when load plugin scanner:3.1.9.1, an error occurred: fork/exec /etc/elkeid/plugin/scanner/scanner: exec format error
2022-11-10T07:59:50.956Z INFO plugin/plugin_linux.go:61 plugin is loading... {"plugin": "driver", "pver": "1.7.0.6", "psign": "0b0380b1fa0a240ee4fd637b421281c87f19714ab81498cbd1d7a1383f5537d7"}
2022-11-10T07:59:51.053Z INFO plugin/plugin_linux.go:100 plugin's process will start {"plugin": "driver", "pver": "1.7.0.6", "psign": "0b0380b1fa0a240ee4fd637b421281c87f19714ab81498cbd1d7a1383f5537d7"}
2022-11-10T07:59:51.054Z INFO plugin/plugin.go:209 plugin has been loaded {"plugin": "driver", "pver": "1.7.0.6", "psign": "0b0380b1fa0a240ee4fd637b421281c87f19714ab81498cbd1d7a1383f5537d7"}
2022-11-10T07:59:51.054Z INFO plugin/plugin.go:225 sync done
2022-11-10T07:59:51.058Z INFO plugin/plugin_linux.go:151 gorountine of receiving plugin's data will exit {"plugin": "driver", "pver": "1.7.0.6", "psign": "0b0380b1fa0a240ee4fd637b421281c87f19714ab81498cbd1d7a1383f5537d7"}
2022-11-10T07:59:51.058Z INFO plugin/plugin_linux.go:130 plugin has exited with code 0 {"plugin": "driver", "pver": "1.7.0.6", "psign": "0b0380b1fa0a240ee4fd637b421281c87f19714ab81498cbd1d7a1383f5537d7"}

kulukami commented 1 year ago

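1.7.3 may not be adapted to the tar.gz plugins of 1.9.1. My guess is that the task struct received by the agent has no type=tar.gz field. You can try the following to confirm:

  1. Add a log statement to the agent to print the task it receives. https://github.com/bytedance/Elkeid/blob/v1.7.3/agent/plugin/plugin_linux.go#L43
  2. Check the data for the corresponding agent_id in the agent_heartbeat table in mongodb, and whether the config is consistent (whether the type field is missing).

I also suggest waiting for the official 1.9.1 release and upgrading together with the backend.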
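
The failure discussed in this thread (a gzip archive written to the plugin path and handed to exec) can be caught before launch by checking the payload's digest and magic bytes against the task's declared type. The following is an added example, not Elkeid's own code: `PluginTask`, `Digest` and `CheckPayload` are hypothetical names, the sample payload is constructed, and it assumes plugins delivered without a type are plain ELF executables.

```go
// Added example, not Elkeid source: decide what to do with a downloaded plugin.
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// PluginTask is a hypothetical struct holding the config fields shown in the issue.
type PluginTask struct {
	Name, Type, SHA256 string // Type is "tar.gz" for archives, "" if the field was dropped
}

// Digest returns the lowercase hex SHA-256 of payload.
func Digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// CheckPayload verifies the digest, then compares the payload's magic bytes
// with the declared type so a gzip archive is never handed to exec.
func CheckPayload(t PluginTask, payload []byte) string {
	if !strings.EqualFold(Digest(payload), t.SHA256) {
		return "reject: sha256 mismatch"
	}
	isGzip := bytes.HasPrefix(payload, []byte{0x1f, 0x8b})
	isELF := bytes.HasPrefix(payload, []byte("\x7fELF"))
	switch {
	case isGzip && t.Type == "tar.gz":
		return "unpack"
	case isGzip:
		return "reject: gzip data but type is not tar.gz"
	case isELF && t.Type == "": // assumption: untyped plugins are plain ELF files
		return "exec"
	default:
		return "reject: content does not match declared type"
	}
}

func main() {
	gz := []byte{0x1f, 0x8b, 0x08, 0x00} // constructed gzip header, not the real plugin
	withType := PluginTask{Name: "scanner", Type: "tar.gz", SHA256: Digest(gz)}
	noType := PluginTask{Name: "scanner", SHA256: Digest(gz)} // type lost in transit
	fmt.Println(CheckPayload(withType, gz)) // unpack
	fmt.Println(CheckPayload(noType, gz))   // reject: gzip data but type is not tar.gz
}
```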