certego / fw1-loggrabber

FW1-Loggrabber is a command-line tool to grab logfiles from remote Checkpoint devices using OPSEC LEA (Log Export API)
GNU General Public License v2.0

Possible memory leak #33

Closed Geek2France closed 7 years ago

Geek2France commented 7 years ago

Hi,

I launch fw1-loggrabber in a docker container to pull firewall flow logs. The container crashes after approximately 24 hours because the fw1-loggrabber process consumes all the available memory and the kernel kills it (OOM killer).

The virtual machine used to launch the docker container has 2 GB of RAM. I see the fw1-loggrabber process memory consumption grows linearly.

I also launch another docker container (in the same docker host) to pull firewall audit logs. This container doesn't crash. It consumes only 2 MB of RAM.

Should I have more memory available in my virtual machine? If yes, how much memory? If no, it seems to be a memory leak :(.

Can you help me please? Thanks. Gabriel MACHADO.
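A way to confirm the pattern described in this report (RSS growing linearly until the OOM killer fires) instead of waiting for the container to die. This is an added example, not part of fw1-loggrabber or this thread: it samples `VmRSS` from `/proc/<pid>/status` on Linux, fits a least-squares slope, and estimates how long the process has before it reaches a memory limit. The thresholds and the sample series are constructed for illustration.

```python
"""Detect leak-like memory growth of a long-running process from periodic RSS samples.

Added example, not fw1-loggrabber code. Assumes a Linux host with /proc mounted;
the constructed LEAKING/STABLE series below stand in for real samples so the
functions can be exercised offline.
"""
import re
import time
from typing import List, Optional, Tuple

Sample = Tuple[float, int]  # (timestamp in seconds, resident set size in kB)

VMRSS_RE = re.compile(r"^VmRSS:\s+(\d+)\s+kB", re.MULTILINE)


def parse_vmrss_kb(status_text: str) -> Optional[int]:
    """Extract VmRSS (kB) from the text of /proc/<pid>/status; None if absent."""
    m = VMRSS_RE.search(status_text)
    return int(m.group(1)) if m else None


def read_rss_kb(pid: int) -> Optional[int]:
    """Read the current RSS of a live process; None if the process is gone."""
    try:
        with open(f"/proc/{pid}/status", encoding="ascii") as fh:
            return parse_vmrss_kb(fh.read())
    except OSError:
        return None


def growth_slope_kb_per_s(samples: List[Sample]) -> float:
    """Least-squares slope of RSS (kB) against time (s). Needs >= 2 samples."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    mean_t = sum(t for t, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    num = sum((t - mean_t) * (r - mean_r) for t, r in samples)
    den = sum((t - mean_t) ** 2 for t, _ in samples)
    return num / den if den else 0.0


def looks_like_leak(samples: List[Sample],
                    min_slope_kb_per_s: float = 1.0,
                    min_growth_fraction: float = 0.2) -> bool:
    """Flag steady growth: positive slope above a floor AND the last sample
    clearly above the first, so a short warm-up bump is not mistaken for a leak."""
    slope = growth_slope_kb_per_s(samples)
    first, last = samples[0][1], samples[-1][1]
    return slope >= min_slope_kb_per_s and last >= first * (1 + min_growth_fraction)


def hours_until_limit(samples: List[Sample], limit_kb: int) -> Optional[float]:
    """Linear extrapolation of when RSS reaches limit_kb; None if not growing."""
    slope = growth_slope_kb_per_s(samples)
    if slope <= 0:
        return None
    return (limit_kb - samples[-1][1]) / slope / 3600.0


def monitor(pid: int, interval_s: float = 60.0, rounds: int = 30) -> List[Sample]:
    """Collect RSS samples from a live process (stops early if it exits)."""
    samples: List[Sample] = []
    for _ in range(rounds):
        rss = read_rss_kb(pid)
        if rss is None:
            break
        samples.append((time.time(), rss))
        time.sleep(interval_s)
    return samples


# Constructed series: one sample per minute over 24 minutes.
LEAKING: List[Sample] = [(i * 60.0, 2048 + i * 600) for i in range(25)]   # +600 kB/min
STABLE: List[Sample] = [(i * 60.0, 2048 + (i % 3) * 10) for i in range(25)]  # jitter only

if __name__ == "__main__":
    two_gb_kb = 2 * 1024 * 1024
    for name, series in (("leaking", LEAKING), ("stable", STABLE)):
        print(name, "slope kB/s =", round(growth_slope_kb_per_s(series), 3),
              "leak?", looks_like_leak(series),
              "hours to 2 GB:", hours_until_limit(series, two_gb_kb))
```

Run it against a real process with `monitor(pid)` and feed the result to `looks_like_leak`; the extrapolation is only meaningful once the slope has been stable over a window much longer than the sampling interval.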

adepasquale commented 7 years ago

Could you please share the content of your fw1-loggrabber.conf configuration file?

Geek2France commented 7 years ago

You can see below the configuration files for each container:

cat fw1-loggrabber_flow.conf

DEBUG_LEVEL=0
FW1_OUTPUT=logs
FW1_TYPE=ng
FW1_MODE=normal
ONLINE_MODE=yes
RESOLVE_MODE=no
LOGGING_CONFIGURATION=file
OUTPUT_FILE_PREFIX=fw1-loggrabber_flow
OUTPUT_FILE_ROTATESIZE=1073741824

cat fw1-loggrabber_audit.conf

DEBUG_LEVEL=0
FW1_OUTPUT=logs
FW1_TYPE=ng
FW1_MODE=audit
ONLINE_MODE=yes
RESOLVE_MODE=no
LOGGING_CONFIGURATION=file
OUTPUT_FILE_PREFIX=fw1-loggrabber_audit
OUTPUT_FILE_ROTATESIZE=1073741824

adepasquale commented 7 years ago

We've had mixed feedback about the internal file rotation feature. You have currently set ~1GB as the maximum size of the output file before it is rotated.

Could you please try disabling the rotation as shown here? You must then use logrotate or equivalent to handle the rotation.

https://github.com/certego/fw1-loggrabber/blob/master/fw1-loggrabber.conf#L40-L42

Geek2France commented 7 years ago

Thank you for your help.

I disabled the file size rotation. The rotation is now handled by logrotate. It rotates the file when it reaches a size greater than 10 MB. In fact, the file is rotated when the file size is between 12 MB and 17 MB.

Unfortunately the memory usage is still growing.

adepasquale commented 7 years ago

Thanks. A question before we do further checks: are you using latest commit ab8e506 from master or are you using release v2.1?

Geek2France commented 7 years ago

I use the latest commit ab8e5064a125de8eb3c04e588ce87a0f006cf888

adepasquale commented 7 years ago

Could you please try if the above fix works for you?

Geek2France commented 7 years ago

Good work.

The process now consumes less than 3 MB of memory. I will re-enable the file size rotation. I'll close the issue if there are no more problems.

Thank you very much.

adepasquale commented 7 years ago

Ok thanks for reporting!

Geek2France commented 7 years ago

The issue about the memory leak can be closed. It also works with the file size rotation.

I have just one question. What happens if I stop the process for a period of time? When I restart it, will I receive the missing logs or only the logs produced from that moment on?

adepasquale commented 7 years ago

Thanks, I am closing the issue.

Please note this is not Check Point customer support so my answer might be inaccurate/incorrect. To my understanding, if you stop pulling logs they are simply kept in a queue; when you restart pulling them again, you should be able to read them all from the queue (cf. ONLINE_MODE).