cleesmith / unifiedbeat

Unifiedbeat reads records from Unified2 binary files generated by network intrusion detection software and indexes the records in Elasticsearch.
MIT License
30 stars 14 forks

FreeBSD - unifiedbeat v2 - Registrar file not updated #4

Closed talsion closed 8 years ago

talsion commented 8 years ago

Dear cleesmith,

First thank you for your amazing work on this dedicated beat.

I have successfully built it on FreeBSD and it works like a charm except for one thing: the registrar file (.unifiedbeat) is almost never updated and sometimes even overwritten with default value '{}' when exiting.

When I analyze the logs produced by unifiedbeat I do not see the "Stop: updated registry file.", nor do I see a "Stop: failed to update registry file" entry.

But I do see the "Stop: waiting for spooling and publishing to shutdown." message followed by the "U2SpoolAndPublish: told to quit; graceful return." entry.

Any idea why this is happening?

cleesmith commented 8 years ago

No idea, as I can not reproduce this. Did you build with Go 1.5.3? Are all of your files with the given unified2_prefix: really unified2 files? They can't be pcap files.

How are you terminating the process? ... kill pid or kill -9 pid? Does it actually terminate?

The code depends on libbeat calling the Stop func and go-unified2 updating the filename/offset. The only time I've seen an empty .unifiedbeat file is when I deleted the unified2 file being tailed, which isn't a normal thing to do. Also, the intended usage was that this executes in lock-step with snort/suricata in order to have near real-time alerts ... otherwise it falls behind and it can take a long time to catch up with sensor logs. The final logged lines should be:

2016-02-18T08:35:03-05:00 INFO Stop: waiting for spooling and publishing to shutdown.
2016-02-18T08:35:03-05:00 INFO U2SpoolAndPublish: told to quit; graceful return.
2016-02-18T08:35:03-05:00 INFO Stop: updated registry file.
2016-02-18T08:35:03-05:00 INFO Cleaning up Unifiedbeat before shutting down.
2016-02-18T08:35:03-05:00 INFO Cleanup: is spooling and publishing running? 'false'
2016-02-18T08:35:03-05:00 INFO Cleanup: closed GeoIp2Reader.
2016-02-18T08:35:03-05:00 INFO Exit beat completed

Can you share a /var/log/unifiedbeat/unifiedbeat file?

talsion commented 8 years ago

The last version of Go in the FreeBSD 10.2 packages is the 1.5.1 version.

For my tests I only have one snort file and it is a valid unified2 file.

I tried to terminate the process with CTRL+C and multiple signals (HUP, INT, QUIT, ABRT, TERM) all with the same results except for a few random cases where the .unifiedbeat file is properly updated. After these tests I only killed it using "kill pid" or ctrl+c.

I do not touch the monitored unified file so it can not be the issue.

I agree with the intended usage, but if I restart the snort host I do not want to have duplicate alerts as it will reprocess the whole log file.

You can find attached the log file for the last execution: unifiedbeat.txt

Currently I only generate few snort event and I configured unifiedbeat to output them on the console for test purposes only.

Thanks for your answer and your time.

cleesmith commented 8 years ago

While I still can not reproduce your issue, I did change the code to not rely on a channel to write the registry file. You may want to try the latest changes, and let me know if that works. I don't think compiling with Go 1.5.1 would be an issue, but I'm not sure. Forgot to ask before, but can you share your unifiedbeat.yml file?

talsion commented 8 years ago

I just compiled unifiedbeat based on your latest changes and it solved the issue.

The .unifiedbeat file is properly updated even when I start unifiedbeat as a service.

As a result, the process does not exit as fast as before but the modifications are done as expected.

Thank you for your time and for this project.

cleesmith commented 8 years ago

Yes, without using a quit channel it has to set a boolean then it waits 5 seconds to be sure. The channel technique is preferred, but if it doesn't work then this will have to do. Thanks for the feedback and testing. I hope it is useful for you.
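The thread turns on two details: the registry file (filename plus byte offset) must be written on shutdown so a restart does not re-index the whole unified2 file and produce duplicate alerts, and a quit channel that the spooling goroutine never observes leaves that file stale or empty. The Go program below is an added illustration, not unifiedbeat's or go-unified2's code; it models the "spool and publish" loop, a Stop that signals the goroutine, waits a bounded time for it to confirm (the "wait to be sure" fallback from the comment above) and then writes the registry from Stop itself, and an atomic temp-file-plus-rename write so an interrupted exit cannot leave a truncated `{}`. The registry field names, file name and record lengths are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// Registry is the state a tailer must persist so a restart resumes where it
// left off instead of re-indexing (and re-alerting on) the whole file.
// Field names are an assumption for this example, not unifiedbeat's format.
type Registry struct {
	Source string `json:"source"` // unified2 file currently being tailed
	Offset int64  `json:"offset"` // byte offset just past the last record processed
}

// Spooler stands in for the spool-and-publish goroutine.
type Spooler struct {
	mu   sync.Mutex
	reg  Registry
	quit chan struct{} // closed by Stop to request shutdown
	done chan struct{} // closed by Run once the goroutine has really returned
	once sync.Once     // makes Stop safe to call more than once
}

func NewSpooler(source string) *Spooler {
	return &Spooler{reg: Registry{Source: source},
		quit: make(chan struct{}), done: make(chan struct{})}
}

// Run consumes record lengths (standing in for unified2 records read from
// the file) and advances the offset until quit or the input is closed.
func (s *Spooler) Run(recordSizes <-chan int64) {
	defer close(s.done)
	for {
		select {
		case <-s.quit:
			return
		case n, ok := <-recordSizes:
			if !ok {
				return
			}
			s.mu.Lock()
			s.reg.Offset += n
			s.mu.Unlock()
		}
	}
}

// Snapshot returns a copy of the current registry state.
func (s *Spooler) Snapshot() Registry {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.reg
}

// Stop asks the goroutine to quit, waits for confirmation bounded by timeout,
// then writes the registry itself. Because the write happens here rather than
// inside the goroutine, the file is updated even if the quit signal is missed.
func (s *Spooler) Stop(path string, timeout time.Duration) error {
	s.once.Do(func() { close(s.quit) })
	select {
	case <-s.done:
	case <-time.After(timeout):
	}
	return WriteRegistry(path, s.Snapshot())
}

// WriteRegistry writes to a temp file and renames it into place, so an
// interrupted write leaves the previous registry intact, never an empty one.
func WriteRegistry(path string, reg Registry) error {
	data, err := json.Marshal(reg)
	if err != nil {
		return err
	}
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

// ReadRegistry loads the saved state; a missing file means "start from zero".
func ReadRegistry(path string) (Registry, error) {
	var reg Registry
	data, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return reg, nil
	}
	if err != nil {
		return reg, err
	}
	return reg, json.Unmarshal(data, &reg)
}

func main() {
	dir, err := os.MkdirTemp("", "registry-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, ".unifiedbeat")
	s := NewSpooler("snort.u2.1455800000") // constructed file name
	sizes := make(chan int64)
	go s.Run(sizes)
	for _, n := range []int64{100, 250, 50} { // constructed record lengths
		sizes <- n
	}
	if err := s.Stop(path, 5*time.Second); err != nil {
		panic(err)
	}
	reg, err := ReadRegistry(path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("resume from %s at offset %d\n", reg.Source, reg.Offset)
}
```

The `done` channel is what distinguishes this from "set a boolean and sleep": Stop returns as soon as the goroutine confirms it has exited, and only falls back to the full timeout when that confirmation never arrives. Checking the offset logged at startup against the registry written at the previous shutdown is a cheap way to confirm on a FreeBSD host that a restart will not replay old events into Elasticsearch.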