mandiant / macos-UnifiedLogs

Apache License 2.0

Failed to parse log message for `getaddrinfo options: 0` #7

Closed fukusuket closed 1 year ago

fukusuket commented 1 year ago

Describe the issue

Failed to parse log message for `getaddrinfo options: 0` as follows.

Steps to Reproduce

  1. git clone https://github.com/mandiant/macos-UnifiedLogs.git (c857f6fcde71afc150a7bf73c47d122ebcb29b46)
  2. cd examples/unifiedlog_parser
  3. cargo build --release
  4. ../target/release/unifiedlog_parser -l true -o out.csv

Expected behavior

No warnings.

Actual behavior

The following warning is printed:

10:58:54 [WARN] [macos-unifiedlogs] Unknown getaddrinfo options: 0
10:58:54 [WARN] [macos-unifiedlogs] Unknown getaddrinfo options: 0
10:58:54 [WARN] [macos-unifiedlogs] Unknown getaddrinfo options: 0
10:58:54 [WARN] [macos-unifiedlogs] Unknown getaddrinfo options: 0
...

Environment

Additional context

When I checked with the built-in `log` command, I was able to confirm the following log message.

fukusuke@fukusukenoAir ~ %  log show --predicate 'eventMessage CONTAINS "getaddrinfo" and eventMessage CONTAINS "options: 0x0 "'
Filtering the log data using "composedMessage CONTAINS "getaddrinfo" AND composedMessage CONTAINS "options: 0x0 ""
Skipping info and debug messages, pass --info and/or --debug to include.
Timestamp                       Thread     Type        Activity             PID    TTL
2023-05-30 09:35:10.694055+0900 0x24890    Default     0x0                  499    0    mDNSResponder: [com.apple.mdns:dnssd_server] [R3114] getaddrinfo start -- flags: 0xC808D000, ifindex: 0, protocols: 0, hostname: <mask.hash: '9gRtAPDFjP3TqhKR60S6Lw=='>, options: 0x0 {}, client pid: 7585 (com.apple.Safar)

--style json

{
  "traceID": 4711746661122052,
  "eventMessage": "[R3114] getaddrinfo start -- flags: 0xC808D000, ifindex: 0, protocols: 0, hostname: <mask.hash: '9gRtAPDFjP3TqhKR60S6Lw=='>, options: 0x0 {}, client pid: 7585 (com.apple.Safar)",
  "eventType": "logEvent",
  "source": null,
  "formatString": "[R%u] getaddrinfo start -- flags: 0x%X, ifindex: %d, protocols: %u, hostname: %{sensitive,mask.hash}s, options: %{mdns:gaiopts}X, client pid: %lld (%{public}s)",
  "activityIdentifier": 0,
  "subsystem": "com.apple.mdns",
  "category": "dnssd_server",
  "threadID": 149648,
  "senderImageUUID": "00AA92CE-B5C8-3C17-82B3-C618AB43D536",
  "backtrace": {
    "frames": [
      {
        "imageOffset": 505932,
        "imageUUID": "00AA92CE-B5C8-3C17-82B3-C618AB43D536"
      }
    ]
  },
  "bootUUID": "FF30E7BF-4187-42AC-8F48-E8CAF8C6C9DA",
  "processImagePath": "/usr/sbin/mDNSResponder",
  "timestamp": "2023-05-30 09:35:10.694055+0900",
  "senderImagePath": "/usr/sbin/mDNSResponder",
  "machTimestamp": 991557232492,
  "messageType": "Default",
  "processImageUUID": "00AA92CE-B5C8-3C17-82B3-C618AB43D536",
  "processID": 499,
  "senderProgramCounter": 505932,
  "parentActivityIdentifier": 0,
  "timezoneName": ""
}
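The `formatString` above shows why the value 0 matters: the options argument is rendered through the custom format item `%{mdns:gaiopts}X`, and Apple's `log show` prints a zero bitmask as `0x0 {}` rather than treating it as unknown. The following Rust snippet is an added example (not code from the macos-UnifiedLogs project and not the fix applied to this issue) that parses an os_log-style format item, dispatches the `mdns:gaiopts` custom type, and renders the zero case the way `log show` does. The function names `parse_format_item`, `render_gaiopts` and `render_item` are this example's own; the names of non-zero getaddrinfo option flags are not documented on this page, so any non-zero value is reported as unknown here instead of being decoded.

```rust
// Added example: os_log format-item parsing with a `%{mdns:gaiopts}X` decoder.
// Not the macos-UnifiedLogs project's code; names below are this example's own.

/// One `%...` format item, e.g. `%{mdns:gaiopts}X` or `%{sensitive,mask.hash}s`.
#[derive(Debug, PartialEq)]
pub struct FormatItem {
    /// Comma-separated modifiers inside `{...}`, e.g. ["mdns:gaiopts"].
    pub modifiers: Vec<String>,
    /// printf-style conversion character, e.g. 'X', 'd', 's'.
    pub conversion: char,
}

/// Parse a single format item that starts with `%`.
/// Length modifiers such as `ll` (as in `%lld`) are skipped.
pub fn parse_format_item(spec: &str) -> Option<FormatItem> {
    let rest = spec.strip_prefix('%')?;
    let (modifiers, rest) = if let Some(inner) = rest.strip_prefix('{') {
        let end = inner.find('}')?;
        let mods = inner[..end]
            .split(',')
            .map(|m| m.trim().to_string())
            .collect();
        (mods, &inner[end + 1..])
    } else {
        (Vec::new(), rest)
    };
    let conversion = rest
        .chars()
        .find(|c| !matches!(c, 'l' | 'h' | 'z' | 'j' | 't'))?;
    Some(FormatItem { modifiers, conversion })
}

/// Render a getaddrinfo options bitmask like `log show` does.
/// A zero mask is a valid, empty option set and renders as "0x0 {}".
/// Non-zero masks would need the flag names, which this example does not
/// know (assumption: report them as unknown rather than guess names).
pub fn render_gaiopts(value: u64) -> Result<String, String> {
    if value == 0 {
        return Ok(format!("0x{:X} {{}}", value));
    }
    Err(format!("Unknown getaddrinfo options: {}", value))
}

/// Render one numeric argument according to its format item.
/// Custom `mdns:gaiopts` items go through `render_gaiopts`; plain `%X`
/// renders bare uppercase hex (the "0x" in "flags: 0x%X" is literal text).
pub fn render_item(item: &FormatItem, value: u64) -> Result<String, String> {
    if item.modifiers.iter().any(|m| m == "mdns:gaiopts") {
        return render_gaiopts(value);
    }
    match item.conversion {
        'X' => Ok(format!("{:X}", value)),
        'x' => Ok(format!("{:x}", value)),
        'd' | 'u' => Ok(value.to_string()),
        other => Err(format!("unsupported conversion: %{}", other)),
    }
}

fn main() {
    // Constructed sample: the items and values from the issue's log entry.
    let samples = [("%X", 0xC808D000u64), ("%{mdns:gaiopts}X", 0), ("%lld", 7585)];
    for (spec, value) in samples {
        let item = parse_format_item(spec).expect("valid format item");
        match render_item(&item, value) {
            Ok(text) => println!("{spec} with {value} -> {text}"),
            Err(warn) => println!("{spec} with {value} -> WARN {warn}"),
        }
    }
}
```

Running it renders `%{mdns:gaiopts}X` with 0 as `0x0 {}`, matching the `eventMessage` shown by `log show`, while `%X` with `0xC808D000` yields `C808D000` and `%lld` with 7585 yields `7585`.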