search

phaag / nfsen

Legacy NfSen code
Other
23 stars 11 forks source link

nfsend breaking when an alert is triggered #8

Closed thezoggy closed 1 year ago

thezoggy commented 1 year ago

nfsen/nfdump (both latest from git), works fine. After setting up a test alert and it triggering I see it sent an email but then kills nfsen.

email:

Subject: Alert triggered

Alert 'test' triggered at timeslot 202302200845

Then nfsen stopped working shortly afterwards, logs show that it looks like I have some packages missing thats needed:

Feb 20 08:50:31 netflow4.vm nfsen[3873028]: PANIC nfsend dies: Can't locate object method "tid" via package "threads" at /usr/share/perl/5.30/XSLoader.pm line 111.
Feb 20 08:50:31 netflow4.vm nfsen[3873028]: Signal comm server to terminate
...
Feb 20 08:50:31 netflow4.vm nfsen[3873028]: PANIC nfsend dies: Can't locate URI/_idna.pm in @INC (you may need to install the URI::_idna module) (@INC contains: /data/nfsen/libexec /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/IO/Socket/SSL/PublicSuffix.pm line 124.
Feb 20 08:50:31 netflow4.vm nfsen[3873028]: Signal comm server to terminate
...
Feb 20 08:50:31 netflow4.vm nfsen[3873028]: PANIC nfsend dies: Can't locate Net/IDN/Encode.pm in @INC (you may need to install the Net::IDN::Encode module) (@INC contains: /data/nfsen/libexec /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.30.0 /usr/local/share/perl/5.30.0 /usr/lib/x86_64-linux-gnu/perl5/5.30 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.30 /usr/share/perl/5.30 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at /usr/share/perl5/IO/Socket/SSL/PublicSuffix.pm line 130.

I'm using ubuntu 20.04 LTS and below are the packages I have installed:

for nfdump:

sudo apt-get install git wget unzip man apt-utils dialog pkg-config libtool autoconf autogen bison byacc flex make libpcap-dev libbz2-dev rrdtool bzip2

and for nfsen (nfprofile/nftrack):

sudo apt-get install  librrdp-perl librrds-perl librrd-dev

for nfsen custom scripts scripts (manage ordering/updating profiles)

sudo apt-get install libdbi-perl
borjam commented 1 year ago

Since ages ago I have been compiling Perl on FreeBSD without threads in order to use it for Nfsen.

I haven't tried a multi threaded Perl yet with the new version, but the first error is what I used to see when I used the default options to compile Perl, ie, using threads.

thezoggy commented 1 year ago

As "URI::_idna" is liburi-perl trying that one out

sudo apt-get install liburi-perl

Seems to fix the idna/idn stuff but still pukes after sending test email

Feb 27 17:10:34 netflow4.vm nfsen[3546996]: PANIC nfsend dies: Can't locate object method "tid" via package "threads" at /usr/share/perl/5.30/XSLoader.pm line 111.
borjam commented 1 year ago 
Feb 27 17:10:34 netflow4.vm nfsen[3546996]: PANIC nfsend dies: Can't locate object method "tid" via package "threads" at /usr/share/perl/5.30/XSLoader.pm line 111.

That error is caused (unless I am very wrong) by multi threaded Perl. I have been installing Nfsen on FreeBSD compiling Perl without threading support.

Try that, it will probably solve your issue.

thezoggy commented 1 year ago

from what your saying, i can mask the problem by not using a threaded perl because alerts arent thread safe?

borjam commented 1 year ago

NfDump 1.7.x is multi threaded. NfSen is not.

Moreover, it´s not an issue of thread safety, but thread awareness. Some old Perl code gets confused by a variable/method called "tid" which seems to mean thread id. If you compile a non multi threaded Perl, problem solved.

That's how I´ve been running Nfsen for ages.

Try compiling Perl with -Dusethreads=n

Unless you run a lot of Perl code it will not cause problems.

phaag commented 1 year ago

I did not lock into this issue, but from what you report, I am sure, there is a problem with the Perl installation or the modules. The code base of NfSen is that old, that threads are not used anywhere. At that time, Perl had massive problems with threads. Therefore I support @borjam to try to compile Perl without threading. Most likely there is a module dependancy somewhere down the path when an alert is configured or triggered. Threads and Perl never were really friends ...

thezoggy commented 1 year ago

but wouldnt it be a negative to do perl without threading with nfdump 1.7.x ?

phaag commented 1 year ago

There is no relation to threading within nfdump. The perl code has no impact on nfdump.

thezoggy commented 1 year ago

gotcha, this box just uses default ubuntu 20.04 packages and it looks like perl 5.8.x just enabled threading by default now. so rather than mess with building perl it was easier for me to just remove "Alerts" from the menu on nfsen.php to prevent someone from setting up an alert to break the box.