strongdm / log-export-container

A Docker container for easily exporting strongDM query logs
Apache License 2.0

syslog-csv with rdp sessions - illegal quoting csv input format #38

Closed acesdm closed 2 years ago

acesdm commented 2 years ago

Describe the bug
RDP resource logging to LEC with syslog-csv input format throws errors

To Reproduce
Steps to reproduce the behavior:

  1. Set up an RDP resource logging to LEC.
  2. Set up the syslog-csv format.
  3. Connect to the RDP resource from SDM.
  4. See the error:

2021-11-16T20:38:18+00:00 fluent.warn {"error":"#<RuntimeError: failed to expandrecord[\"1\"].scan(/([0-9]+-[0-9]+-[0-9]+T[0-9]+:[0-9]+:[0-9]+Z)./).last.first: error = undefined methodfirst' for nil:NilClass>","location":"/usr/lib/ruby/gems/2.7.0/gems/fluentd-1.14.2/lib/fluent/plugin/filter_record_transformer.rb:310:in rescue in expand'","tag":"class.start","time":1637095098,"record":{"1":"2021-11-16T14:38:18-06:00 c-ubu3 strongDM[7918]: 2021-11-16 20:38:18.01160498 +0000 UTC","2":"start","3":"r21148CWjq5TZJY5HlllgGTiIkx2","4":"rs-43cbbc93610d3911","5":"c-win2k12","6":"a-377c217b61002a87","7":"Aaron Enfield","8":"{\"version\":1,\"width\":0,\"height\":0,\"duration\":1.008157898,\"command\":null,\"title\":null,\"env\":{},\"type\":\"rdp-basic\",\"fileName\":null,\"fileSize\":0,\"stdout\":null,\"lastChunkId\":0,\"clientCommand\":null,\"pod\":null,\"container\":null,\"requestMethod\":\"\",\"requestURI\":\"\",\"requestBody\":null}\\n","9":"6a0fe0ca745baa07c20701b81d627df9f36cebbf","sourceAddress":"70.122.23.211","sourceHostname":"cpe-70-122-23-211.austin.res.rr.com"},"message":"dump an error event: error_class=RuntimeError error=\"failed to expandrecord[\\"1\\"].scan(/([0-9]+-[0-9]+-[0-9]+T[0-9]+:[0-9]+:[0-9]+Z)./).last.first: error = undefined methodfirst' for nil:NilClass\" location=\"/usr/lib/ruby/gems/2.7.0/gems/fluentd-1.14.2/lib/fluent/plugin/filter_record_transformer.rb:310:in rescue in expand'\" tag=\"class.start\" time=2021-11-16 20:38:18.050791136 +0000 record={\"1\"=>\"2021-11-16T14:38:18-06:00 c-ubu3 strongDM[7918]: 2021-11-16 20:38:18.01160498 +0000 UTC\", \"2\"=>\"start\", \"3\"=>\"r21148CWjq5TZJY5HlllgGTiIkx2\", \"4\"=>\"rs-43cbbc93610d3911\", \"5\"=>\"c-win2k12\", \"6\"=>\"a-377c217b61002a87\", \"7\"=>\"Aaron Enfield\", 
\"8\"=>\"{\\\"version\\\":1,\\\"width\\\":0,\\\"height\\\":0,\\\"duration\\\":1.008157898,\\\"command\\\":null,\\\"title\\\":null,\\\"env\\\":{},\\\"type\\\":\\\"rdp-basic\\\",\\\"fileName\\\":null,\\\"fileSize\\\":0,\\\"stdout\\\":null,\\\"lastChunkId\\\":0,\\\"clientCommand\\\":null,\\\"pod\\\":null,\\\"container\\\":null,\\\"requestMethod\\\":\\\"\\\",\\\"requestURI\\\":\\\"\\\",\\\"requestBody\\\":null}\\\\n\", \"9\"=>\"6a0fe0ca745baa07c20701b81d627df9f36cebbf\", \"sourceAddress\"=>\"70.122.23.211\", \"sourceHostname\"=>\"cpe-70-122-23-211.austin.res.rr.com\"}"}

If you change to LOG_EXPORT_CONTAINER_INPUT=syslog-json, no issues.

Expected behavior
No error


Additional context

This is how I started LEC:

sudo docker run -p 5140:5140 -v ~/log-export-container-main/fluentd/etc/output-datadog.conf:/fluentd/etc/output-datadog.conf -e LOG_EXPORT_CONTAINER_INPUT=syslog-csv -e LOG_EXPORT_CONTAINER_OUTPUT=datadog -e LOG_EXPORT_CONTAINER_OUTPUT=stdout public.ecr.aws/strongdm/log-export-container

ubuntu@ACE-AWS-SSH2:~$ cat ~/log-export-container-main/fluentd/etc/output-datadog.conf
<store>
  @type               datadog
  @id                 "ACE-AWS-SSH2"
  api_key             "f47f70c0e7a01c14df151684d4d7d1d5"

  dd_source           'sdm'

  # for more config options
  # see https://github.com/DataDog/fluent-plugin-datadog
</store>
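The fluentd warning in the report shows why the chain `record["1"].scan(...).last.first` blows up: the regex requires a literal `Z` after the seconds, while field "1" carries a syslog timestamp with a numeric offset (`2021-11-16T14:38:18-06:00`), so `scan` returns nothing, `.last` is `nil`, and `.first` raises. The Ruby below is an added illustration, not code from log-export-container: `STRICT_TS` reproduces the expression from the error, `LENIENT_TS` and `lenient_extract` are a hypothetical nil-safe alternative that accepts either form and normalises to UTC, and both sample fields are constructed from the report.

```ruby
require 'time'

# The pattern from the record_transformer error above: a literal "Z" is mandatory.
STRICT_TS = /([0-9]+-[0-9]+-[0-9]+T[0-9]+:[0-9]+:[0-9]+Z)./

# Hypothetical replacement: "Z" or a "+hh:mm"/"-hh:mm" offset, optional fraction.
LENIENT_TS = /(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))/

# Mirrors the failing expression exactly; raises NoMethodError when no "Z" timestamp is present.
def strict_extract(field)
  field.scan(STRICT_TS).last.first
end

# Nil-safe variant: returns the last timestamp found, normalised to UTC ISO-8601,
# or nil when the field carries no recognisable timestamp (caller decides what to do).
def lenient_extract(field)
  match = field.scan(LENIENT_TS).last
  return nil if match.nil?
  Time.iso8601(match.first).utc.iso8601
end

# Constructed samples. The first copies record["1"] from the report (local offset, no "Z");
# the second is the same event as the relay would emit it with a UTC "Z" timestamp.
LOCAL_OFFSET_FIELD = '2021-11-16T14:38:18-06:00 c-ubu3 strongDM[7918]: 2021-11-16 20:38:18.01160498 +0000 UTC'
ZULU_FIELD         = '2021-11-16T20:38:18Z c-ubu3 strongDM[7918]: 2021-11-16 20:38:18.01160498 +0000 UTC'

if __FILE__ == $PROGRAM_NAME
  puts "lenient (offset): #{lenient_extract(LOCAL_OFFSET_FIELD).inspect}"
  puts "lenient (zulu):   #{lenient_extract(ZULU_FIELD).inspect}"
  puts "strict  (zulu):   #{strict_extract(ZULU_FIELD).inspect}"
  begin
    strict_extract(LOCAL_OFFSET_FIELD)
  rescue NoMethodError => e
    puts "strict  (offset): #{e.class}: #{e.message}"
  end
end
```

Both sample fields normalise to the same UTC instant, which is the property a log pipeline should rely on rather than the host's syslog timestamp format.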

wallrony commented 2 years ago

@acesdm I followed the same steps you described and I am not able to reproduce the error. I made this environment:

  1. Create a virtual machine with windows and enable RDP;
  2. Setup a relay to connect to the RDP instance;
  3. Add the RDP to StrongDM web App;
  4. Setup LogExportContainer with syslog-csv input and stdout output;
  5. Try to connect RDP using the port override given by SDM.

I followed these steps and got the outputs perfectly. Please clarify the following point: the command that you shared has two outputs defined, datadog and stdout. Which is the correct one? When I execute the same command it creates the fluent.conf file with stdout output, which I guess is incorrect, because your proposal means that the error comes from datadog.

Please check the fluent.conf file inside your docker container to make sure about what you're testing.

camposer commented 2 years ago

We were not able to reproduce this problem. Our setup: Linux (Ubuntu 21) running LEC in host mode with a local relay. The RDP server was running on Windows 10 Pro in a VM hosted in VirtualBox v6.1.

From our understanding there is no bug; it might be better to have a quick meeting in order to better understand the problem.

acesdm commented 2 years ago

I can't reproduce it anymore. Ok to close.