
Analysis time button bug fix #859

Status: Merged (12 commits), May 13, 2023
Conversation

@egbicker (Contributor) commented Apr 26, 2023

Fixes to allow the time selection button to properly filter syslog events.

Closes #832

@egbicker (Contributor, Author) commented May 3, 2023

@jw3 I think there might be an issue when parsing the `when` variable in the Rust layer. I added my best guess at a print statement in my most recent commit to see the value of e.rs.event.when in the temporal_filter function in crates/pyo3/src/analysis.rs, and got None. Looking at sudo systemctl status fapolicyd.service and sudo journalctl, it looks like the time format is not RFC 3339.

@jw3 (Member) commented May 3, 2023

What's this say: grep FileFormat /etc/rsyslog.conf

@egbicker (Contributor, Author) commented May 3, 2023

module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

@jw3 (Member) commented May 3, 2023

#868 describes what you are seeing.

Quick fix is to update the syslog format. The playbook does that; I am guessing you didn't set this VM up from there.

- name: set syslog format
  replace:
    path: /etc/rsyslog.conf
    regexp: "RSYSLOG_TraditionalFileFormat"
    replace: "RSYSLOG_FileFormat"

@jw3 (Member) commented May 3, 2023

Btw, this is a good find 👍 .

That format change was made way back in development of the analysis view. I had forgotten about it since then, but it definitely needs to be more robust.

@egbicker (Contributor, Author) commented May 3, 2023

@jw3 This seems to be working after I cleared out the entries with the old format. Do you think it's worth adding that grep as a check before enabling the time selection, or is it better to open an issue with the parsing?

@jw3 (Member) commented May 3, 2023

Maybe the analyzer should warn the user if entries come back without a when value.

You could detect that from the returned results and display a dialog that mentions the config items to check.
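The two points raised in this thread, that RSYSLOG_TraditionalFileFormat lines ("May  3 10:15:32 ...") carry no RFC 3339 timestamp and so come back with no when value, and that the analyzer could detect such entries in the returned results and warn the user about the rsyslog configuration, are illustrated below in an added Python example. It is not fapolicy-analyzer project code; the function names, the Event type and the log lines in SAMPLE_LOG are all constructed for the example, and the fapolicyd message bodies are placeholders. It also handles the mixed-file case (old-format entries written before the config change alongside new ones), which the thread only mentions in passing.

```python
"""Added example (not fapolicy-analyzer project code).

Parses syslog lines written in either rsyslog template, applies a time-window
filter, and reports entries whose timestamp could not be parsed so the UI can
warn the user about the rsyslog configuration. The log lines in SAMPLE_LOG are
constructed for this example; the function names are assumptions, not the
project's API."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# RSYSLOG_FileFormat: RFC 3339 timestamp (fractional seconds, numeric UTC offset or Z).
RFC3339_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2}))\s+(?P<rest>.*)$"
)
# RSYSLOG_TraditionalFileFormat: "May  3 10:15:32" (no year, no zone, day space-padded).
TRADITIONAL_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$"
)


@dataclass
class Event:
    raw: str
    when: Optional[datetime]  # None when no RFC 3339 timestamp was found
    fmt: str                  # "rfc3339", "traditional" or "unknown"


def parse_line(line: str) -> Event:
    """Mirror the behaviour seen in the PR: only RFC 3339 timestamps yield a `when`."""
    m = RFC3339_RE.match(line)
    if m:
        # datetime.fromisoformat rejects a trailing "Z" before Python 3.11.
        ts = m.group("ts").replace("Z", "+00:00")
        return Event(line, datetime.fromisoformat(ts), "rfc3339")
    if TRADITIONAL_RE.match(line):
        return Event(line, None, "traditional")
    return Event(line, None, "unknown")


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def temporal_filter(events: List[Event], start: datetime, end: datetime) -> List[Event]:
    """Keep events whose `when` lies in [start, end]; entries without `when` are dropped."""
    return [e for e in events if e.when is not None and start <= e.when <= end]


def when_coverage_warning(events: List[Event]) -> Optional[str]:
    """Text for a warning dialog when some entries came back without `when`, else None."""
    missing = [e for e in events if e.when is None]
    if not missing:
        return None
    traditional = sum(1 for e in missing if e.fmt == "traditional")
    return (
        f"{len(missing)} of {len(events)} syslog entries have no parseable timestamp "
        f"({traditional} in RSYSLOG_TraditionalFileFormat). Check that /etc/rsyslog.conf "
        'uses Template="RSYSLOG_FileFormat" (grep FileFormat /etc/rsyslog.conf), restart '
        "rsyslog, and note that entries written before the change keep the old format."
    )


# Constructed sample: one old-format line left over from before the config change,
# two lines in the RFC 3339 format, and one line that is not a syslog record at all.
# The fapolicyd message bodies are placeholders, not real fapolicyd output.
SAMPLE_LOG = """\
May  3 10:15:32 host1 fapolicyd[1234]: dec=deny perm=execute path=/tmp/a
2023-05-03T10:16:01.000123-04:00 host1 fapolicyd[1234]: dec=allow perm=execute path=/usr/bin/ls
2023-05-03T10:20:45.500000-04:00 host1 fapolicyd[1234]: dec=deny perm=open path=/tmp/b
not a syslog record
"""


def run_demo() -> dict:
    """Parse SAMPLE_LOG, filter a 10:00-10:18 (UTC-4) window and build the warning."""
    events = parse_log(SAMPLE_LOG)
    start = datetime.fromisoformat("2023-05-03T10:00:00-04:00")
    end = datetime.fromisoformat("2023-05-03T10:18:00-04:00")
    kept = temporal_filter(events, start, end)
    return {
        "formats": [e.fmt for e in events],
        "kept": [e.raw for e in kept],
        "warning": when_coverage_warning(events),
        # The same check on only the RFC 3339 entries produces no warning.
        "warning_clean": when_coverage_warning([e for e in events if e.fmt == "rfc3339"]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The old-format line is silently dropped by the time filter, which is exactly the symptom reported above; the coverage check turns that silent drop into a message the UI can show, naming the rsyslog template to check and pointing out that entries logged before the change are still in the old format.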

@egbicker egbicker marked this pull request as ready for review May 4, 2023 16:48
@egbicker egbicker requested a review from dorschs57 May 4, 2023 16:48
@egbicker egbicker linked an issue May 4, 2023 that may be closed by this pull request
@dorschs57 (Collaborator) left a comment

One minor suggested change. Otherwise the code looks good.

Review comment on fapolicy_analyzer/ui/policy_rules_admin_page.py (outdated, resolved)
@dorschs57 (Collaborator) left a comment

Code looks good 👍

@jw3 jw3 merged commit bb87d7c into ctc-oss:master May 13, 2023
Linked issue (may be closed by this pull request): Analyzer Time Selection button not working
3 participants