Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue with source value "-" for IPv4 strategy? #3

Open
knalli opened this issue Apr 23, 2015 · 3 comments
Open

Issue with source value "-" for IPv4 strategy? #3

knalli opened this issue Apr 23, 2015 · 3 comments

Comments

@knalli
Copy link

knalli commented Apr 23, 2015

Hi,

I've found an issue the filter looks to "crash" internally when a field value has an "invalid" value. I'm new in Logstash (config setup) and not yet Ruby aware -- so perhaps I've missed something.

Given a sample config

filter {
      anonymize {
        algorithm => "IPV4_NETWORK"
        fields => ["proxyip"]
        key => "16"
      }
}

my LS daemon (1.5 RC2) was "hanging" after some time. No more logs, no output, no new messages in process. And forwarders (i.e. logstash-forwarder) are noticed this as well and were stucked.

I had spend some time to figure out in some circumstances some of my nginx access logs will produce - as a proxyip value (a local request w/o a proxy). I can fix this with either an additional condition ([proxy] != "-") or even better removing the field matching this condition.

But the question is: Is this behavior as expected? If I'm not missing something, the current specs do not cover any negative tests?
@knalli knalli mentioned this issue Apr 28, 2015
Closed
@driskell
Copy link

irb reports:

2.0.0-p576 :003 > ip = IPAddr.new("")
IPAddr::InvalidAddressError: invalid address
    from /Users/Jason/.rvm/rubies/ruby-2.0.0-p576/lib/ruby/2.0.0/ipaddr.rb:559:in `in6_addr'
    from /Users/Jason/.rvm/rubies/ruby-2.0.0-p576/lib/ruby/2.0.0/ipaddr.rb:496:in `initialize'
    from (irb):3:in `new'
    from (irb):3
    from /Users/Jason/.rvm/rubies/ruby-2.0.0-p576/bin/irb:12:in `<main>'

So if the field is empty or not a valid address this exception raises.

@driskell
Copy link

jirb reports:

2.0.0-p576 :002 > ip = IPAddr.new("")
ArgumentError: invalid address
    from /usr/local/Cellar/jruby/1.7.19/libexec/lib/ruby/1.9/ipaddr.rb:544:in `in6_addr'
    from /usr/local/Cellar/jruby/1.7.19/libexec/lib/ruby/1.9/ipaddr.rb:481:in `initialize'
    from (irb):2:in `evaluate'
    from org/jruby/RubyKernel.java:1107:in `eval'
    from org/jruby/RubyKernel.java:1507:in `loop'
    from org/jruby/RubyKernel.java:1270:in `catch'
    from org/jruby/RubyKernel.java:1270:in `catch'
    from /usr/local/bin/jirb:13:in `(root)'

Both inherit from StandardError so no idea why the filter worker wasn't logging it as it died (it has a rescue => e - I can only think buffering.

But either way it really needs handling in the filter.

eht16 pushed a commit to eht16/logstash-filter-anonymize that referenced this issue Sep 6, 2016
@plusserver-admin
Handle and log invalid IP address errors
d74724c 
If the filter get any invalid input for the anonymize_ipv4_network
mode, it will crash the whole Logstash pipeline because of an
unhandled ArgumentError thrown by the IPAddr class.
Furthermore, the causing event got lost during the crash, so
post-mortem analysis were not possible.

Now, ArgumentError is catched and an error message is logged.
The value to be anonymized is kept in the event in the identified form
and the event gets processed further as usual.

Fixes logstash-plugins#3.
@eht16 eht16 mentioned this issue Sep 6, 2016
Open
@eht16
Copy link

eht16 commented Sep 6, 2016

In #8 there is a possible solution by catching the ArgumentError exception, create a log message and tag the event for later reference.

I'm not completely sure if this is the best solution, but we need exactly this now as our Logstash instances crash often because of this error and we are not even able to find the causing log events because they are eaten by the crash.

eht16 added a commit to eht16/logstash-filter-anonymize that referenced this issue Dec 4, 2016
@eht16
Handle and log invalid IP address errors
3217495 
If the filter get any invalid input for the anonymize_ipv4_network
mode, it will crash the whole Logstash pipeline because of an
unhandled ArgumentError thrown by the IPAddr class.
Furthermore, the causing event got lost during the crash, so
post-mortem analysis were not possible.

Now, ArgumentError is catched and an error message is logged.
The value to be anonymized is kept in the event in the identified form
and the event gets processed further as usual.

Fixes logstash-plugins#3.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@knalli @eht16 @driskell