From 49123d3a9405f4b64e515f57479236c45a56ff08 Mon Sep 17 00:00:00 2001 From: Peter Cullen Date: Thu, 18 Apr 2024 18:39:41 +0000 Subject: [PATCH] Gracefully handle empty/missing shadow file When a shadow file is empty/missing during rotation, Zeek aborts with an error message, but if the shadow file was empty, it'll still be there after the restart, causing an endless restart loop. This solution gracefully handles the rotation in such cases using the default file extension and post processing function. --- src/logging/writers/ascii/Ascii.cc | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index 00a490fb2b..60140c41b2 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -116,10 +116,14 @@ TEST_CASE("writers.ascii prefix_basename_with") { static std::optional parse_shadow_log(const std::string& fname) { auto sfname = prefix_basename_with(fname, shadow_file_prefix); + string default_ext = "." + Ascii::LogExt(); + if ( BifConst::LogAscii::gzip_level > 0 ) + default_ext += ".gz"; LeftoverLog rval = {}; rval.filename = fname; rval.shadow_filename = std::move(sfname); + rval.extension = default_ext; auto sf_stream = fopen(rval.shadow_filename.data(), "r"); @@ -165,15 +169,16 @@ static std::optional parse_shadow_log(const std::string& fname) { auto sf_lines = util::tokenize_string(sf_view, '\n'); if ( sf_lines.size() < 2 ) { - rval.error = util:: - fmt("Found leftover log, '%s', but the associated shadow " - " file, '%s', required to process it is invalid", - rval.filename.data(), rval.shadow_filename.data()); - return rval; + reporter->Warning("Found leftover log, '%s', but the associated shadow " + " file, '%s', required to process it is invalid: using default " + " for extension (%s) and post_proc_func", + rval.filename.data(), rval.shadow_filename.data(), + default_ext.data()); + } + else { + rval.extension = sf_lines[0]; + rval.post_proc_func = sf_lines[1]; } - - rval.extension = sf_lines[0]; - rval.post_proc_func = sf_lines[1]; struct stat st;