Merge remote-tracking branch 'pbcullen/topic/pbcullen/shadow-file-handling'

* pbcullen/topic/pbcullen/shadow-file-handling: reformat changes Gracefully handle empty/missing shadow file
2025-10-15 21:18:20 +00:00 · 2024-04-26 12:29:18 -07:00 · 2024-04-26 12:29:18 -07:00 · ad6d70d4e6
commit ad6d70d4e6
parent 7fdbb73511 dc54b14ae9
3 changed files with 24 additions and 9 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+7.0.0-dev.187 | 2024-04-26 12:29:18 -0700
+
+  * Gracefully handle empty/missing shadow file (Peter Cullen, Corelight)
+
+    When a shadow file is empty/missing during rotation, Zeek aborts
+    with an error message, but if the shadow file was empty, it'll still
+    be there after the restart, causing an endless restart loop. This
+    solution gracefully handles the rotation in such cases using the
+    default file extension and post processing function.
+
 7.0.0-dev.184 | 2024-04-26 11:17:52 -0700

  * GH-3671: Factor in caplens in ICMPAnalyzer::DeliverPacket length calculations (Christian Kreibich, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-7.0.0-dev.184
+7.0.0-dev.187
--- a/src/logging/writers/ascii/Ascii.cc
+++ b/src/logging/writers/ascii/Ascii.cc
@ -116,10 +116,14 @@ TEST_CASE("writers.ascii prefix_basename_with") {

 static std::optional<LeftoverLog> parse_shadow_log(const std::string& fname) {
    auto sfname = prefix_basename_with(fname, shadow_file_prefix);
+    string default_ext = "." + Ascii::LogExt();
+    if ( BifConst::LogAscii::gzip_level > 0 )
+        default_ext += ".gz";

    LeftoverLog rval = {};
    rval.filename = fname;
    rval.shadow_filename = std::move(sfname);
+    rval.extension = default_ext;

    auto sf_stream = fopen(rval.shadow_filename.data(), "r");

@ -165,15 +169,16 @@ static std::optional<LeftoverLog> parse_shadow_log(const std::string& fname) {
    auto sf_lines = util::tokenize_string(sf_view, '\n');

    if ( sf_lines.size() < 2 ) {
-        rval.error = util::
-            fmt("Found leftover log, '%s', but the associated shadow "
-                " file, '%s', required to process it is invalid",
-                rval.filename.data(), rval.shadow_filename.data());
-        return rval;
+        reporter->Warning(
+            "Found leftover log, '%s', but the associated shadow "
+            " file, '%s', required to process it is invalid: using default "
+            " for extension (%s) and post_proc_func",
+            rval.filename.data(), rval.shadow_filename.data(), default_ext.data());
+    }
+    else {
+        rval.extension = sf_lines[0];
+        rval.post_proc_func = sf_lines[1];
    }
-
-    rval.extension = sf_lines[0];
-    rval.post_proc_func = sf_lines[1];

    struct stat st;