diff --git a/CHANGES b/CHANGES index dd90c72bc8..ee8c8cafdf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,13 @@ +7.0.0-dev.187 | 2024-04-26 12:29:18 -0700 + + * Gracefully handle empty/missing shadow file (Peter Cullen, Corelight) + + When a shadow file is empty/missing during rotation, Zeek aborts + with an error message, but if the shadow file was empty, it'll still + be there after the restart, causing an endless restart loop. This + solution gracefully handles the rotation in such cases using the + default file extension and post processing function. + 7.0.0-dev.184 | 2024-04-26 11:17:52 -0700 * GH-3671: Factor in caplens in ICMPAnalyzer::DeliverPacket length calculations (Christian Kreibich, Corelight) diff --git a/VERSION b/VERSION index 738fba12bc..88b3aab393 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -7.0.0-dev.184 +7.0.0-dev.187 diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc index 00a490fb2b..bcb4cfeffc 100644 --- a/src/logging/writers/ascii/Ascii.cc +++ b/src/logging/writers/ascii/Ascii.cc @@ -116,10 +116,14 @@ TEST_CASE("writers.ascii prefix_basename_with") { static std::optional parse_shadow_log(const std::string& fname) { auto sfname = prefix_basename_with(fname, shadow_file_prefix); + string default_ext = "." + Ascii::LogExt(); + if ( BifConst::LogAscii::gzip_level > 0 ) + default_ext += ".gz"; LeftoverLog rval = {}; rval.filename = fname; rval.shadow_filename = std::move(sfname); + rval.extension = default_ext; auto sf_stream = fopen(rval.shadow_filename.data(), "r"); 
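Review bot: The fallback `default_ext` in parse_shadow_log is built from the running process's settings (`Ascii::LogExt()`, `BifConst::LogAscii::gzip_level`) plus a literal `".gz"`, but the leftover log it gets applied to was written by an earlier run. If the compression setting changed between runs, or the writer takes its gzip suffix from configuration elsewhere, the rotated file could end up with a suffix that does not match its contents. I would document that at the `rval.extension = default_ext;` assignment, e.g. `// Fallback only: reflects current settings, not necessarily those the leftover log was written with.`, and spell the type `std::string` as the signature does. The function body continues outside this hunk.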
@@ -165,15 +169,16 @@ static std::optional parse_shadow_log(const std::string& fname) { auto sf_lines = util::tokenize_string(sf_view, '\n'); if ( sf_lines.size() < 2 ) { - rval.error = util:: - fmt("Found leftover log, '%s', but the associated shadow " - " file, '%s', required to process it is invalid", - rval.filename.data(), rval.shadow_filename.data()); - return rval; + reporter->Warning( + "Found leftover log, '%s', but the associated shadow " + " file, '%s', required to process it is invalid: using default " + " for extension (%s) and post_proc_func", + rval.filename.data(), rval.shadow_filename.data(), default_ext.data()); + } + else { + rval.extension = sf_lines[0]; + rval.post_proc_func = sf_lines[1]; } - - rval.extension = sf_lines[0]; - rval.post_proc_func = sf_lines[1]; struct stat st;
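Review bot: The new `else` branch still copies `sf_lines[0]` and `sf_lines[1]` from the shadow file unchecked, so a shadow file with two or more lines but an empty first line would replace the default extension set earlier with an empty string; whether `util::tokenize_string` can yield such an empty token is not visible here. Since the change exists to survive damaged shadow files, I would override only when a value is present: `if ( ! sf_lines[0].empty() ) rval.extension = sf_lines[0];`. The warning text also gets doubled spaces where the adjacent literals join (`"shadow " " file"`, `"default " " for"`); dropping the leading space of the continuation literals fixes that. The function continues past `struct stat st;` outside the hunk, so how the extension and post-processing function name are used afterwards cannot be checked from here.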