Attempted Zeek ingest of good+bad files halts and shows confusing error #687

Closed
philrz opened this issue Apr 25, 2020 · 1 comment · Fixed by #716
Label: bug (Something isn't working)
philrz commented Apr 25, 2020

Found in Brim commit 1fae48f talking to zqd commit a2de891.

In this case I'm adopting the persona of a Zeek user that's trying to drag the contents of a Zeek log directory into the app. Zeek is known to generate a handful of not-Zeek-format-logs in such a directory (e.g. the conn-summary log and the stderr/stdout logs). As there are so many logs in the directory, it would be an excessive burden on the user for them to delete/unclick each of the "bad" ones before dragging the contents into Brim. Therefore it's important that Brim ingest what's good, be tolerant of the "bad" ones, and present some helpful warnings so the user can at least review what was not ingested and confirm that they're ok with that.

I've simplified things here. Per the attached video, I have two files I'm attempting to ingest. One contains a single valid Zeek NDJSON event:

# cat bar.ndjson
{"_path":"pe","_write_ts":"2015-03-06T13:38:28.016893Z","ts":"2015-03-06T13:38:20.736865Z","id":"FxADxanpFc2GG166e","machine":"I386","compile_ts":"2012-02-17T14:55:26.000000Z","os":"Windows 2000","subsystem":"WINDOWS_GUI","is_exe":true,"is_64bit":false,"uses_aslr":false,"uses_dep":true,"uses_code_integrity":false,"uses_seh":false,"has_import_table":true,"has_export_table":true,"has_cert_table":true,"has_debug_data":true,"section_names":[".text",".rdata",".data",".CRT",".rsrc"]}

The other contains text that's neither pcap nor ingestible Zeek.

# cat not.ndjson
not even json!

When each is ingested separately, the valid one loads in fine, and for the bad one an error message pops up that says "Unknown file types" (side note: this should probably be singular "type", but that's not the primary issue here). Both of those are expected behaviors. However, if I try to drag both files into Brim as part of the same ingest attempt, now I get an error message "Only files of a single type (zeek or pcap) can be opened", which is confusing.

What I'd have expected is ingest of the "good" log and information about the "bad" one among the messages as shown in #577.

Repro.zip
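Added example (not Brim's or zqd's own code) of the tolerant ingest behavior requested above: each dropped file is classified on its own, valid Zeek NDJSON events are kept, and every file that is neither pcap nor Zeek produces a warning instead of aborting the whole batch. The pcap magic numbers are real; the file names, contents and function names are constructed for the demo.

```javascript
// Added example (not Brim's or zqd's code): a tolerant ingest pass that
// classifies each dropped file, keeps the valid Zeek NDJSON events, and
// collects a warning for each file it cannot ingest instead of halting.
// File names and contents below are constructed for the demo.

const PCAP_MAGICS = [0xa1b2c3d4, 0xd4c3b2a1, 0xa1b23c4d, 0x4d3cb2a1, 0x0a0d0d0a];

// A Zeek NDJSON file is one JSON object per line, each carrying a string `_path`.
function parseZeekNdjson(text) {
  const events = [];
  const lines = text.split("\n").filter((l) => l.trim() !== "");
  if (lines.length === 0) return null;
  for (const line of lines) {
    let obj;
    try { obj = JSON.parse(line); } catch (_) { return null; }
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) return null;
    if (typeof obj._path !== "string") return null;
    events.push(obj);
  }
  return events;
}

function classify(buf) {
  if (buf.length >= 4 && PCAP_MAGICS.includes(buf.readUInt32BE(0))) return "pcap";
  const events = parseZeekNdjson(buf.toString("utf8"));
  return events ? "zeek" : "unknown";
}

// files: Map of name -> Buffer. Returns ingested events plus per-file warnings.
function ingestAll(files) {
  const result = { events: [], pcaps: [], warnings: [] };
  for (const [name, buf] of files) {
    const kind = classify(buf);
    if (kind === "zeek") result.events.push(...parseZeekNdjson(buf.toString("utf8")));
    else if (kind === "pcap") result.pcaps.push(name);
    else result.warnings.push(`${name}: unknown file type, skipped`);
  }
  return result;
}

// Constructed sample drop: one good Zeek event, one junk file, one conn-summary log.
const SAMPLE_FILES = new Map([
  ["bar.ndjson", Buffer.from('{"_path":"pe","ts":"2015-03-06T13:38:20.736865Z","id":"FxADxanpFc2GG166e","is_exe":true}\n')],
  ["not.ndjson", Buffer.from("not even json!\n")],
  ["conn-summary.log", Buffer.from("#separator \\x09\nsummary text\n")],
]);
```

Running `ingestAll(SAMPLE_FILES)` yields the single `pe` event plus two warnings, which is the "ingest the good, flag the bad" outcome the issue asks for.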

philrz commented Apr 30, 2020

Verified in Brim commit 6dac8af talking to zqd commit 233e930.

Using the original repro steps, now we see the expected behavior where the "good" event makes it in and the "bad" event is identified via warning. See the attached video:

Verify-simple.zip

Even more importantly, now the true original use case can be shown to work: A directory full of logs generated by Zeek can be dragged in full, with the non-ingestible ones similarly flagged, but all the "good" data making it in.

Verify-Zeek.zip


Thanks @jameskerr!
