Merge tag '2.1.2'

2.1.2

 ### Core
- `__init__`: Resolve absolute path for `STATE_FILE_PATH` variable (resolves `..`).
- `intelmq.lib.utils`:
  - log: Do not raise an exception if logging to neither file nor syslog is requested.
  - logging StreamHandler: Colorize all warning and error messages red.
  - logging FileHandler: Strip all shell colorizations from the messages (#1436).
- `intelmq.lib.message`:
  - `Message.to_json`: Set `sort_keys=True` to get reproducible results.
  - `drop_privileges`: Handle situations where the user or group `intelmq` does not exist.
- `intelmq.lib.pipeline`:
  - `Amqp._send` and `Amqp._acknowledge`: Log traceback in debug mode in case of errors and necessary re-connections.
  - `Amqp._acknowledge`: Reset delivery tag if acknowledge was successful.

 ### Bots
 #### Collectors
- `intelmq.bots.collectors.misp.collector`:
  - Add compatibility with current pymisp versions and versions released after January 2020 (PR #1468).

 #### Parsers
- `intelmq.bots.parsers.shadowserver.config`: Add some missing fields for the feed `accessible-rdp` (#1463).
- `intelmq.bots.parsers.shadowserver.parser`:
  - Feed-detection based on file names: The prefixed date is optional now.
  - Feed-detection based on file names: Re-detect feed for every report received (#1493).

 #### Experts
- `intelmq.bots.experts.national_cert_contact_certat`: Handle empty responses by server (#1467).
- `intelmq.bots.experts.maxmind_geoip`: The script `update-geoip-data` now requires a license key as second parameter because of upstream changes (#1484)).

 #### Outputs
- `intelmq.bots.outputs.restapi.output`: Fix logging of response body if response status code was not ok.

 ### Documentation
- Remove some hardcoded `/opt/intelmq/` paths from code comments and program outputs.

 ### Packaging
- debian/rules: Only replace `/opt/intelmq/` with LSB-paths in some certain files, not the whole tree, avoiding wrong replacements.
- debian/rules and debian/intelmq.install: Do install the examples configuration directly instead of working around the abandoned examples directory.

 ### Tests
- `lib/test_utils`: Skip some tests on Python 3.4 because `contextlib.redirect_stdout` and `contextlib.redirect_sterr` are not supported on this version.
- Travis: Stop running tests with all optional dependencies on Python 3.4, as more and more libraries are dropping support for it. Tests on the core and code without non-optional requirements are not affected.
- `tests.bots.parsers.html_table`: Make tests independent of current year.

 ### Tools
- `intelmqctl upgrade-config`: Fix missing substitution in error message "State file %r is not writable.".

 ### Known issues
- bots trapped in endless loop if decoding of raw message fails (#1494)
- intelmqctl status of processes: need to check bot id too (#1492)
- MongoDB authentication: compatibility on different MongoDB and pymongo versions (#1439)
- ctl: shell colorizations are logged (#1436)
- http stream collector: retry on regular connection problems? (#1435)
- tests: capture logging with context manager (#1342)
- Bots started with IntelMQ-Manager stop when the webserver is restarted. (#952)
- n6 parser: mapping is modified within each run (#905)
- reverse DNS: Only first record is used (#877)
- Corrupt dump files when interrupted during writing (#870)
2.1.2

 ### Core
- `__init__`: Resolve absolute path for `STATE_FILE_PATH` variable
(resolves `..`).
- `intelmq.lib.utils`:
  - log: Do not raise an exception if logging to neither file nor syslog
is requested.
  - logging StreamHandler: Colorize all warning and error messages red.
  - logging FileHandler: Strip all shell colorizations from the messages
(#1436).
- `intelmq.lib.message`:
  - `Message.to_json`: Set `sort_keys=True` to get reproducible results.
  - `drop_privileges`: Handle situations where the user or group
`intelmq` does not exist.
- `intelmq.lib.pipeline`:
  - `Amqp._send` and `Amqp._acknowledge`: Log traceback in debug mode in
case of errors and necessary re-connections.
  - `Amqp._acknowledge`: Reset delivery tag if acknowledge was
successful.

 ### Bots
 #### Collectors
- `intelmq.bots.collectors.misp.collector`:
  - Add compatibility with current pymisp versions and versions released
after January 2020 (PR #1468).

 #### Parsers
- `intelmq.bots.parsers.shadowserver.config`: Add some missing fields
for the feed `accessible-rdp` (#1463).
- `intelmq.bots.parsers.shadowserver.parser`:
  - Feed-detection based on file names: The prefixed date is optional
now.
  - Feed-detection based on file names: Re-detect feed for every report
received (#1493).

 #### Experts
- `intelmq.bots.experts.national_cert_contact_certat`: Handle empty
responses by server (#1467).
- `intelmq.bots.experts.maxmind_geoip`: The script `update-geoip-data`
now requires a license key as second parameter because of upstream
changes (#1484)).

 #### Outputs
- `intelmq.bots.outputs.restapi.output`: Fix logging of response body if
response status code was not ok.

 ### Documentation
- Remove some hardcoded `/opt/intelmq/` paths from code comments and
program outputs.

 ### Packaging
- debian/rules: Only replace `/opt/intelmq/` with LSB-paths in some
certain files, not the whole tree, avoiding wrong replacements.
- debian/rules and debian/intelmq.install: Do install the examples
configuration directly instead of working around the abandoned examples
directory.

 ### Tests
- `lib/test_utils`: Skip some tests on Python 3.4 because
`contextlib.redirect_stdout` and `contextlib.redirect_sterr` are not
supported on this version.
- Travis: Stop running tests with all optional dependencies on Python
3.4, as more and more libraries are dropping support for it. Tests on
the core and code without non-optional requirements are not affected.
- `tests.bots.parsers.html_table`: Make tests independent of current
year.

 ### Tools
- `intelmqctl upgrade-config`: Fix missing substitution in error message
"State file %r is not writable.".

 ### Known issues
- bots trapped in endless loop if decoding of raw message fails (#1494)
- intelmqctl status of processes: need to check bot id too (#1492)
- MongoDB authentication: compatibility on different MongoDB and pymongo
versions (#1439)
- ctl: shell colorizations are logged (#1436)
- http stream collector: retry on regular connection problems? (#1435)
- tests: capture logging with context manager (#1342)
- Bots started with IntelMQ-Manager stop when the webserver is
restarted. (#952)
- n6 parser: mapping is modified within each run (#905)
- reverse DNS: Only first record is used (#877)
- Corrupt dump files when interrupted during writing (#870)

.travis.yml

@@ -5,14 +5,15 @@ env:
   - requirements=true
   - requirements=false
 python:
-  - 3.4
   - 3.5
   - 3.6
   - 3.7
 matrix:
   include:
   - python: 3.4
     env: mode=debian
+  - python: 3.4
+    env: requirements=false
   - python: 3.6
     env: mode=codestyle
 install:

NEWS.md

@@ -3,6 +3,18 @@ NEWS
 
 See the changelog for a full list of changes.
 
+
+2.1.2 Bugfix release (2020-01-28)
+---------------------------------
+
+#### MaxMind GeoIP
+MaxMind requires a registration before being able to download the GeoLite2 database starting with 2019-12-30: https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
+If the provided `update-geoip-data` script is used, the license key can now be set second parameter.
+
+### Libraries
+When using MISP integrations, make sure your currently installed PyMISP version supports the installed Python version. Any PyMISP version newer than 2.4.119.1 requires Python 3.6 or newer.
+
+
 2.1.1 Bugfix release (2019-11-11)
 ---------------------------------
 

debian/changelog

@@ -1,3 +1,15 @@
+intelmq (2.1.2-1) stable; urgency=medium
+
+  * Update to 2.1.2.
+
+ -- Wagner Sebastian <wagner@cert.at>  Tue, 28 Jan 2020 16:43:16 +0100
+
+intelmq (2.1.2~alpha1-1) stable; urgency=medium
+
+  * Update to 2.1.2~alpha1
+
+ -- Sebastian Wagner <wagner@cert.at>  Tue, 26 Nov 2019 12:06:55 +0100
+
 intelmq (2.1.1-1) stable; urgency=medium
 
   * Update to 2.1.1.

debian/intelmq.install

@@ -3,3 +3,5 @@ contrib/logrotate/intelmq etc/logrotate.d/
 contrib/bash-completion/intelmqctl usr/share/bash-completion/completions/
 contrib/bash-completion/intelmqdump usr/share/bash-completion/completions/
 intelmq/bots/experts/modify/examples/* usr/share/doc/intelmq/bots/experts/modify/examples/
+intelmq/etc/* etc/intelmq/
+intelmq/bots/BOTS etc/intelmq/

debian/rules

@@ -34,10 +34,8 @@ override_dh_auto_install: $(BOTDOCS)
 	rm intelmq/bin/rewrite_config_files.py
 	rm intelmq/bin/intelmq_gen_docs.py intelmq/tests/bin/test_gen_docs.py
 	sed -i -e '/#!\/usr\/bin\//d' intelmq/bin/*.py
-	find . -type f -exec sed -i -f debian/sedfile {} \;
+	sed -i -f debian/sedfile intelmq/bots/BOTS intelmq/etc/* docs/intelmqctl.md docs/Bots.md
 	python3 setup.py install --root=debian/intelmq --prefix=/usr
-	mv debian/intelmq/etc/intelmq/examples/* debian/intelmq/etc/intelmq/
-	rmdir debian/intelmq/etc/intelmq/examples
 	# these are already in /usr/bin/
 	#rm %{buildroot}/%{python3_sitelib}/intelmq/bots/experts/maxmind_geoip/update-geoip-data
 	#rm %{buildroot}/%{python3_sitelib}/intelmq/bots/experts/asn_lookup/update-asn-data

docs/Developers-Guide.md

@@ -106,18 +106,10 @@ pip3 install -e .
 
 useradd -d /opt/intelmq -U -s /bin/bash intelmq
 
-mkdir /opt/intelmq
-mkdir -p /opt/intelmq/var/lib/bots/file-output/
-mkdir -p /opt/intelmq/var/log/
-
-cp -R /opt/dev_intelmq/intelmq/etc /opt/intelmq/
-cp -R /opt/dev_intelmq/intelmq/bots/BOTS /opt/intelmq/etc/
-
-chmod -R 0770 /opt/intelmq
-chown -R intelmq.intelmq /opt/intelmq
+intelmqsetup
 ```
 
-**Note:** please do not forget that configuration files, log files will be available on `/opt/intelmq`. However, if your development is somehow related to any configuration file, keep using `/opt/intelmq` and then, before commit, change the configurations files on `/opt/dev_intelmq/intelmq/etc/` with your changes on `/opt/intelmq/etc/`.
+**Note:** please do not forget that configuration files, log files will be available on `/opt/intelmq`. However, if your development is somehow related to any shipped configuration file, you need to apply the changes in your repository `/opt/dev_intelmq/intelmq/etc/`.
 
 
 ## How to develop

docs/Ecosystem.md

@@ -22,6 +22,8 @@ This is not a software itself but listed here because the term it is often menti
 
 The EventDB is a (usually PostgreSQL) database with data from intelmq.
 
+For some related scripts see the [contrib/eventdb](../contrib/eventdb) directory and the [eventdb-stats](https://github.com/wagner-certat/eventdb-stats) repository for simple statistics generation.
+
 ## intelmq-webinput-csv
 
 A web-based interface to inject CSV data into IntelMQ with on-line validation and live feedback.
@@ -55,3 +57,9 @@ https://github.com/certat/do-portal/
 A Grafana-based statistics portal for the EventDB. Integrated in do-portal.
 
 https://github.com/certtools/stats-portal/
+
+## Malware Name Mapping
+
+A mapping for malware names of different feeds with different namings to a common family name.
+
+https://github.com/certtools/malware_name_mapping

docs/FAQ.md

@@ -3,7 +3,6 @@
 **Table of Contents:**
 
 - [Send IntelMQ events to Splunk](#send-intelmq-events-to-splunk)
-- [Git information](#git-information)
 - [Permission denied when using redis unix socket](#permission-denied-when-using-redis-unix-socket)
 - [Why is the time invalid?](#why-is-the-time-invalid)
 - [How can I improve the speed?](#how-can-i-improve-the-speed)

docs/Feeds.md

@@ -666,6 +666,7 @@ To add feeds to this file add them to `intelmq/etc/feeds.yaml` and then run
 * **Status:** on
 * **Revision:** 15-06-2018
 * **Description:** HTTP Websocket Stream from certstream.calidog.io providing data from Certificate Transparency Logs.
+* **Additional Information:** Be aware that this feed provides a lot of data and may overload your system quickly.
 
 ### Collector
 

docs/Release.md

@@ -17,6 +17,7 @@ General assumption: You are working on branch maintenance, the next version is a
  * Make sure the current state is really final ;)
    You can test most of the steps described here locally before doing it real.
  * Check the upgrade functions in `intelmq/lib/upgrades.py`.
+ * Close the milestone on github and move any open issues to the next one.
 
 ## Documentation
 

docs/User-Guide.md

@@ -12,6 +12,7 @@ For upgrade instructions, see [UPGRADING.md](UPGRADING.md).
     - [Miscellaneous](#miscellaneous)
 - [Pipeline Configuration](#pipeline-configuration)
 - [Runtime Configuration](#runtime-configuration)
+  - [Multithreading (Beta)](#multithreading-beta)
 - [Harmonization Configuration](#harmonization-configuration)
 - [Utilities](#utilities)
 - [Management](#management)
@@ -49,7 +50,7 @@ systemctl start redis.service
 
 ## /opt and LSB paths
 
-If you installed the packages, LSB paths are used instead of `/opt/intelmq`.
+If you installed the packages, standard Linux paths (LSB paths) are used: `/var/log/intelmq/`, `/etc/intelmq/`, `/var/lib/intelmq/`, `/var/run/intelmq/`.
 Otherwise, the configuration directory is `/opt/intelmq/etc/`.
 
 You can switch this by setting the environment variables `INTELMQ_PATHS_NO_OPT` and `INTELMQ_PATHS_OPT`, respectively.
@@ -58,15 +59,9 @@ You can switch this by setting the environment variables `INTELMQ_PATHS_NO_OPT`
 
 ## Overview
 
-All files are JSON. By
-default, the installation method puts its distributed configuration files into
-`etc/examples`, so it does not overwrite your local configuration. Prior to the
-first run, copy them to `etc`:
+All configuration files are in the JSON format.
+For new installations a default setup with some examples is provided by the `intelmqsetup` tool. If this is not the case, make sure the program was run (see installation instructions).
 
-```bash
-cd /opt/intelmq/etc
-cp -a examples/* .
-```
 
 * `defaults.conf`: default values for all bots and their behavior, e.g.
 error handling, log options and pipeline configuration. Will be removed in the [future](https://github.com/certtools/intelmq/issues/267).
@@ -79,7 +74,7 @@ To configure a new bot, you need to define and configure it in `runtime.conf` us
 Configure source and destination queues in `pipeline.conf`.
 Use the IntelMQ Manager mentioned above to generate the configuration files if unsure.
 
-In the shipped examples 4 collectors and parsers, 6 common experts and one output are configured. The default collector and the parser handle data from malware domain list, the file output bot writes all data to `/opt/intelmq/var/lib/bots/file-output/events.txt`.
+In the shipped examples 4 collectors and parsers, 6 common experts and one output are configured. The default collector and the parser handle data from malware domain list, the file output bot writes all data to `/opt/intelmq/var/lib/bots/file-output/events.txt`/`/var/lib/intelmq/bots/file-output/events.txt`.
 
 ## System Configuration (defaults)
 
@@ -89,7 +84,7 @@ Example:
 
 * `logging_handler`: Can be one of `"file"` or `"syslog"`.
 * `logging_level`: Defines the system-wide log level that will be use by all bots and the intelmqctl tool. Possible values are: `"CRITICAL"`, `"ERROR"`, `"WARNING"`, `"INFO"` and `"DEBUG"`.
-* `logging_path`: If `logging_handler` is `file`. Defines the system-wide log-folder that will be use by all bots and the intelmqctl tool. Default value: `/opt/intelmq/var/log/`
+* `logging_path`: If `logging_handler` is `file`. Defines the system-wide log-folder that will be use by all bots and the intelmqctl tool. Default value: `/opt/intelmq/var/log/`/`/opt/var/log/intelmq/`.
 * `logging_syslog`: If `logging_handler` is `syslog`. Either a list with hostname and UDP port of syslog service, e.g. `["localhost", 514]` or a device name/path, e.g. the default `"/var/log"`.
 
 We recommend `logging_level` `WARNING` for production environments and `INFO` if you want more details. In any case, watch your free disk space.
@@ -124,6 +119,7 @@ If the path `_on_error` exists for a bot, the message is also sent to this queue
 * **`load_balance`** - this option allows you to choose the behavior of the queue. Use the following values:
     * **`true`** - splits the messages into several queues without duplication
     * **`false`** - duplicates the messages into each queue
+    * When using AMQP as message broker, take a look at the [Multithreading](#multithreading-beta) section and the `instances_threads` parameter.
 
 * **`broker`** - select which broker intelmq can use. Use the following values:
     * **`redis`** - Redis allows some persistence but is not so fast as ZeroMQ (in development). But note that persistence has to be manually activated. See http://redis.io/topics/persistence
@@ -182,7 +178,7 @@ supervisor.rpcinterface_factory=supervisor_twiddler.rpcinterface:make_twiddler_r
 [group:intelmq]
 ```
 
-Change IntelMQ process manager in `/opt/intelmq/etc/defaults.conf`:
+Change IntelMQ process manager in the *defaults* configuration:
 
 ```
 "process_manager": "supervisor",
@@ -435,106 +431,37 @@ See the [IntelMQ Manager repository](https://github.com/certtools/intelmq-manage
 
 ### Command-line interface: intelmqctl
 
-**Syntax:**
+**Syntax** see `intelmqctl -h`
 
-```bash
-# su - intelmq
-$ intelmqctl -h
-usage: intelmqctl [-h] [-v] [--type {text,json}] [--quiet]
-                  {list,check,clear,log,run,help,start,stop,restart,reload,status,enable,disable}
-                  ...
+* Starting a bot: `intelmqctl start bot-id`
+* Stopping a bot: `intelmqctl stop bot-id`
+* Reloading a bot: `intelmqctl reload bot-id`
+* Restarting a bot: `intelmqctl restart bot-id`
+* Get status of a bot: `intelmqctl status bot-id`
 
-        description: intelmqctl is the tool to control intelmq system.
+* Run a bot directly for debugging purpose and temporarily leverage the logging level to DEBUG: `intelmqctl run bot-id`
+* Get a pdb (or ipdb if installed) live console. `intelmqctl run bot-id console`
+* See the message that waits in the input queue. `intelmqctl run bot-id message get`
+* See additional help for further explanation. `intelmqctl run bot-id --help`
 
-        Outputs are logged to /opt/intelmq/var/log/intelmqctl
+* Starting the botnet (all bots): `intelmqctl start`
+* Starting a group of bots: `intelmqctl start --group experts`
+
+* Get a list of all configured bots: `intelmqctl list bots`
+* Get a list of all queues: `intelmqctl list queues`
+  If -q is given, only queues with more than one item are listed.
+* Get a list of all queues and status of the bots: `intelmqctl list queues-and-status`
+
+* Clear a queue: `intelmqctl clear queue-id`
+* Get logs of a bot: `intelmqctl log bot-id number-of-lines log-level`
+  Reads the last lines from bot log.
+  Log level should be one of DEBUG, INFO, ERROR or CRITICAL.
+  Default is INFO. Number of lines defaults to 10, -1 gives all. Result
+  can be longer due to our logging format!
+
+* Upgrade from a previous version: `intelmqctl upgrade-config`
+  Make a backup of your configuration first, also including bot's configuration files.
 
-optional arguments:
-  -h, --help            show this help message and exit
-  -v, --version         show program's version number and exit
-  --type {text,json}, -t {text,json}
-                        choose if it should return regular text or other
-                        machine-readable
-  --quiet, -q           Quiet mode, useful for reloads initiated scripts like
-                        logrotate
-
-subcommands:
-  {list,check,clear,log,run,help,start,stop,restart,reload,status,enable,disable}
-    list                Listing bots or queues
-    check               Check installation and configuration
-    clear               Clear a queue
-    log                 Get last log lines of a bot
-    run                 Run a bot interactively
-    check               Check installation and configuration
-    help                Show the help
-    start               Start a bot or botnet
-    stop                Stop a bot or botnet
-    restart             Restart a bot or botnet
-    reload              Reload a bot or botnet
-    status              Status of a bot or botnet
-    enable              Enable a bot
-    disable             Disable a bot
-
-        intelmqctl [start|stop|restart|status|reload] --group [collectors|parsers|experts|outputs]
-        intelmqctl [start|stop|restart|status|reload] bot-id
-        intelmqctl [start|stop|restart|status|reload]
-        intelmqctl list [bots|queues|queues-and-status]
-        intelmqctl log bot-id [number-of-lines [log-level]]
-        intelmqctl run bot-id message [get|pop|send]
-        intelmqctl run bot-id process [--msg|--dryrun]
-        intelmqctl run bot-id console
-        intelmqctl clear queue-id
-        intelmqctl check
-
-Starting a bot:
-    intelmqctl start bot-id
-Stopping a bot:
-    intelmqctl stop bot-id
-Reloading a bot:
-    intelmqctl reload bot-id
-Restarting a bot:
-    intelmqctl restart bot-id
-Get status of a bot:
-    intelmqctl status bot-id
-
-Run a bot directly for debugging purpose and temporarily leverage the logging level to DEBUG:
-    intelmqctl run bot-id
-Get a pdb (or ipdb if installed) live console.
-    intelmqctl run bot-id console
-See the message that waits in the input queue.
-    intelmqctl run bot-id message get
-See additional help for further explanation.
-    intelmqctl run bot-id --help
-
-Starting the botnet (all bots):
-    intelmqctl start
-    etc.
-
-Starting a group of bots:
-    intelmqctl start --group experts
-    etc.
-
-Get a list of all configured bots:
-    intelmqctl list bots
-
-Get a list of all queues:
-    intelmqctl list queues
-If -q is given, only queues with more than one item are listed.
-
-Get a list of all queues and status of the bots:
-    intelmqctl list queues-and-status
-
-Clear a queue:
-    intelmqctl clear queue-id
-
-Get logs of a bot:
-    intelmqctl log bot-id number-of-lines log-level
-Reads the last lines from bot log.
-Log level should be one of DEBUG, INFO, ERROR or CRITICAL.
-Default is INFO. Number of lines defaults to 10, -1 gives all. Result
-can be longer due to our logging format!
-
-Outputs are additionally logged to /opt/intelmq/var/log/intelmqctl
-```
 
 #### Botnet Concept
 
@@ -617,7 +544,7 @@ redis-cli FLUSHALL
 
 ### Tool: intelmqdump
 
-When bots are failing due to bad input data or programming errors, they can dump the problematic message to a file along with a traceback, if configured accordingly. These dumps are saved at `/opt/intelmq/var/log/[botid].dump` as JSON files. IntelMQ comes with an inspection and reinjection tool, called `intelmqdump`. It is an interactive tool to show all dumped files and the number of dumps per file. Choose a file by bot-id or listed numeric id. You can then choose to delete single entries from the file with `e 1,3,4`, show a message in more readable format with `s 1` (prints the raw-message, can be long!), recover some messages and put them back in the pipeline for the bot by `a` or `r 0,4,5`. Or delete the file with all dumped messages using `d`.
+When bots are failing due to bad input data or programming errors, they can dump the problematic message to a file along with a traceback, if configured accordingly. These dumps are saved at in the logging directory as `[botid].dump` as JSON files. IntelMQ comes with an inspection and reinjection tool, called `intelmqdump`. It is an interactive tool to show all dumped files and the number of dumps per file. Choose a file by bot-id or listed numeric id. You can then choose to delete single entries from the file with `e 1,3,4`, show a message in more readable format with `s 1` (prints the raw-message, can be long!), recover some messages and put them back in the pipeline for the bot by `a` or `r 0,4,5`. Or delete the file with all dumped messages using `d`.
 
 ```bash
  $ intelmqdump -h
@@ -690,10 +617,11 @@ Bots and the intelmqdump tool use file locks to prevent writing to already opene
 
 ## Monitoring Logs
 
-All bots and `intelmqctl` log to `/opt/intelmq/var/log/`. In case of failures, messages are dumped to the same directory with the file ending `.dump`.
+All bots and `intelmqctl` log to `/opt/intelmq/var/log/`/`var/log/intelmq/` (depending on your installation). In case of failures, messages are dumped to the same directory with the file ending `.dump`.
 
 ```bash
 tail -f /opt/intelmq/var/log/*.log
+tail -f /var/log/intelmq/*.log
 ```
 
 # Uninstall

intelmq/__init__.py

@@ -26,4 +26,5 @@
     VAR_RUN_PATH = os.path.join(ROOT_DIR, "var/run/")
     VAR_STATE_PATH = os.path.join(ROOT_DIR, "var/lib/bots/")
 
-STATE_FILE_PATH = os.path.join(VAR_STATE_PATH, '../state.json')
+STATE_FILE_PATH = path = os.path.abspath(os.path.join(VAR_STATE_PATH,
+                                                      '../state.json'))