
Missing user and group information

Open dcarolloz opened this issue 2 years ago • 1 comments

Indicate project: libsysflow

Describe the bug: User and group information are sometimes missing

To reproduce Steps to reproduce the behavior:

  1. Build and run sf-collector example
  2. Add a user using adduser <newuser>
  3. Log in with the newly created user using login <newuser>

Expected behavior: User and group information should be reported

Environment:

  • OS: Ubuntu 20.04.4 LTS
  • kernel: 5.4.0-128-generic
  • SysFlow version: v0.5.1 (from master branch)
  • Configurations: eBPF driver

sf-collector example log

****************************************************************
Header: Exporter , IP , File name 
Process: PID 20167 Creation Time, 1688468012688656227, Exe /usr/bin/login, Exe Args testuser, User Name root, Group Name root, TTY 1
Proc Evt: TID 20167, OpFlags 1, Ret 20283
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 20283 Creation Time, 1688468015747803925, Exe /usr/bin/login, Exe Args         , User Name root, Group Name <NA>, TTY 1
Proc Evt: TID 20283, OpFlags 1, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 20283 Creation Time, 1688468015747803925, Exe /usr/bin/login, Exe Args         , User Name root, Group Name <NA>, TTY 1
File: Type 102, Path /var/run/utmp
File Flow: TID 20283, OpFlags: 1152, OpenFlags 4099, FD 5
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 20283 Creation Time, 1688468015747803925, Exe /usr/bin/login, Exe Args         , User Name root, Group Name <NA>, TTY 1
File: Type 102, Path /var/run/utmp
File Flow: TID 20283, OpFlags: 1920, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 20283 Creation Time, 1688468015747803925, Exe /usr/bin/login, Exe Args         , User Name <NA>, Group Name <NA>, TTY 1
Proc Evt: TID 20283, OpFlags 8, Ret 0
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 745 Creation Time, 1688467999761823267, Exe /usr/lib/systemd/systemd-logind, Exe Args , User Name root, Group Name root, TTY 0
File: Type 102, Path /var/run/utmp
File Flow: TID 745, OpFlags: 1408, OpenFlags 4097, FD 22
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 20283 Creation Time, 1688468015747803925, Exe /usr/bin/login, Exe Args         , User Name <NA>, Group Name <NA>, TTY 1
File: Type 102, Path /etc/passwd
File Flow: TID 20283, OpFlags: 1408, OpenFlags 4097, FD 4
****************************************************************
****************************************************************
Header: Exporter , IP , File name 
Process: PID 20283 Creation Time, 1688468015747803925, Exe /bin/bash, Exe Args , User Name <NA>, Group Name <NA>, TTY 1
Proc Evt: TID 20283, OpFlags 2, Ret 0
****************************************************************

dcarolloz, Jul 04 '23 13:07

This still happens with libsysflow 0.6.3. It happens only when a new user is created after the sf-collector example is already running. If the collector is restarted, the new user is reported correctly.

gentooise, Apr 24 '24 08:04
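Records that arrive without a user or group name cannot be tied to an account downstream, so it helps to measure how many are affected. The following is an added example, not code from the issue or from the SysFlow project: it parses the "Process:" lines in the format shown in the log above and groups the records that carry `<NA>` by PID and creation time. The function names are hypothetical and the sample is four lines copied from that log.

```python
import re

# Field layout of a "Process:" line as printed in the log above.
PROCESS_RE = re.compile(
    r"Process: PID (?P<pid>\d+) Creation Time, (?P<ctime>\d+), "
    r"Exe (?P<exe>.*?), Exe Args (?P<args>.*?), "
    r"User Name (?P<user>.*?), Group Name (?P<group>.*?), TTY (?P<tty>\d+)"
)
MISSING = "<NA>"  # value the log shows where a user or group name is absent

# Four "Process:" lines copied from the issue's log (other lines omitted).
SAMPLE = """\
Process: PID 20167 Creation Time, 1688468012688656227, Exe /usr/bin/login, Exe Args testuser, User Name root, Group Name root, TTY 1
Process: PID 20283 Creation Time, 1688468015747803925, Exe /usr/bin/login, Exe Args         , User Name root, Group Name <NA>, TTY 1
Process: PID 20283 Creation Time, 1688468015747803925, Exe /usr/bin/login, Exe Args         , User Name <NA>, Group Name <NA>, TTY 1
Process: PID 20283 Creation Time, 1688468015747803925, Exe /bin/bash, Exe Args , User Name <NA>, Group Name <NA>, TTY 1
"""

def parse_process_lines(text):
    """Yield one dict of stripped fields per 'Process:' line."""
    for line in text.splitlines():
        m = PROCESS_RE.search(line)
        if m:
            yield {k: v.strip() for k, v in m.groupdict().items()}

def attribution_gaps(text):
    """Group records lacking a user or group name by (PID, creation time)."""
    gaps = {}
    for rec in parse_process_lines(text):
        missing = {f for f in ("user", "group") if rec[f] == MISSING}
        if not missing:
            continue
        key = (int(rec["pid"]), int(rec["ctime"]))
        entry = gaps.setdefault(key, {"records": 0, "missing": set(), "exes": []})
        entry["records"] += 1
        entry["missing"] |= missing
        if rec["exe"] not in entry["exes"]:
            entry["exes"].append(rec["exe"])
    return gaps

if __name__ == "__main__":
    for (pid, ctime), gap in attribution_gaps(SAMPLE).items():
        print(f"PID {pid} (created {ctime}): {gap['records']} record(s) "
              f"missing {sorted(gap['missing'])}, exes {gap['exes']}")
```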