Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
d
defensivedepth
08/06/2020, 4:30 PMFleet 2.6.0 / Osquery 4.4.0 on W10 with Launcher v0.11.11
I have a scheduled query for
windows_eventscaller=level.go:63 level=info caller=extension.go:494 err="sending string logs: writing logs: transport error sending logs: rpc error: code = Internal desc = grpc: error while marshaling: proto: field \"kolide.agent.LogCollection.Log.Data\" contains invalid UTF-8"z
zwass
08/06/2020, 4:32 PM@seph is this the same UTF8 bug we've seen occasionally over quite some time?
IIRC it seemed to be that osquery outputs invalid UTF8
d
defensivedepth
08/06/2020, 4:33 PMI wasnt sure if this error was related to not getting windows_events logs or something else...
z
zwass
08/06/2020, 4:36 PMI think it could definitely be related to that
s
seph
08/06/2020, 5:17 PMThere are handful of utf8 issues in this ecosystem. Osquery sometimes screws up the encoding. This may be a rocksdb issue. There is some info about it at https://github.com/kolide/launcher/pull/481 some more at https://github.com/osquery/osquery/issues/5288
There is also another chunk of windows string encoding issues. The windows sstring functions have been slowly getting reworked.
I haven’t looked at this in awhile though
d
defensivedepth
08/06/2020, 5:23 PMLooks like a major pr related to this was merged a couple weeks ago: https://github.com/osquery/osquery/pull/6338
And this issue looks like what I am running into: https://github.com/kolide/launcher/issues/445
s
seph
08/06/2020, 5:25 PMYeah, that’s the windows rework I alluded to. (thanks for finding the PR)
👍 1
We never really came to a good solution for how to handle bad utf8 that osquery emits
d
defensivedepth
08/06/2020, 5:28 PMSo that windows rework should make it more unlikely that osquery would emit bad utf8, but not impossible. And when it does, errors like this will show up and the scheduled query will be blocked until the offending log is removed from rocks... Is that accurate?
s
seph
08/06/2020, 5:30 PMProbably. I haven’t thought about this in awhile, but that sounds right.
I think either:
* status quo
* launcher reworks the logs
* launcher drops the logs
* server (fleet in this case) accepts them
* server drops them
Pretty sure the SaaS side accepts them.
Less sure what the right approach here is. I’d review/accept a PR to launcher to drop a log on marshalling error. Or attempt to repair it.
Not sure how trivial that logic would be. Repair is easy, but the conditional on potential failure seems harder.
d
defensivedepth
08/06/2020, 5:33 PMFrom an ops side, I would rather see the server (fleet) accept it, and then let me fix it within the parsing pipeline
s
seph
08/06/2020, 5:34 PMFeel free to comment in any of the linked kolide github issues. this is unlikely to bubble up my list, but the comments would be noted
d
defensivedepth
08/06/2020, 5:34 PMWill do
s
seph
08/06/2020, 5:34 PMmy guess is having fleet pass it along unmodified is relatively hard. (a bunch of the plumbing there is typed)_
d
defensivedepth
08/06/2020, 5:35 PMhmmmmm
s
seph
08/06/2020, 5:35 PMNot sure though. I don’t work much on fleet
d
defensivedepth
08/06/2020, 5:36 PM@zwass thoughts?
z
zwass
08/06/2020, 7:18 PMI don't think the logs ever hit Fleet. It's an issue with gRPC encoding on the client side. See my comment https://github.com/kolide/launcher/issues/445#issuecomment-601867302
s
seph
08/06/2020, 7:19 PMQuestion is what we should do. Launcher could attempt to repair, but we were dicy about that too
z
zwass
08/06/2020, 7:19 PMOh
Drop the offending character IMO
Unless someone has a strategy for repairing it.
s
seph
08/06/2020, 7:20 PMz
zwass
08/06/2020, 7:21 PMHeh I voted against it
s
seph
08/06/2020, 7:22 PMI know 😛
z
zwass
08/06/2020, 7:22 PMI don't think I realized in that context that it prevents logs from sending entirely via Launcher
s
seph
08/06/2020, 7:22 PMWe might not have realized it at the time.
Anyhow, tht’s the code Nick wrote for herd. (extracted and dropped into launcher)
z
zwass
08/06/2020, 7:22 PMGiven that information, I'd say go with this strategy but only for logs that fail send the first time with this error.
s
seph
08/06/2020, 7:23 PMWant to comment? Using that error handling seems possible, but I’m not sure how yet, Haven’t read the code with that in mind
(comment and re-opened)
z
zwass
08/06/2020, 7:26 PMDo you prefer my comment on this issue or PR?
s
seph
08/06/2020, 7:26 PMProbably not needed. I think I captured this sentiment in the PR commnt. If you have anything additional feel free to add it
z
zwass
08/06/2020, 7:27 PMLooks good. Thank you
Sounds like https://github.com/kolide/launcher/issues/445#issuecomment-619912206 is not actually the case then?
s
seph
08/06/2020, 7:28 PMUnclear. There are probably multiple places that cause this
d
defensivedepth
08/06/2020, 8:26 PMSo a temp fix is to clear rocks and restart launcher?