Merge pull request #373 from Security-Onion-Solutions/jertel/det

error logging improvements
Security-Onion-Solutions · Mar 8, 2024 · 5fcb1c1 · 5fcb1c1
2 parents f438394 + 869486d
commit 5fcb1c1
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 0 deletions.
diff --git a/agent/modules/stenoquery/stenoquery.go b/agent/modules/stenoquery/stenoquery.go
@@ -102,6 +102,12 @@ func (steno *StenoQuery) ProcessJob(job *model.Job, reader io.ReadCloser) (io.Re
 			"importId": job.Filter.ImportId,
 		}).Debug("Skipping steno processor due to presence of importId")
 		return reader, nil
+	} else if reader != nil {
+		log.WithFields(log.Fields{
+			"jobId": job.Id,
+			"kind":  job.GetKind(),
+		}).Debug("Skipping steno processor due to another processor already provided PCAP data")
+		return reader, nil
 	} else if job.Filter == nil || job.Filter.EndTime.Before(steno.GetDataEpoch()) || job.Filter.BeginTime.After(steno.getDataLagDate()) {
 		log.WithFields(log.Fields{
 			"jobId":                  job.Id,
@@ -136,6 +142,17 @@ func (steno *StenoQuery) ProcessJob(job *model.Job, reader io.ReadCloser) (io.Re
 			var file *os.File
 			file, err = os.Open(pcapFilepath)
 			if err == nil {
+				info, err := os.Stat(pcapFilepath)
+				if err != nil {
+					log.WithError(err).WithFields(log.Fields {
+						"pcapPath": pcapFilepath,
+					}).Error("Failed to collect output file stats")
+				} else {
+					log.WithFields(log.Fields {
+						"pcapPath": pcapFilepath,
+						"pcapBytes": info.Size(),
+					}).Debug("Found matching packets")	
+				}
 				reader = file
 			}
 		}

diff --git a/agent/modules/suriquery/suriquery.go b/agent/modules/suriquery/suriquery.go
@@ -103,6 +103,12 @@ func (suri *SuriQuery) ProcessJob(job *model.Job, reader io.ReadCloser) (io.Read
 			"importId": job.Filter.ImportId,
 		}).Debug("Skipping suri processor due to presence of importId")
 		return reader, nil
+	} else if reader != nil {
+		log.WithFields(log.Fields{
+			"jobId": job.Id,
+			"kind":  job.GetKind(),
+		}).Debug("Skipping suricata processor due to another processor already provided PCAP data")
+		return reader, nil
 	} else if job.Filter == nil || job.Filter.EndTime.Before(suri.GetDataEpoch()) || job.Filter.BeginTime.After(suri.getDataLagDate()) {
 		log.WithFields(log.Fields{
 			"jobId":                  job.Id,
@@ -179,6 +185,10 @@ func (suri *SuriQuery) streamPacketsInPcaps(paths []string, filter *model.Filter
 			log.WithError(perr).WithField("pcapPath", decompressedPath).Error("Failed to parse PCAP file")
 		}
 		if packets != nil && len(packets) > 0 {
+			log.WithFields(log.Fields {
+				"pcapPath": decompressedPath,
+				"packetCount": len(packets),
+			}).Debug("found matching packets")
 			allPackets = append(allPackets, packets...)
 		}
 
@@ -220,6 +230,10 @@ func (suri *SuriQuery) getPcapCreateTime(filepath string) (time.Time, error) {
 func (suri *SuriQuery) findFilesInTimeRange(start time.Time, stop time.Time) []string {
 	eligibleFiles := make([]string, 0, 0)
 	err := filepath.Walk(suri.pcapInputPath, func(filepath string, fileinfo os.FileInfo, err error) error {
+		if err != nil {
+			return nil
+		}
+
 		if fileinfo.IsDir() {
 			return nil
 		}