syslog.cpp:251 (Received fewer fields than expected in line)
Bug report
What operating system and version are you using?
Different Linux OS platforms and versions: Ubuntu (22.04.3 LTS, 22.04.04 LTS, 20.04.4 LTS) and RHEL (Red Hat Enterprise Linux release 8.6, 8.8, 8.9, 8.10)
What version of osquery are you using?
5.12.1
What steps did you take to reproduce the issue?
Have configured syslog event forwarding to the osquery syslog_pipe using rsyslog. One of the main log sources for syslog is Sysmon for Linux.
What did you expect to see?
No errors with syslog event collection
What did you see instead?
Errors indicating that some of the events were not processed correctly from syslog_pipe by osquery:
E0725 10:40:16.960112 1217948 syslog.cpp:251] Received fewer fields than expected in line: d"">{00000000-0000-0000-0000-000000000000}</Data><Data Name=""ParentProcessId"">137095</Data><Data Name=""ParentImage"">-</Data><Data Name=""ParentCommandLine"">-</Data><Data Name=""ParentUser"">-</Data></EventData></Event>"
E0725 10:40:23.173416 1217948 syslog.cpp:251] Received fewer fields than expected in line: d"">{00000000-0000-0000-0000-000000000000}</Data><Data Name=""ParentProcessId"">3630</Data><Data Name=""ParentImage"">-</Data><Data Name=""ParentCommandLine"">-</Data><Data Name=""ParentUser"">-</Data></EventData></Event>"
At the same time, most Sysmon events are processed correctly. We could not find a difference in syslog_pipe between the events that were processed correctly and those that were not.
An example of a Sysmon event causing the error, as seen in syslog_pipe:
"2024-07-25T11:03:53.915671-04:00","kube13","6","user","sysmon:"," <Event><System><Provider Name=""Linux-Sysmon"" Guid=""{ff032593-a8d3-4f13-b0d6-01fc615a0f97}""/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime=""2024-07-25T15:03:53.915449000Z""/><EventRecordID>696976</EventRecordID><Correlation/><Execution ProcessID=""3956356"" ThreadID=""3956356""/><Channel>Linux-Sysmon/Operational</Channel><Computer>kube13</Computer><Security UserId=""0""/></System><EventData><Data Name=""RuleName"">-</Data><Data Name=""UtcTime"">2024-07-25 15:03:47.971</Data><Data Name=""ProcessGuid"">{f4ec185a-6953-66a2-a57f-7f0000000000}</Data><Data Name=""ProcessId"">1236091</Data><Data Name=""Image"">/usr/sbin/runc</Data><Data Name=""FileVersion"">-</Data><Data Name=""Description"">-</Data><Data Name=""Product"">-</Data><Data Name=""Company"">-</Data><Data Name=""OriginalFileName"">-</Data><Data Name=""CommandLine"">runc --root /run/containerd/runc/k8s.io --log /run/containerd/io.containerd.runtime.v2.task/k8s.io/0e5118708f10afe5830067bd7ac23726194d53583dd76058c63d34b99576f429/log.json --log-format json --systemd-cgroup exec --process /tmp/runc-process121168380 --detach --pid-file /run/containerd/io.containerd.runtime.v2.task/k8s.io/0e5118708f10afe5830067bd7ac23726194d53583dd76058c63d34b99576f429/341459b98e6f0fb6dedf855e9406883620462b5afe587723ba5e30cbf25dbc15.pid 0e5118708f10afe5830067bd7ac23726194d53583dd76058c63d34b99576f429</Data><Data Name=""CurrentDirectory"">/run/containerd/io.containerd.runtime.v2.task/k8s.io/409e248a1d42826571e5a4c7bb6fae69fb8a3ba70439d554f61417c3ead53ef4</Data><Data Name=""User"">root</Data><Data Name=""LogonGuid"">{f4ec185a-0000-0000-0000-000000000000}</Data><Data Name=""LogonId"">0</Data><Data Name=""TerminalSessionId"">4294967295</Data><Data Name=""IntegrityLevel"">no level</Data><Data Name=""Hashes"">SHA256=75411d68af7acf493163a6caab185fe41bf5bf927248c0f032a0627deadd2213</Data><Data Name=""ParentProcessGuid"">{00000000-0000-0000-0000-000000000000}</Data><Data Name=""ParentProcessId"">10410</Data><Data Name=""ParentImage"">-</Data><Data Name=""ParentCommandLine"">-</Data><Data Name=""ParentUser"">-</Data></EventData></Event>"
When we filtered out events like the one mentioned above at the Sysmon level, osquery stopped showing errors during syslog event processing.
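A small triage script for the syslog_pipe line format shown above, added here as an example and not osquery's or rsyslog's own code: it parses lines with the same quoting as the example (every field in double quotes, embedded quotes doubled), checks for the six fields of the example line (time, host, severity, facility, tag, message) and separates tails of split records, like the `d"">{0000...` fragment in the error, from records that merely lack trailing fields. The sample lines are constructed to mirror the report, not copied from it.

```python
import csv

# Field layout of the syslog_pipe CSV lines, as in the example record above:
# time, host, severity, facility, tag, message (six fields).
FIELD_NAMES = ("time", "host", "severity", "facility", "tag", "message")

# Constructed sample lines (not from the report): a complete Sysmon record,
# the tail of a record that was split before it reached the pipe, and a
# record that starts correctly but is missing its trailing fields.
SAMPLE_LINES = [
    '"2024-07-25T11:03:53.915671-04:00","kube13","6","user","sysmon:",'
    '" <Event><System><Provider Name=""Linux-Sysmon""/><EventID>1</EventID>'
    '</System><EventData><Data Name=""ParentProcessId"">10410</Data>'
    '</EventData></Event>"',
    'd"">{00000000-0000-0000-0000-000000000000}</Data>'
    '<Data Name=""ParentProcessId"">137095</Data></EventData></Event>"',
    '"2024-07-25T11:03:54.000000-04:00","kube13","6","user"',
]


def parse_pipe_line(line):
    """Split one pipe line into fields using the example's quoting rules
    (fields wrapped in double quotes, a literal quote written as "")."""
    return next(csv.reader([line], quotechar='"', doublequote=True), [])


def classify_line(line):
    """Return ('ok', fields) for a complete record, ('fragment', text) for a
    line that cannot be the start of a record, or ('short', n) when the
    record starts correctly but carries fewer than six fields."""
    if not line.startswith('"'):
        # Every complete record starts with a quoted timestamp; anything
        # else is the continuation of a message cut across writes.
        return ("fragment", line[:32])
    fields = parse_pipe_line(line)
    if len(fields) < len(FIELD_NAMES):
        return ("short", len(fields))
    return ("ok", dict(zip(FIELD_NAMES, fields)))


def summarize(lines):
    """Count lines per class so a noisy pipe can be triaged at a glance."""
    counts = {"ok": 0, "fragment": 0, "short": 0}
    for line in lines:
        counts[classify_line(line)[0]] += 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify_line(sample)[0])
    print(summarize(SAMPLE_LINES))
```

A high fragment count with no short records points at the message being cut between writes to the pipe rather than at missing fields in the rsyslog template.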