Using ruby to set event fields in filter.conf:
# Ruby filter: sets the two forwarding-target fields (lcp1, lcp2) on the event
# according to the range its buildingnumber falls in. The author abridged the
# snippet ("..."), so the remaining ranges and the end of the case statement
# are not shown.
# In the branch shown, the targets are literal strings from this config, not
# values copied out of the received message.
# NOTE(review): Integer() raises when buildingnumber is missing or is not a
# plain number. If that field is parsed from received syslog text, wrap this
# filter in a conditional that checks the field first. How an exception raised
# here is handled depends on the ruby filter plugin version; confirm.
ruby {
code => "
case Integer(event['buildingnumber']);
when 1..50, 250..300, 500..550, 750..800;
event['lcp1'] = '(FQDN removed)';
event['lcp2'] = '(FQDN removed)';
..." }
Then, attempting to forward the message to the correct monitoring server in output.conf:
# Forward the original message text to both monitoring servers, but only for
# events on which the filter stage set both target fields.
# NOTE(review): host is written as a sprintf field reference. The strace output
# in this report shows DNS queries for the literal text '%{lcp1}', so this udp
# output (logstash-output-udp 2.0.4 per the stack trace) does not appear to
# interpolate event fields in host. A layout that needs no interpolation is one
# udp block per destination with a literal host, each selected by a conditional.
# Literal hosts also guarantee that event data can never choose the network
# destination.
if [lcp1] and [lcp2] {
udp {
host => "%{lcp1}"
# UDP port 514: unauthenticated, unencrypted, and delivery is not confirmed
port => 514
# emit only the event's message field as the datagram payload
codec => plain { format => "%{message}" }
}
udp {
host => "%{lcp2}"
port => 514
codec => plain { format => "%{message}" }
}
}
The LCP fields (lcp1, lcp2) are set on the event as expected, but Logstash crashes immediately:
SocketError: send: name or service not known
send at org/jruby/ext/socket/RubyUDPSocket.java:315
register at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-udp-2.0.4/lib/logstash/outputs/udp.rb:24
call at org/jruby/RubyProc.java:281
encode at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-codec-plain-2.0.4/lib/logstash/codecs/plain.rb:41
receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-udp-2.0.4/lib/logstash/outputs/udp.rb:31
multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/outputs/base.rb:83
each at org/jruby/RubyArray.java:1613
multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/outputs/base.rb:83
worker_multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/output_delegator.rb:130
multi_receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/output_delegator.rb:114
output_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:301
each at org/jruby/RubyHash.java:1342
output_batch at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:301
worker_loop at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:232
start_workers at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.2-java/lib/logstash/pipeline.rb:201
Relevant strace info (FQDN replaced with 'domain' and some duplicates removed due to post length limit):
22466 recvfrom(14, "<13> P0222738 05/16/2016 11:43:3"..., 8192, 0, {sa_family=AF_INET6, sin6_port=htons(46032), inet_pton(AF_INET6, "::ffff:10.16.214.10", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]$
22459 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0x7f3187167780} ---
22470 socket(PF_NETLINK, SOCK_RAW, 0) = 27
22470 bind(27, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
22470 getsockname(27, {sa_family=AF_NETLINK, pid=22432, groups=00000000}, [12]) = 0
22470 sendto(27, "\24\0\0\0\26\0\1\3\272\3709W\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
22470 recvmsg(27, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0\272\3709W\240W\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_fl$
22470 recvmsg(27, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0\272\3709W\240W\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_fla$
22470 recvmsg(27, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0\272\3709W\240W\0\0\0\0\0\0", 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
22470 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 27
22470 connect(27, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
22470 socket(PF_INET, SOCK_DGRAM|SOCK_NONBLOCK, IPPROTO_IP) = 27
22470 connect(27, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.1.82.144")}, 16) = 0
22470 sendto(27, "\274w\1\0\0\1\0\0\0\0\0\0\7%{lcp1}\tdomain\3c"..., 39, MSG_NOSIGNAL, NULL, 0) = 39
22470 sendto(27, "@\361\1\0\0\1\0\0\0\0\0\0\7%{lcp1}\tdomain\3c"..., 39, MSG_NOSIGNAL, NULL, 0) = 39
22470 recvfrom(27, "\274w\205\203\0\1\0\0\0\1\0\0\7%{lcp1}\tdomain\3c"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.1.82.144")}, [16]) = 121
22470 recvfrom(27, "@\361\205\203\0\1\0\0\0\1\0\0\7%{lcp1}\tdomain\3c"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("10.1.82.144")}, [16]) = 121
The top part shows a number of received syslog messages. The DNS queries that follow contain the literal string '%{lcp1}', so it appears that the UDP output plugin is not evaluating the %{lcp1} field reference and is instead trying to resolve '%{lcp1}.domain.net'.
Should I file this as a bug?