
[Request] Add Verbose Dev-Logging #198

Open
import-pandas-as-numpy opened this issue Nov 29, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@import-pandas-as-numpy

import-pandas-as-numpy commented Nov 29, 2024

I have a bug to report in Chainsaw, however it is transient and difficult to reproduce, often manifesting when parsing ~5GB+ event logs (which means testing data is also difficult to supply).

I would appreciate a way to gain insight into where this may be hanging so I can raise a more comprehensive bug report, as at the moment I can simply state that large event logs cause Chainsaw to occasionally simply not continue parsing.

@reece394
Contributor

I can confirm I have been seeing similar issues but it happens randomly. I found that reducing the number of rules that are put into memory helps reduce this though, particularly slimming down the Sigma rules folder to just Windows rules.

@alexkornitzer
Collaborator

That is very reasonable, I'll try and action that this weekend.

I assume from the comments it's hanging and not crashing?

@alexkornitzer alexkornitzer added the enhancement New feature or request label Dec 2, 2024
@reece394
Contributor

reece394 commented Dec 2, 2024

Yeah it gets to a certain point and just hangs. Sometimes rerunning it gets it to complete the second time with no issues, which makes it more annoying to troubleshoot.

I will put this in here as well just in case. I have noticed that if you run an EDR product/antivirus sometimes it reads the rules in memory and likely treats the behaviour as malicious, and that can cause a hang. When I whitelisted the binary it reduced it but did not completely eliminate the problem, so it seems multifaceted.

@alexkornitzer
Collaborator

Ta for the extra info, I'll wire Chainsaw up with `-v` so that when it happens again we can get some better output. I'll litter debug prints where I think they are needed and we can refine as required.

alexkornitzer added a commit that referenced this issue Dec 22, 2024
Chainsaw now supports the ability to handle `-v` and `-vv` where the
former will print debug messages where set and the latter will print
trace messages where set. The current use of debug and trace is not
exhaustive as it's mainly geared to track down the linked issue, and I am
being a bit lazy.
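As an added illustration of the `-v` / `-vv` scheme the commit message describes (this is not Chainsaw's own code; `Level`, `count_verbosity`, `level_for` and `Logger` are hypothetical names), the block below counts repeated `-v` flags, maps the count to a log level, and filters messages so that debug output appears at `-v` and trace output only at `-vv`:

```rust
// Hypothetical verbosity handling, not Chainsaw's implementation.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Level {
    Info = 0,
    Debug = 1,
    Trace = 2,
}

/// Count `-v` occurrences: `-v`, `-vv`, `-v -v` and `-vvv` all add up.
/// Long options (`--something`) and other arguments are ignored.
pub fn count_verbosity(args: &[&str]) -> u8 {
    args.iter()
        .filter(|a| a.starts_with('-') && !a.starts_with("--"))
        .map(|a| a[1..].chars().filter(|c| *c == 'v').count() as u8)
        .sum()
}

/// 0 -> Info, 1 (`-v`) -> Debug, 2 or more (`-vv`) -> Trace.
pub fn level_for(verbosity: u8) -> Level {
    match verbosity {
        0 => Level::Info,
        1 => Level::Debug,
        _ => Level::Trace,
    }
}

pub struct Logger {
    max: Level,
}

impl Logger {
    pub fn new(max: Level) -> Self {
        Logger { max }
    }
    /// A message is emitted only when its level is at or below the configured one.
    pub fn enabled(&self, level: Level) -> bool {
        level <= self.max
    }
    /// Returns the emitted line so callers (and tests) can inspect it.
    pub fn log(&self, level: Level, msg: &str) -> Option<String> {
        if !self.enabled(level) {
            return None;
        }
        let line = format!("[{:?}] {}", level, msg);
        eprintln!("{}", line);
        Some(line)
    }
}

fn main() {
    // Constructed command line standing in for a real invocation.
    let args = ["hunt", "-vv", "--sigma", "rules/"];
    let logger = Logger::new(level_for(count_verbosity(&args)));
    logger.log(Level::Debug, "loaded sigma rules");
    logger.log(Level::Trace, "parsing next evtx chunk");
}
```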
@alexkornitzer
Collaborator

Finally got around to adding in logging which I hope will allow us to get to the bottom of the above. If you manage to replicate, please try with `-v` or `-vv`; if we can't work it out with that I will add more logging in. Sorry for the delay.
