
Every firewall event is being cloned

Bryan Rapp
Bryan Rapp Posts: 7

I'm trying to figure out why every event from my pfsense firewall is being cloned as it passes through the pipeline. When I look at Preview Full from the Pipeline, I see the first event in my sample data file being processed as desired through the pipeline, then the second event is an unprocessed clone of the first. The third event is processed correctly by the pipeline, and the fourth event is an unprocessed clone, etc. When enabling the Advanced Setting to Show Internal Fields, I see a field called "__cloneCount". The value of this field in the correctly processed events is, "__cloneCount: 0", and the value for the unprocessed, cloned events is, "__cloneCount: 1".

I've tried adding a Drop function to the end of the pipeline to drop events where, "__cloneCount == 1", but this has no effect. I've also tried to use Chain to call another pipeline to Drop the clone events, but this also has no effect. I thought about adding a post-processing pipeline to the destination, but I'm sending to DevNull and it looks like you can't do post-processing pipelines here.

I'm pretty stuck and I can't find a lot of documentation on the __cloneCount internal field. Any pointers are appreciated.


Best Answer

  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod
    Answer ✓

    @Bryan Rapp thanks for sharing your routes and pipelines with me. Here's what's going on… Because your Pfsense route is configured as final=false, the matching events are sent through the configured pipeline and to the destination, but they also continue down the route list looking for additional matches.

    Because there are no additional matches, what you're seeing is "cloned" events hitting the default route at the bottom of the route table.

    I'd recommend you enable the "final" flag on the Pfsense route so you don't see these duplicate events.

    Alternately, you could add an explicit "default" route with a devnull destination in your route table as the last entry if you wanted.

    Some recommended reading: https://docs.cribl.io/stream/routes#the-final-toggle

    This is what the Cribl default route entry looks like in my lab as an example. I also have an explicit "default" route added (entry #6).
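    Added example for this thread (not Cribl's code, and not from either poster): a simplified model of route-table evaluation that reproduces the behaviour described above. Route names, the `pfsense_parse`/`passthru` pipeline names and the sample event are constructed; the model shows the non-final Pfsense match producing a second delivery with `__cloneCount: 1` via the default route, why a Drop inside the Pfsense pipeline never sees that clone, and that setting Final on the route leaves a single delivery.

```javascript
// Simplified model of Cribl Stream route evaluation, written for this thread.
// It is NOT Cribl's implementation; names and the event are constructed.

// Route table mirroring the thread: a Pfsense route with final=false,
// followed by the catch-all default route.
function makeRouteTable() {
  return [
    { name: 'Pfsense', filter: e => e.sourcetype === 'pfsense',
      pipeline: 'pfsense_parse', output: 'devnull', final: false },
    { name: 'default', filter: () => true,
      pipeline: 'passthru', output: 'default_out', final: true },
  ];
}

// Pipelines attached to the routes (hypothetical). A Drop on
// __cloneCount == 1 in pfsense_parse never fires: the clone only ever
// passes through the default route's pipeline.
const pipelines = {
  pfsense_parse: e => (e.__cloneCount === 1 ? null : { ...e, parsed: true }),
  passthru: e => e,
};

// Evaluate one event against the table. Every matching route yields a
// delivery; a non-final match lets the event continue, and each further
// match is a clone with __cloneCount incremented (the internal field the
// original poster observed).
function routeEvent(event, routes) {
  const deliveries = [];
  let cloneCount = 0;
  for (const route of routes) {
    if (!route.filter(event)) continue;
    const out = pipelines[route.pipeline]({ ...event, __cloneCount: cloneCount });
    if (out !== null) deliveries.push({ route: route.name, output: route.output, event: out });
    if (route.final) break;   // final=true: stop here
    cloneCount += 1;          // final=false: keep matching; later copies are clones
  }
  return deliveries;
}

// The accepted fix: enable the Final flag on the named route.
function setFinal(routes, name, value) {
  return routes.map(r => (r.name === name ? { ...r, final: value } : r));
}

// Constructed sample event standing in for one pfSense syslog line.
const sample = { sourcetype: 'pfsense', _raw: 'filterlog: constructed sample line' };

const before = routeEvent(sample, makeRouteTable());                             // 2 deliveries
const after = routeEvent(sample, setFinal(makeRouteTable(), 'Pfsense', true));   // 1 delivery
const show = d => `${d.route} -> ${d.output} __cloneCount=${d.event.__cloneCount} parsed=${!!d.event.parsed}`;
console.log('final=false:', before.map(show));
console.log('final=true: ', after.map(show));
```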

Answers

  • Jon Rust
    Jon Rust Posts: 439 mod

    __cloneCount is the result of a Clone function. Does your pipeline use Clone? Is there a pre-processing Pipeline defined in your source that uses Clone?

  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod

    Double check you didn't accidentally click the "Add Clone" button on the route.

  • Bryan Rapp
    Bryan Rapp Posts: 7

    The pipeline does not include a Clone function. There is also no pre-processing Pipeline attached to the syslog source.

  • Bryan Rapp
    Bryan Rapp Posts: 7

    Good thinking, but unfortunately this was not the case. I recreated the route too just for good measure, and I'm still seeing the same behavior.

  • Brendan Dalpe
    Brendan Dalpe Posts: 201 mod

    Would you be able to DM me your pipeline so I can review?

  • Bryan Rapp
    Bryan Rapp Posts: 7

    Sure thing

  • Bryan Rapp
    Bryan Rapp Posts: 7

    Thanks, Brendan! Setting the Final flag on the Pfsense route solved the problem. Everything looks as it should. Thanks again for your help.