Client output (syslog) too verbose

[Werkov]

Environment

rpm -q velociraptor-client
velociraptor-client-0.6.7.4~git63.4a1ed09d-lp153.16.1.x86_64
uname -r
5.14.21-150400.24.38-default

Steps to reproduce

• run make olddefconfig (in Linux kernel tree)
• observe output of journalctl -u velociraptor-client.service

Actual behavior

A single invocation of make olddefconfig produces ~800 log messages. Mainly pairs of:

Jun 20 13:41:46 host velociraptor[139992]: [INFO] 2023-06-20T13:41:46+02:00 File Ring Buffer: Enqueue {"header":"{\"ReadPointer\":50,\"WritePointer\":3200,\"MaxSize\":1073741874,\"AvailableBytes\":3030,\"LeasedBytes\":0}","leased_pointer":50}                              
Jun 20 13:41:46 host velociraptor[139992]: [INFO] 2023-06-20T13:41:46+02:00 read_file: /proc/76624/cmdline: lstat /proc/76624: no such file or directory

Expected behavior

Messages that may occur in great amount during short time ("amplifiers") backed by no malicious activity should not pollute the global syslog (e.g. log with lower level (or handle the underlying cause here)).

[djoreilly]

You are seeing INFO level logs because the client is started with verbose logging enabled -v
https://build.opensuse.org/package/view_file/security:sensor/velociraptor/sysconfig.velociraptor-client?expand=1

[Werkov]

Thanks for the pointer.

Shouldn't the increased verbosity an opt-in (for hosts where debugging is needed) instead of opt-out?

[djoreilly]

@jeffmahoney what do you think?

[jeffmahoney]

I think we need to adjust the priority of messages that indicate connection failure/disconnect/reconnect before we back off the verbosity. Otherwise it's unreported that the client isn't actually doing anything.