Process dies and go-audit stops logging  #86

@thisisatest012

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Description

After proper deployment of go-audit, the service functions as it should for some time and then it randomly stops logging to file (var/log/go-audit.log). Service shows as functioning and restarting the service does not fix the issue. Increasing the socket.buffer size in go-audit.yaml does not fix the issue.

This issue was reproducible in both Ubuntu and openSUSE. Reverting to older VM snapshots resulted in logging restored, however, after some time or even a reboot the service still stops logging to file. I don't think this is a resource issue and both VMs have plenty of drive space.

Reproducible in:

go-audit version: 1.0.0
OS version(s): Ubuntu 20.04.1 LTS
OS version(s): openSUSE 15.2

Expected result:

Process does not stop logging.

Actual result:

Process stops logging after working for some time.

Attachments:

root@ubuntu:/var/log# service go-audit status
● go-audit.service - go-audit
Loaded: loaded (/etc/systemd/system/go-audit.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 17:42:06 PST; 35min ago
Main PID: 13144 (go-audit)
Tasks: 7 (limit: 2281)
Memory: 6.3M
CGroup: /system.slice/go-audit.service
└─13144 /usr/local/bin/go-audit -config /etc/go-audit.yaml

Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #193
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #194
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #195
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #196
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #197
Jan 07 17:42:06 ubuntu go-audit[13144]: Added audit rule #198
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall 42 containing message type 1306 matching string saddr=(0200....7F|01>
Jan 07 17:42:06 ubuntu go-audit[13144]: Ignoring syscall `` containing message type 1305matching string.*`
Jan 07 17:42:06 ubuntu go-audit[13144]: Socket receive buffer size: 212992
Jan 07 17:42:06 ubuntu go-audit[13144]: Started processing events in the range [1300, 1399]

I could not find any other system logs that hint at any related issues... Any help would be much appreciated!
