[Bro] bro master crashing

Matt Clemons matt.clemons at gmail.com
Thu Mar 9 15:29:47 PST 2017 

Lots of these.

0.000000        Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr])
/opt/bro/share/bro/base/frameworks/intel/./cluster.bro, line 35
0.000000        Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr])
/opt/bro/share/bro/base/frameworks/intel/./cluster.bro, line 35
0.000000        Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr])
/opt/bro/share/bro/base/frameworks/intel/./cluster.bro, line 35
0.000000        Reporter::ERROR no such index (Cluster::nodes[Intel::p$descr])
/opt/bro/share/bro/base/frameworks/intel/./cluster.bro, line 35

So I commented out that section just for grins, and it still crashes.

[mclemons at bromaster-kcc:~/logs/current ] $ tail -f reporter.log
1489101446.599386       Reporter::INFO  processing continued    (empty)
1489101446.582511       Reporter::INFO  processing continued    (empty)
1489101446.565019       Reporter::INFO  processing suspended    (empty)
1489101446.565019       Reporter::INFO  processing continued    (empty)
1489101446.637924       Reporter::INFO  processing suspended    (empty)
1489101446.637924       Reporter::INFO  processing continued    (empty)
1489101446.728349       Reporter::INFO  processing continued    (empty)
1489101446.681030       Reporter::INFO  processing continued    (empty)
1489101446.751914       Reporter::INFO  processing continued    (empty)
1489101446.755815       Reporter::INFO  processing continued    (empty)
0.000000        Reporter::INFO  received termination signal     (empty)
#close  2017-03-09-23-19-16

Child died in the communication.log.

And a segfault:
2017-03-09T18:34:06.409225+00:00 HOSTNAME kernel: bro[60506]: segfault at 0
ip 00000000005fcf8d sp 00007fffaf9d2f40 error 6 in bro[400000+624000]

On Thu, Mar 9, 2017 at 5:06 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Mar 9, 2017, at 5:11 PM, Matt Clemons <matt.clemons at gmail.com> wrote:
> >
> > I've disabled cron.
> >
> > Still getting "received termination signal." and "child died" in the
> communications.log.
>
> Ah! "child died" makes things interesting.  That's literally the only
> thing that can cause bro to say 'received termination signal' for an
> internal reason.  I completely forgot about this case :-(
>
> When the child process that handles communication dies, the parent can't
> continue without it so it kills itself so the whole thing can be restarted
> in a known working state.
>
> Is there anything that shows up in your reporter.log or communication.log
> right before this happens?
>
> Is the kernel logging any segfaults to syslog?
>
> --
> - Justin Azoff
>
>


-- 
Regards,

Matt Clemons
(816) 200-0789
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170309/bd7e37c0/attachment.html

More information about the Bro mailing list