[Bro] Getting a Broctl Stack Trace

Mike M turbidtarantula at gmail.com
Tue Nov 13 08:22:10 PST 2018 

I gave this a shot but I'm still not seeing a core file. I tried both the
setting you recommended and setting an absolute path to /tmp. When I force
a core dump on another process the core file shows up as expected, but
broctl isn't producing one.

I'm open to suggestions on this one... not sure how to determine the root
cause.

thanks,
Mike

On Mon, Nov 5, 2018 at 5:01 PM Seth Hall <seth at corelight.com> wrote:

> Make sure you are setting the core pattern on your system so that the
> core dump will be written into the CWD.
>
> sudo sysctl -w kernel.core_pattern="core.%e-%t-%p"
>
>    .Seth
>
> On 2 Nov 2018, at 12:51, Mike M wrote:
>
> > I'm having an issue with broctl crashing when I try to run it on
> > Alpine
> > Linux. I mentioned it previously [1] but I'm circling back around to
> > try to
> > get it resolved. I've built it with the appropriate patches [2] but
> > broctl
> > is still reporting "crashed" state when I checks the status after
> > starting
> > it. The bro binary itself runs fine.
> >
> > What do I need to do to collect a stack trace from broctl to determine
> > the
> > root cause?
> >
> > Bro is built in debug mode and I set "ulimit -c unlimited" per the
> > instructions on reporting problems. I see a
> >
> /usr/local/bro/spool/tmp/post-terminate-standalone-2018-11-02-02-56-06-13765-crash
> > directory but there's no core dump anywhere obvious. The
> > .crash-diag.out
> > file says "No core file found" and doesn't provide any useful
> > information
> > about the cause of the crash.
> >
> > Thanks,
> > Mike
> >
> > [1]
> >
> http://mailman.icsi.berkeley.edu/pipermail/bro/2018-September/013580.html
> > [2]
> >
> http://mailman.icsi.berkeley.edu/pipermail/bro/2018-September/013581.html
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181113/6999b022/attachment-0001.html

More information about the Bro mailing list