[Zeek] Zeek crashed

Justin Azoff justin at corelight.com
Thu Aug 8 16:30:20 PDT 2019 

Hi,

The first thing I would do is use gdb to see what script is being executed
there.  Specifically if it is one of the stock scripts or perhaps a custom
one you have installed.  This is sort of described on
https://www.zeek.org/support/reporting-problems.html but from that gdb
session if you paste

up
print this->location->filename
print this->location->first_line

a few times it should start giving your filenames and line numbers.

Are you loading any scripts that call Log::add_filter or other Log::
functions?  A crash inside CheckFilterWriterConflict likely points to
something odd being done with log filters.

On Thu, Aug 8, 2019 at 5:47 PM Keith M <WPKM at msn.com> wrote:

> I'm new to Zeek. I noticed my Zeek is crashing every few days. I have the
> below bt
>
> Core was generated by `/opt/bro/bin/bro -U .status -p broctl -p
> broctl-live -p local -p logger local.b'.
> Program terminated with signal 11, Segmentation fault.
> #0  0x0000000000894795 in
> logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo
> const*, logging::Manager::Filter const*) ()
> (gdb) bt
> #0  0x0000000000894795 in
> logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo
> const*, logging::Manager::Filter const*) ()
> #1  0x000000000089999f in logging::Manager::Write(EnumVal*, RecordVal*) ()
> #2  0x00000000005d5436 in BifFunc::Log::bro___write(Frame*, ValPList*) ()
> #3  0x00000000005e502f in BuiltinFunc::Call(ValPList*, Frame*) const ()
> #4  0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()
> #5  0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()
> #6  0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()
> #7  0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()
> #8  0x000000000063aee4 in ExprStmt::Exec(Frame*, stmt_flow_type&) const ()
> #9  0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()
> #10 0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()
> #11 0x00000000005ade1a in EventHandler::Call(ValPList*, bool) ()
> #12 0x00000000005ad106 in EventMgr::Drain() ()
> #13 0x0000000000601b49 in net_run() ()
> #14 0x000000000055e4a3 in main ()
>
> I'm not sure what do make out of it. Everything was stable until two
> things changed. I went from stand alone to clustermode on the one server as
> I brought in another interface for a different set of networks. So now
> there are two network interfaces receiving packets in a cluster on one
> physical server. Any troubleshooting steps appreciated.
>
> thanks
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190808/66cf0926/attachment.html

More information about the Zeek mailing list