Zeek crashed

Keith_M · August 8, 2019, 9:29pm

I’m new to Zeek. I noticed my Zeek is crashing every few days. I have the below bt

Core was generated by `/opt/bro/bin/bro -U .status -p broctl -p broctl-live -p local -p logger local.b’.

Program terminated with signal 11, Segmentation fault.

#0 0x0000000000894795 in logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo const*, logging::Manager::Filter const*) ()

(gdb) bt

#0 0x0000000000894795 in logging::Manager::CheckFilterWriterConflict(logging::Manager::WriterInfo const*, logging::Manager::Filter const*) ()

#1 0x000000000089999f in logging::Manager::Write(EnumVal*, RecordVal*) ()

#2 0x00000000005d5436 in BifFunc::Log::bro___write(Frame*, ValPList*) ()

#3 0x00000000005e502f in BuiltinFunc::Call(ValPList*, Frame*) const ()

#4 0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()

#5 0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()

#6 0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()

#7 0x00000000005c7f46 in CallExpr::Eval(Frame*) const ()

#8 0x000000000063aee4 in ExprStmt::Exec(Frame*, stmt_flow_type&) const ()

#9 0x0000000000639351 in StmtList::Exec(Frame*, stmt_flow_type&) const ()

#10 0x00000000005f1294 in BroFunc::Call(ValPList*, Frame*) const ()

#11 0x00000000005ade1a in EventHandler::Call(ValPList*, bool) ()

#12 0x00000000005ad106 in EventMgr::Drain() ()

#13 0x0000000000601b49 in net_run() ()

#14 0x000000000055e4a3 in main ()

I’m not sure what do make out of it. Everything was stable until two things changed. I went from stand alone to clustermode on the one server as I brought in another interface for a different set of networks. So now there are two network interfaces receiving packets in a cluster on one physical server. Any troubleshooting steps appreciated.

thanks

JustinAzoff · August 8, 2019, 11:30pm

Hi,

The first thing I would do is use gdb to see what script is being executed there. Specifically if it is one of the stock scripts or perhaps a custom one you have installed. This is sort of described on https://www.zeek.org/support/reporting-problems.html but from that gdb session if you paste

up
print this->location->filename
print this->location->first_line

a few times it should start giving your filenames and line numbers.

Are you loading any scripts that call Log::add_filter or other Log:: functions? A crash inside CheckFilterWriterConflict likely points to something odd being done with log filters.

Keith_M · August 9, 2019, 12:35pm

Hi Justin ,

I only use zeek for parsing of the packets into logs. The logging directory is monitored by a Splunk UF that sends the logs to Splunk. Is there a way to disable any scripts and all IDS scripts and filters but still get the zeek logs to parse correctly. My configuration is all default. I never touched any scripts except to reduce timeouts on DNS waiting for a response.

Thanks
Keith

Topic		Replies	Views
Segmentation Fault on Zeek 3.0.0 Zeek	6	85	May 6, 2022
Zeekctl crashed after doing zeekctl "Install" command Development development	1	194	February 20, 2023
Unable to start Zeek-4.1.0 - type inconsistency in ZVal constructor Zeek	8	125	May 6, 2022
(no subject) Zeek	6	71	May 6, 2022
Segmentation fault (core dumped) Zeek	1	116	May 6, 2022

Zeek crashed

Related Topics