Hi all. Wondering if anyone has run into this issu...
# windowsm
Matt Ackard
09/13/2024, 7:23 PMHi all. Wondering if anyone has run into this issue or would have an idea what might be causing it? This is happening on windows servers (2019 in this case). The query referenced in the error isn't consistent.
Copy code
E0912 08:41:21.486761 7268 shutdown.cpp:79] Error adding new results to database for query pack_osquery-monitoring_schedule: Error serializing JSONs
Stefano Bonicatti
09/13/2024, 7:33 PMSeems the error is a misnomer, because it was deserializing JSON, not serializing it. Seems it was getting previous results from RocksDB to then do a differential, but failed parsing.
Stefano Bonicatti
09/13/2024, 7:33 PMLikely the DB has corrupted data
Stefano Bonicatti
09/13/2024, 7:33 PMis the machine particularly under stress?
m
Matt Ackard
09/13/2024, 7:48 PMtalking to the platform engineer for the server he said the server he is looking at now is barely used. Knowing that this is related to the db data is very useful though so thanks!
s
Stefano Bonicatti
09/13/2024, 7:54 PMI see; although you said that this doesn't happen always?
And/or that the pack/query there often has a different name?
I mean obviously there could also be some bug in osquery in how it saves the structure of the JSON.
That data can be seen by launching osquery with the process flag
--database_dumpStefano Bonicatti
09/13/2024, 7:56 PMAs far as I can see and if I'm not mistaken the error means the parsed JSON is invalid in its structure, so you should be able to see that in the data stored
Stefano Bonicatti
09/13/2024, 7:58 PM5 Views