Getting SIGSEGV  for osquery daemon (osqueryd). It cores even there is no execution of pack/query from fleet. I have downloaded the debug symbols  also , but still not getting the address mapping to symbol file . Any pointers how to debug this Osquery  daemon crash ? # gdb -iex "set auto-load safe-path /lib" /tmp/osqueryd-4.4.0-1.x86_64.debug -c /var/cores/core.osqueryd  GNU gdb (GDB) 7.10 Copyright (C) 2015 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-openwrt-linux". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /tmp/osqueryd-4.4.0-1.x86_64.debug...done. warning: core file may not match specified executable file. [New LWP 4862] [New LWP 4871] [New LWP 4870] [New LWP 4869] [New LWP 4868] [New LWP 4867] warning: Unexpected size of section `.reg-xstate/4862' in core file. warning: Could not load shared library symbols for linux-vdso.so.1. Do you need "set solib-search-path" or "set sysroot"? warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available. warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available. Core was generated by

osquery                         '.
Program terminated with signal SIGSEGV, Segmentation fault.

warning: Unexpected size of section

.reg-xstate/4862' in core file. #0 0x00007f43fac971db in ?? () [Current thread is 1 (LWP 4862)] (gdb) bt  #0 0x00007f43fac971db in ?? () #1 0x0e24f4832af29500 in ?? () #2 0x0e24f4832af29500 in ?? () #3 0x00007f43fd415a80 in ?? () #4 0x00007f43fd408318 in ?? () #5 0x00007f43fd43aa48 in ?? () #6 0x00007fff53d99700 in ?? () #7 0x00007fff53d997a0 in ?? () #8 0x00007f43fb44425a in ?? () #9 0x00007f4300000000 in ?? () #10 0x00007fff53d99730 in ?? () #11 0xffffffffffffffff in ?? () #12 0x00007f43fba1ff4d in ?? () #13 0x0000000000000000 in ?? () (gdb) info r rax      0xe24f4832af29500 1019208259891008768 rbx      0x7f43fd415a80 139929988455040 rcx      0x7f43f92c2b98 139929919957912 rdx      0x7f43fa28a7b7 139929936504759 rsi      0x0 0 rdi      0x7fff53d995a0 140734600156576 rbp      0x7fff53d99c90 0x7fff53d99c90 rsp      0x7fff53d99540 0x7fff53d99540 r8       0x7fff53d99560 140734600156512 r9       0x7f43f905dda0 139929917447584 r10      0x4e585f3531314758 5645366814972135256 r11      0x7f43f9097f40 139929917685568 r12      0x0 0 r13      0x7f43fd43aa48 139929988606536 r14      0x7f43fa28a7b7 139929936504759 r15      0x7fff53d995a0 140734600156576 rip      0x7f43fac971db 0x7f43fac971db eflags     0x10246 [ PF ZF IF RF ] cs       0x33 51 ss       0x2b 43 ds       0x0 0 es       0x0 0 fs       0x0 0 gs       0x0 0 (gdb) x/i 0x7f43fac971db => 0x7f43fac971db: Cannot access memory at address 0x7f43fac971db (gdb) x/i 0x7fff53d99540   0x7fff53d99540: add  %dl,-0xb7cd50e(%rbp) (gdb) x/i $rsp         0x7fff53d99540: add  %dl,-0xb7cd50e(%rbp) (gdb) x/10x $rsp 0x7fff53d99540: 0x2af29500 0x0e24f483 0x2af29500 0x0e24f483 0x7fff53d99550: 0xfd415a80 0x00007f43 0xfd408318 0x00007f43 0x7fff53d99560: 0xfd43aa48 0x00007f43 (gdb) x/10i $pc => 0x7f43fac971db: Cannot access memory at address 0x7f43fac971db (gdb) x/10x $bsp Value can't be converted to integer. (gdb) x/10x $rbp 0x7fff53d99c90: 0xfd43aa10 0x00007f43 0xfd43aa10 0x00007f43 0x7fff53d99ca0: 0x00000001 0x00000000 0x6261740a 0x0000656c 0x7fff53d99cb0: 0x00000000 0x00000000

A bit of a sidestep, but does osquery log anything? Running in verbose mode may get you an error. I’d also recommend trying the new 4.5.1, it added an exception catcher around all virtual table calls

Thanks Seph . Will enable verbose mode and check the log.

@theopolis thoughts?

@sanjaykcse is that with 4.5.1?

Hi @theopolis this crash is from 4.4.0 . Today , I have updated osquery to 4.5.1. will update if get see any crash . From the logs it appears the fleet was down. {"enroll_secret":"OXZMOA9Wr6AZy7N95UJBxxxxxds7Z2CN","host_identifier":"191534d5-a9d0-4c69-bk85-fb3557c5edba","platform_type":"9","host_details":{"os_version":{"arch":"x86_64","major":"0","minor":"0","name":"Unknown","patch":"0","pid_with_namespace":"0","platform":"posix"},"osquery_info":{"build_distro":"centos7","build_platform":"1","config_hash":"","config_valid":"0","extensions":"inactive","instance_id":"b9d0f315-be38-4f29-9ce6-d394e7813951","pid":"2546","platform_mask":"9","start_time":"1602223587","uuid":"191534d5-a9d0-4c69-bf85-fb3557c5edba","version":"4.4.0","watcher":"2518"},"platform_info":{"address":"0xf000","date":"10/08/2018","extra":"","revision":"5.12","size":"5242880","vendor":"American Megatrends Inc.","version":"5.12 (Z131E1009 113814.526799 2546 init.cpp:714] Cannot activate tls logger plugin: No node key, TLS logging disabled. I1009 113815.003304 2538 watcher.cpp:585] osqueryd watcher (2518) executing worker (5519) I1009 113815.024971 5519 init.cpp:340] osquery worker initialized [watcher=2518] I1009 113815.025318 5519 dispatcher.cpp:77] Adding new service: WatcherWatcherRunner (0x2cdcac8) to thread: 139827282855680 (0x2cdcb70) in process 5519 I1009 113815.025480 5519 rocksdb.cpp:131] Opening RocksDB handle: /tmp/osquery.db E1009 113815.028797 5519 init.cpp:568] An error occured during extension manager startup: Extension socket directory missing: /var/osquery/osquery.em I1009 113815.029001 5519 tls_enroll.cpp:69] TLSEnrollPlugin requesting a node enroll key from: https://ec2-52-25-115-238.us-west-2.compute.amazonaws.com:8080/api/v1/osquery/enroll I1009 113815.029183 5519 system.cpp:294] Using host identifier: 191534d5-a9d0-4c69-bk85-fb3557c5edba

Ok I’ll take a look later today or tomorrow

@theopolis osquery crashes almost after a day . Even the kolide fleet is down , osqueryd keeps on executing the packs and try to send logs/results without checking the connectivity with fleet.