I'm seeing osqueryd segfaulting on some of our ins...
# generalz
Zach Zeid
04/02/2020, 6:19 PMI'm seeing osqueryd segfaulting on some of our instances, what can I check here to see why?
l
Lawrence D'Anna
04/02/2020, 6:22 PMon mac os you could look for
/Library/Logs/DiagnosticReports/*osquery*.crashz
Zach Zeid
04/02/2020, 6:23 PMthis is on rhel itself
a
alessandrogario
04/02/2020, 6:46 PM
I’ve seen a bug report about the
magicalessandrogario
04/02/2020, 6:49 PM
I think we had support for debug symbol packages on *.rpm (cc @Stefano Bonicatti)
z
Zach Zeid
04/02/2020, 6:53 PMno, we're just getting a list of packages and processes
Zach Zeid
04/02/2020, 6:54 PMno
magics
Stefano Bonicatti
04/02/2020, 6:59 PMThere should be a
osquery-debuginfoz
Zach Zeid
04/02/2020, 7:00 PMhow do I use that?
Zach Zeid
04/02/2020, 7:01 PMjust run it?
s
Stefano Bonicatti
04/02/2020, 7:04 PMThat package exists only to install the debug symbols; to get a stack trace you either have to run osquery under a debugger (gdb), or have core dumps enabled and point gdb to it.
z
Zach Zeid
04/02/2020, 7:38 PMit's not clear how to enable core dumps for osquery
s
Stefano Bonicatti
04/03/2020, 10:23 AMYou might want to look at https://access.redhat.com/solutions/56021. There’s no specific way for osquery, it’s a system feature to enable system wide or temporarily in a shell where you would then launch osquery. The procedure differs slightly from distro to distro and versions; that link should help.
16 Views