https://github.com/osquery/osquery logo
Join Slack
Powered by
Hello Everyone! I am testing usage ebpf with osque...
# ebpf
l
Hello Everyone! I am testing usage ebpf with osquery, but sometimes get this errors: 1.
Copy code
orbit[24125]: I1125 11:47:48.859995 24164 rocksdb.cpp:67] RocksDB: [ERROR] [table/block_based/block_based_table_reader.cc:1090] Encountered error while reading data from properties block IO error: While pread offset 4655206 len 40: /opt/orbit/osquery.db/004706.sst: Is a directory

orbit[24125]: I1125 11:47:48.955194 24164 rocksdb.cpp:67] RocksDB: [ERROR] [db/db_impl/db_impl_compaction_flush.cc:2624] Waiting after background flush error: IO error: While pread offset 4655206 len 40: /opt/orbit/osquery.db/004706.sst: Is a directoryAccumulated background error counts: 1

orbit[24125]: E1125 11:49:16.361975 25035 shutdown.cpp:79] Error adding new results to database for query pack/Global/bpf_socket_events (test)-1: IOError: Is a directory
2.
Copy code
orbit[13777]: I1125 11:43:09.381443 13824 rocksdb.cpp:67] RocksDB: [WARN] [db/error_handler.cc:387] Background IO error IO error: While appending to file: /opt/orbit/osquery.db/005943.sst: Bad file descriptor

orbit[13777]: I1125 11:43:09.381582 13824 rocksdb.cpp:67] RocksDB: [ERROR] [db/db_impl/db_impl_compaction_flush.cc:2624] Waiting after background flush error: IO error: While appending to file: /opt/orbit/osquery.db/005943.sst: Bad file descriptorAccumulated background error counts: 1

orbit[13777]: E1125 11:44:52.375362 19350 shutdown.cpp:79] Error adding new results to database for query pack/Global/ebpf proccess events (test): IOError: Bad file descriptor
After that agent is restarted. Why this errors occurs? Maybe I can tune some flags for exclude this error? Query: 1.
Copy code
SELECT uid, gid, local_address, local_port, path, pid, remote_address, remote_port, ntime, duration, family, exit_code FROM bpf_socket_events WHERE path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');
2.
Copy code
SELECT cmdline, ntime, cwd, gid, uid, parent, path, pid FROM bpf_process_events;
Flags used:
Copy code
table_delay: 200
  augeas_lenses: /usr/share/augeas/lenses/dist
  logger_plugin: tls
  disable_events: false
  watchdog_delay: 120
  buffered_log_max: 3000000
  disable_watchdog: false
  enable_bpf_events: true
  logger_min_stderr: 1
  logger_tls_period: 1
  logger_tls_max_lines: 8192
  watchdog_memory_limit: 2048
  bpf_buffer_storage_size: 4096
Fleet version: 4.23.0 Agent version: 1.3.0 Osquery version: 5.5.1 VM has 8 GB RAM, 4 CPU.
10 Views
Open in Slack
PreviousNext
Powered by