# kolide
s
All our osquery agents seem to have stopped sending results after updating to macOS v10.15.5. The only indication that something is wrong is that these errors are being spammed incessantly. Any ideas?
```
default	16:55:42.162116-0400	osqueryd	CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default	16:55:42.163414-0400	osqueryd	dbBlobVersion() failed for a CssmError: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default	16:55:42.163752-0400	osqueryd	CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default	16:55:42.165359-0400	osqueryd	CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default	16:55:42.166820-0400	osqueryd	CSSM Exception: -2147413759 CSSMERR_DL_DATABASE_CORRUPT
default	16:55:42.168652-0400	osqueryd	CSSM Exception: -2147413737 CSSMERR_DL_DATASTORE_DOESNOT_EXIST
```
t
Sean, this appears to be a non-osquery specific issue, but I've not seen it before and I have not witnessed it occurring on 10.15.5 devices in my purview. I found this stackoverflow thread that might be helpful: https://apple.stackexchange.com/questions/280442/how-to-identify-a-missing-datastore-for-com-apple-securityd
t
I wonder if osquery is also consistently crashing after running a keychain-related query?
t
possibly, but in my testing I can repro a crash on either of the keychain tables on 10.15 via distributed queries over TLS
10.15.5 that is
t
You “can” reproduce?
t
can't...sorry
s
@terracatta @theopolis this is another error which gets thrown up as soon as osqueryd starts:
Any ideas for diagnosing this? My problem is that the agents are online and actually respond to ad-hoc queries, but they’re not posting the results of scheduled queries to the Fleet server. I can even see these results being written locally to `/var/log/osquery/osqueryd.results.log`. So the above network error seems directly pertinent. It just doesn’t say what the invalid argument is, frustratingly.