Re: [security-onion] Bro database is locked
734 views
Skip to first unread message
Doug Burks
Jan 21, 2017, 9:52:06 AM1/21/17
to securit...@googlegroups.com
Hi Gerardo,
What is the output of the following?
sudo broctl status
On Fri, Jan 20, 2017 at 2:30 PM, <gerardo....@gmail.com> wrote:
> Need help figuring out why I'm getting Status: Bro "Error: database is locked: /nsm/bro/spool.state.db" when running sostat. Thanks.
>
> Gerardo
>
> --
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
What is the output of the following?
sudo broctl status
On Fri, Jan 20, 2017 at 2:30 PM, <gerardo....@gmail.com> wrote:
> Need help figuring out why I'm getting Status: Bro "Error: database is locked: /nsm/bro/spool.state.db" when running sostat. Thanks.
>
> Gerardo
>
> --
> Follow Security Onion on Twitter!
> https://twitter.com/securityonion
> ---
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at https://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.
--
Doug Burks
gerardo....@gmail.com
Jan 21, 2017, 10:50:26 AM1/21/17
to security-onion
Error: database is locked: /nsm/bro/spool/state.db
Check if the user running BroControl has write access to the database file.
Otherwise, the database file is possibly corrupt.
Gerardo
Message has been deleted
Doug Burks
Jan 21, 2017, 2:24:09 PM1/21/17
to securit...@googlegroups.com
On Sat, Jan 21, 2017 at 10:50 AM, <gerardo....@gmail.com> wrote:
>> On Fri, Jan 20, 2017 at 2:30 PM, <gerardo....@gmail.com> wrote:
>> > Need help figuring out why I'm getting Status: Bro "Error: database is locked: /nsm/bro/spool.state.db" when running sostat. Thanks.
>
>> On Fri, Jan 20, 2017 at 2:30 PM, <gerardo....@gmail.com> wrote:
>> > Need help figuring out why I'm getting Status: Bro "Error: database is locked: /nsm/bro/spool.state.db" when running sostat. Thanks.
>
> Error: database is locked: /nsm/bro/spool/state.db
> Check if the user running BroControl has write access to the database file.
> Otherwise, the database file is possibly corrupt.
> Check if the user running BroControl has write access to the database file.
> Otherwise, the database file is possibly corrupt.
What is the output of the following?
ls -alh /nsm/bro/spool/state.db
--
Doug Burks
gerardo....@gmail.com
Jan 22, 2017, 11:41:29 AM1/22/17
to security-onion
-rw-r--r-- 1 sguil sguil 7.0K Jan 22 16:22 /nsm/bro/spool/state.db
I think it has something to do with the amount of traffic being fed into my monitoring interface causing the database to lock up.
Thanks,
Gerardo
Doug Burks
Jan 22, 2017, 11:46:43 AM1/22/17
to securit...@googlegroups.com
How much traffic is being fed into your monitoring interface?
Have you tried stopping Bro, removing the state.db file, and then
restarting Bro?
Have you tried stopping Bro, removing the state.db file, and then
restarting Bro?
gerardo....@gmail.com
Jan 22, 2017, 12:16:31 PM1/22/17
to security-onion
Doug,
Averaging about 500+ mb/s. I deleted state.db, restarted bro and cleared up. After a few seconds it locked back up.
Gerardo
Doug Burks
Jan 22, 2017, 12:29:52 PM1/22/17
to securit...@googlegroups.com
Replies inline.
On Sun, Jan 22, 2017 at 12:16 PM, <gerardo....@gmail.com> wrote:
> Averaging about 500+ mb/s.
We have folks averaging much more than 500 Mbps, so I don't think
that's the issue.
> I deleted state.db, restarted bro and cleared up. After a few seconds it locked back up.
Please include the full output of the following commands:
sudo nsm_sensor_ps-stop --only-bro
ls -alh /nsm/bro/spool/state.db
sudo rm /nsm/bro/spool/state.db
sudo nsm_sensor_ps-start --only-bro
ls -alh /nsm/bro/spool/state.db
Do you have any other processes which might be running broctl or other
bro commands periodically?
Also, have you installed all updates?
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade
--
Doug Burks
On Sun, Jan 22, 2017 at 12:16 PM, <gerardo....@gmail.com> wrote:
> Averaging about 500+ mb/s.
We have folks averaging much more than 500 Mbps, so I don't think
that's the issue.
> I deleted state.db, restarted bro and cleared up. After a few seconds it locked back up.
sudo nsm_sensor_ps-stop --only-bro
ls -alh /nsm/bro/spool/state.db
sudo rm /nsm/bro/spool/state.db
sudo nsm_sensor_ps-start --only-bro
ls -alh /nsm/bro/spool/state.db
Do you have any other processes which might be running broctl or other
bro commands periodically?
Also, have you installed all updates?
https://github.com/Security-Onion-Solutions/security-onion/wiki/Upgrade
--
Doug Burks
Reply all
Reply to author
Forward
0 new messages