[netsa-tools-discuss] rwflowpack won't start

Steven Duffield s.duffield at ed.ac.uk
Tue Dec 4 09:25:50 EST 2018 

Thanks Mark,

That did the trick. Recompiled and reinstalled to the latest SiLK and 
libfixbuf versions and it's all up and running again. Much appreciated.

Steven.

On 30/11/2018 15:39, Mark Thomas wrote:
> Steven-
> 
> Short answer:
> 
> There is a version mismatch between SiLK and libfixbuf.  Recompiling
> and reinstalling SiLK should fix the issue.
> 
> Long answer:
> 
> It appears that your SiLK installation is finding a different
> version of the libfixbuf library than the one it found when the
> source code was compiled.  When SiLK was compiled, it found a 1.x
> version of libfixbuf that includes the function named
> fbSessionAddTemplateCtxCallback2.  When you attempt to start
> rwflowpack now, it is finding a 2.x version of libfixbuf that does
> not have that function.
> 
> SiLK may be compiled against either version of libfixbuf, but the
> version of libfixbuf should not be changed once SiLK has been
> compiled.
> 
> If you have multiple versions of libfixbuf on your system, it could
> be that SiLK finds one the 1.x one when it is compiled and the 2.x
> one when it is invoked.
> 
> I hope that helps you resolve the issue.  Please followup if you
> have additional questions or problems.
> 
> -Mark
> 
> 
> -----Original Message-----
> From: Steven Duffield <s.duffield at ed.ac.uk>
> Date: Fri, 30 Nov 2018 09:16:49 +0000
> To: <netsa-tools-discuss at cert.org>
> Subject: [netsa-tools-discuss] rwflowpack won't start
> 
> Hi,
> 
> I had a server reboot on me unexpectedly and when it came back
> rwflowpack failed to start. I've tried "service rwflowpack start" a few
> times but it still fails to restart. It's a centos7 system but journald
> and syslog don't give much away (at least to my untrained eye) even with
> LOG_LEVEL=debug. Seems to fail at the same place each time...
> 
> Nov 29 19:02:27 flowm systemd: Starting LSB: start and stop SiLK
> rwflowpack daemon...
> Nov 29 19:02:27 flowm rwflowpack[16198]: Started logging at 2018-11-29
> 19:02:27Z
> Nov 29 19:02:27 flowm rwflowpack[16198]: '/usr/sbin/rwflowpack'
> '--sensor-configuration=/etc/silk/sensor.conf'
> '--compression-method=best' '--site-config-file=/etc/silk/silk.conf'
> '--output-mode=sending'
> '--sender-directory=/data/silk-processing/packer_dest'
> '--incremental-directory=/data/silk-processing/packer_work'
> '--pidfile=/var/lib/rwflowpack/log/rwflowpack.pid' '--log-level=debug'
> '--log-destination=syslog'
> Nov 29 19:02:27 flom rwflowpack[16198]: Forked child 16200.  Parent exiting
> Nov 29 19:02:27 flowm rwflowpack[16200]: Using packing logic from
> /usr/lib64/silk/packlogic-twoway.so
> Nov 29 19:02:27 flowm rwflowpack[16200]: Creating stream cache
> Nov 29 19:02:27 flowm rwflowpack[16200]: Checking incremental directory
> for old files...
> Nov 29 19:02:27 flowm rwflowpack[16200]: No incremental files to move.
> Nov 29 19:02:27 flowm rwflowpack[16200]: Creating NetFlowV9 Reader for
> probe 'sensor1' on 6000
> Nov 29 19:02:28 flowm rwflowpack: Starting rwflowpack:#011[Failed]
> Nov 29 19:02:28 flowm systemd: rwflowpack.service: control process
> exited, code=exited status=1
> Nov 29 19:02:28 flowm systemd: Failed to start LSB: start and stop SiLK
> rwflowpack daemon.
> Nov 29 19:02:28 flowm systemd: Unit rwflowpack.service entered failed state.
> Nov 29 19:02:28 flowm systemd: rwflowpack.service failed.
> 
> If I remove sensor1 from sensor.conf it fails at sensor2.
> 
> I tried starting it from the commandline as a quick check and got this...
> 
> /usr/sbin/rwflowpack --sensor-configuration=/etc/silk/sensor.conf
> --compression-method=zlib --site-config-file=/etc/silk/silk.conf
> --input-mode=stream --output-mode=incremental-files
> --root-directory=/data/FLOWS
> --pidfile=/var/lib/rwflowpack/log/rwflowpack.pid --log-level=debug
> --log-destination=syslog
> --incremental-directory=/data/silk-processing/packer_dest --no-daemon
> 
> 
> /usr/sbin/rwflowpack: symbol lookup error: /lib64/libflowsource.so.17:
> undefined symbol: fbSessionAddTemplateCtxCallback2
> 
> 
> Any pointers on where to look or what to try next would be most appreciated.
> 
> Thanks,
> 
> Steven.
> 
> 

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.

More information about the netsa-tools-discuss mailing list