In the logs we see the following error:
** Alert 1540265306.563695: - osquery,
2018 Oct 23 05:28:26 redorbita01 ->(redorbita01) 192.168.1.28->osquery
Rule: 24001 (level 5) -> 'osquery error message'
E1023 05:28:26.246608 10373 init.cpp:443] osqueryd initialize failed: osqueryd (810) is already running
We log in to the server, and when we try to restart the service it tells us that the database is locked:
osqueryctl restart
I1023 08:33:28.031273 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:28.231804 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:28.432319 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:28.632807 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:28.833308 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:29.033756 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:29.234218 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:29.434729 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:29.635248 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:29.835764 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:30.036176 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:30.236639 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:30.437146 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:30.637635 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:30.838119 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:31.038674 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:31.239171 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:31.439617 16416 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
I1023 08:33:31.649029 16416 database.cpp:564] Checking database version for migration
The "Resource temporarily unavailable" error on the LOCK file means another process still holds the RocksDB lock, so first make sure no leftover osqueryd process is running (the PID reported in the alert, 810, or the one in the pidfile); removing the directory underneath a live daemon does not release its lock. Note also that deleting the database discards osquery's local state. Once nothing is holding it, we remove the osquery database and the PID file:
rm -rf /var/osquery/osquery.db/ /var/run/osqueryd.pidfile
We start the service:
osqueryctl start
I1023 08:41:50.862896 16996 database.cpp:564] Checking database version for migration
I1023 08:41:50.862993 16996 database.cpp:588] Performing migration: 0 -> 1
I1023 08:41:50.863467 16996 database.cpp:620] Migration 0 -> 1 successfully completed!
I1023 08:41:50.863505 16996 database.cpp:588] Performing migration: 1 -> 2
I1023 08:41:50.864008 16996 database.cpp:620] Migration 1 -> 2 successfully completed!
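The procedure above deletes the database and the pidfile without first checking whether an osqueryd process is still alive. The script below is an added example, not code from the original post or from the osquery project: it checks whether the PID in the pidfile still exists, whether any process still holds the RocksDB LOCK file (using fuser or lsof where available), and only then removes the database and starts the service. The default paths are the ones from the post; the function names, the DRY_RUN switch (on by default, so it only prints what it would do) and the environment-variable overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): check before deleting osquery state.
# Assumptions: default paths as in the post; DRY_RUN=1 only prints the destructive
# commands; set DRY_RUN=0 to really run them.

OSQUERY_DB="${OSQUERY_DB:-/var/osquery/osquery.db}"
OSQUERY_PIDFILE="${OSQUERY_PIDFILE:-/var/run/osqueryd.pidfile}"
DRY_RUN="${DRY_RUN:-1}"

# pidfile_state PIDFILE -> prints one of: missing, invalid, alive, stale
pidfile_state() {
    _pf=$1
    [ -f "$_pf" ] || { echo missing; return 0; }
    _pid=$(tr -d '[:space:]' < "$_pf")
    case "$_pid" in
        ''|*[!0-9]*) echo invalid; return 0 ;;
    esac
    # /proc covers processes we are not allowed to signal; kill -0 covers non-Linux
    if [ -d "/proc/$_pid" ] || kill -0 "$_pid" 2>/dev/null; then
        echo alive
    else
        echo stale
    fi
}

# lock_holders LOCKFILE -> prints the PIDs that have the LOCK file open (nothing if none)
lock_holders() {
    _lock=$1
    [ -e "$_lock" ] || return 0
    if command -v fuser >/dev/null 2>&1; then
        # fuser prints "1234c 5678c" on stdout; strip the access-type letters
        fuser "$_lock" 2>/dev/null | tr -s ' ' '\n' | sed 's/[^0-9]//g' | grep -E '^[0-9]+$' || true
    elif command -v lsof >/dev/null 2>&1; then
        lsof -t "$_lock" 2>/dev/null || true
    fi
}

# run CMD... -> executes the command, or only prints it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# osquery_recover -> returns 0 when the database could be cleared and the service
# started, 1 when a live osqueryd (or another lock holder) still owns the database
osquery_recover() {
    _state=$(pidfile_state "$OSQUERY_PIDFILE")
    case "$_state" in
        alive)
            _pid=$(tr -d '[:space:]' < "$OSQUERY_PIDFILE")
            echo "osqueryd $_pid is still running; stop it instead of deleting its database"
            run osqueryctl stop
            return 1 ;;
        stale|invalid)
            echo "pidfile $OSQUERY_PIDFILE is $_state; removing it"
            run rm -f "$OSQUERY_PIDFILE" ;;
        missing) ;;
    esac
    _holders=$(lock_holders "$OSQUERY_DB/LOCK")
    if [ -n "$_holders" ]; then
        echo "LOCK still held by PID(s): $_holders; rm -rf would not release it"
        return 1
    fi
    echo "nothing holds $OSQUERY_DB/LOCK; clearing the database and starting osqueryd"
    run rm -rf "$OSQUERY_DB"
    run osqueryctl start
}
```

Usage: source the file and call `osquery_recover` to see what it would do, then `DRY_RUN=0 osquery_recover` (as root) to apply it. If it reports a live PID, the fix is to stop that daemon, not to delete the database out from under it.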