CB Response: Yara Connector log error: "OperationalError: database is locked"

Article ID: 287701

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Slow processing from Yara Connector 
  • /var/log/cb/integrations/yara/yara.log shows:
OperationalError: database is locked

Environment

  • CB Response Server: All versions
  • Yara Connector:  All versions

Cause

  • Duplicate Yara Connector processes running
  • Yara Connector database corruption

Resolution

Confirm you only have 1 running Yara Connector:
  1. Execute:
sudo ps -ef |grep yara
  2. Confirm that only 1 process shows "/usr/share/cb/integrations/yara/bin/cb-yara-connector start". If that is the case, proceed to the Reset the Yara Connector DB steps.
  3. If duplicate entries are seen, stop the Yara Connector, use the "kill" command to terminate any duplicates, and then restart the Yara Connector:
sudo service cb-yara-connector stop
kill -9 <pid_of_yara_connector>
  4. Let the Yara Connector process for several hours. If "OperationalError: database is locked" is still occurring, proceed to the DB reset steps.

Reset the Yara Connector DB:
  1. Stop yara:
sudo service cb-yara-connector stop
  2. Preserve the existing db file(s):
sudo mkdir /usr/share/cb/integrations/yara/backup
sudo mv /usr/share/cb/integrations/yara/db/* /usr/share/cb/integrations/yara/backup
  3. Start yara:
sudo service cb-yara-connector start
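
The checks above can be scripted so the duplicate count does not include the grep process that "ps -ef |grep yara" lists alongside the connector. This is an added example, not vendor code: the function names, the 500-line log window and the sample ps output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): triage for "database is locked" in yara.log.
CONNECTOR_CMD='/usr/share/cb/integrations/yara/bin/cb-yara-connector start'
LOCK_MSG='OperationalError: database is locked'

# Print PIDs of connector processes found in `ps -ef` output on stdin.
# Lines whose command is grep or awk are skipped, so the filter never counts
# itself the way a plain `ps -ef | grep yara` does.
connector_pids() {
    awk -v pat="$CONNECTOR_CMD" \
        'index($0, pat) && $8 !~ /(^|\/)(grep|awk)$/ { print $2 }'
}

# Count lock errors in the last N lines (default 500, an assumed window) of a
# log file, so errors logged before an earlier fix do not keep firing.
recent_lock_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    tail -n "${2:-500}" "$1" | grep -F -c -- "$LOCK_MSG" || true
}

# Map the two counts to the article's next step.
next_step() {  # usage: next_step <connector_count> <recent_lock_errors>
    if   [ "$1" -gt 1 ]; then echo "duplicates: stop connector, kill extra PIDs, restart"
    elif [ "$2" -eq 0 ]; then echo "ok: no recent lock errors"
    elif [ "$1" -eq 1 ]; then echo "reset-db: single connector still logging lock errors"
    else echo "not-running: no connector process found"
    fi
}

# Constructed sample `ps -ef` output (PIDs, times and users are made up).
sample_ps() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root      2101     1  0 09:14 ?        00:03:12 /usr/share/cb/integrations/yara/bin/cb-yara-connector start
root      4877     1  0 11:40 ?        00:00:45 /usr/share/cb/integrations/yara/bin/cb-yara-connector start
admin     5120  5001  0 12:02 pts/0    00:00:00 grep yara
EOF
}

pids=$(sample_ps | connector_pids)
count=$(printf '%s\n' "$pids" | grep -c . || true)
echo "connector PIDs: $(echo $pids)"
next_step "$count" 3   # 3 is a constructed error count for the sample
```

On a live server, feed it real data with "sudo ps -ef | connector_pids" and "recent_lock_errors /var/log/cb/integrations/yara/yara.log".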