Tag: Core dump
External logging in SEPM with Failover configuration
My company has two SEPMs and we're trying to configure External Logging. We have the primary SEPM configured to export logs to a dump file and our SIEM agent is ingesting the logs in the dump files. As long as the SEPM in datacenter a is active it writes logs to the *.tmp files in the dump directory. If the SEPM in datacenter b becomes active, it does not write logs to the *.tmp files in the dump directory. How do we make sure that whichever SEPM is active writes *.tmp files in the dump directory (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump)?
Related:
XenApp/XenDesktop 7.15 LTSR CU2 and CU3: VDA Intermittently Blue Screens With BugCheck Code 0x50
Memory Dump Analysis shows:
Process ID [0]
Thread ID [0]
IDENTITY: NonPrimaryClient/NoIdentity.
Executing Processor Architecture is x64.
Debuggee is in Kernel Mode.
Debuggee is a kernel mode dump file.
Event Type: Exception.
Exception Faulting Address: 0xffffe002fa182a3e.
BugCheck Code: 0x50.
Exception Code: 0xC0000005.
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005).
Exception Sub-Type: Write Access Violation.
Exception Hash (Major/Minor)
Hash Usage : Stack Trace:
Excluded : nt!KeBugCheckEx+0x0
Excluded : nt!MiSystemFault+0x10b2
Excluded : nt!MmAccessFault+0x219
Excluded : nt!KiPageFault+0x317
Major+Minor : wdica!MakeOnePacket+0x424
Major+Minor : wdica!SendSomeData+0xfe
Major+Minor : wdica!FlushManagement+0xf1
Major+Minor : wdica!TerminalChannelWrite+0xb2a
Major+Minor : wdica!WdChannelWrite+0xe
Minor : picadd!_IcaCallSd+0x2ba
Minor : picadd!IcaCallDriver+0x28b
Minor : picadd!IcaWriteChannel+0x724
Minor : PICAVC!PicaWriteVC+0x4a5
Minor : picadm!FileWriteStreamEx+0x43a
Minor : picadm!FileWriteStream+0x17f
Minor : picadm!FileWrite+0x3dc
Minor : picadm!PdmFsdWrite+0x3ce
Minor : picadm!OwWriteFsd+0x1c2
Minor : picadm!WriteMaximumIoSizeChunks+0x5b
Minor : picadm!NonCachedWrite+0x1ef
Minor : picadm!OwCommonWrite+0xada
Minor : picadm!OwFsdWrite+0x264
Minor : mup!MupiBypassMupAndCallUncProviderDirectly+0x36
Minor : mup!MupFsdIrpPassThrough+0xdb
Minor : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x25a
Minor : fltmgr!FltpDispatch+0xb2
Minor : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x25a
Minor : fltmgr!FltpDispatch+0xb2
Excluded : nt!IopSynchronousServiceTail+0x32b
Excluded : nt!NtWriteFile+0x694
Excluded : nt!KiSystemServiceCopyEnd+0x13
Unknown : 0x0000000077e22352
Related:
How to Download Core or Crash Files from a NetScaler Appliance
CTX133923 – How to Generate Core Dump on an Unresponsive NetScaler Appliance
CTX207598 – How to Generate NSPPE Core Dump on NetScaler for High Memory issues
Citrix Documentation – How to Download Core or Crash Files from a NetScaler Appliance
Related:
How to Use Windows Error Reporting (WER) to Capture Application Crash Dumps (User Dumps) On Windows Server 2008 And Windows Vista SP1 Onwards
Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.
This feature is not enabled by default. Enabling the feature requires administrator privileges.
To enable and configure WER to capture and store application crash dumps, add the values to the following registry key:
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\LocalDumps
Name: DumpFolder
Type: REG_EXPAND_SZ
Value: %LOCALAPPDATA%\CrashDumps
Name: DumpCount
Type: REG_DWORD
Value: 10 (decimal). This will collect 10 application crash dumps.
Name: DumpType
Type: REG_DWORD
Value: 0x2 (Value 2 is for Full dump)
Note: The preceding settings apply globally to all user-mode applications. Application crash dumps are saved to the DumpFolder location. Service crash dumps are written to service-specific profile folders depending on the service account used. For example, the profile folder for Network and Local Services is %WINDIR%\ServiceProfiles. For System services, the folder is %WINDIR%\System32\Config\SystemProfile.
Related:
3374462: Configure crashkernel memory for kernel core dump analysis
This will make kdump act in a manner similar to the older netdump mechanism: the capture environment will go up to runlevel 3 (where network connectivity is enabled) and will use the secure copy command scp to transfer the kernel core dump to a separate system.
2. For SLES11
Add the network device to be used to the variable KDUMP_NETCONFIG in /etc/sysconfig/kdump.
In order to automatically set up a network device, pass the option "auto". This is also the default.
For a custom setup, pass a string that contains the network device and the mode (dhcp, static), separated by a colon, for example: "eth0:static" or "eth1:dhcp".
If you use "static", you have to set the IP address with ip=ipspec as boot parameter. ipspec is <client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<proto>. See mkinitrd(8) for details.
Pass the dumping method and the destination directory to the parameter KDUMP_SAVEDIR in /etc/sysconfig/kdump.
Supported methods are:
FTP, for example "ftp://user:password@host/var/log/dump"
SSH, for example "ssh://user:password@host/var/log/dump"
NFS, for example "nfs://server/export/var/log/dump"
CIFS (SMB), for example "cifs://user:password@host/share/var/log/dump"
See also: kdump(5), which contains an exact specification for the URL format.
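A check for the KDUMP_SAVEDIR forms listed above, as an added example that is not part of the original article or of SUSE's tooling: it reads a sysconfig-style file and reports a password stored in the URL, a world-readable file holding that password, and FTP as the transport. The function names and finding labels are assumptions of this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit KDUMP_SAVEDIR in a kdump sysconfig file (path given as $1).

# Print the last KDUMP_SAVEDIR value in file $1, surrounding quotes removed.
kdump_savedir() {
    sed -n 's/^[[:space:]]*KDUMP_SAVEDIR=//p' "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one finding per line for file $1, or "ok" when nothing is flagged.
# The password itself is never echoed.
audit_kdump_savedir() {
    cfg=$1 found=0
    url=$(kdump_savedir "$cfg")
    if [ -z "$url" ]; then echo "unset: KDUMP_SAVEDIR not found in $cfg"; return 0; fi
    case $url in
        *://*) scheme=${url%%://*}; rest=${url#*://} ;;
        *)     scheme=file; rest= ;;          # plain path, no remote target
    esac
    authority=${rest%%/*}                     # [user[:password]@]host
    case $authority in
        *:*@*)
            userinfo=${authority%@*}          # everything before the last "@"
            echo "password-in-url: $scheme login for user '${userinfo%%:*}' is stored in $cfg"
            found=1
            # The password is only as private as the file that holds it.
            if [ -n "$(find "$cfg" -prune -perm -004)" ]; then
                echo "world-readable: $cfg can be read by any local user"
            fi ;;
    esac
    if [ "$scheme" = ftp ]; then
        echo "cleartext: ftp sends the login and the dump unencrypted"
        found=1
    fi
    [ "$found" -eq 1 ] || echo "ok"
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
printf '%s\n' 'KDUMP_NETCONFIG="auto"' \
    'KDUMP_SAVEDIR="ftp://user:password@host/var/log/dump"' > "$sample"
chmod 644 "$sample"
audit_kdump_savedir "$sample"
rm -f "$sample"
```

Run it against /etc/sysconfig/kdump on the host; an "ok" result for an NFS target only means no credential or FTP issue was found in the URL.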
Related:
3374462: Configure kernel core dump capture
Related:
How to Generate NSPPE Core Dump on NetScaler for High Memory issues
This article describes how to generate NSPPE core dump on NetScaler.
Background
When NetScaler, whether standalone or HA pair, runs into memory issues, you would generally generate NSPPE core dump. This triggers the device to restart while dumping the core which would help us with the RCA for high memory usage.
Related:
7004093: How to get a Windows memory dump
If the “Complete memory dump” option is removed from the choice list in the later Windows versions, it is because Windows knows that a Complete memory dump isn’t possible. e.g. The amount of physical RAM is more than 2GB, or the page file size isn’t set to the size of physical memory or greater.
The “How to generate a kernel or a complete memory dump file in Windows Server 2008” KB article (http://support.microsoft.com/kb/969028) presents a good deal of information on what’s new and different regarding obtaining a crash dump on Vista/2008, and also covers the “how to manually force a dump” topic too. Although the document describes the possibility of enabling the “Complete” memory dump option even though the machine has over 4GB of memory, due to the issue described of dumps over 4GB potentially being corrupt and the general non-necessity of actually making and uploading a dump of that size, Novell recommends using the “truncatememory or removememory switches in the BCDEdit.exe” approach described in the document.
i.e. From an elevated command prompt (i.e. “Run as administrator”), execute this command:
BCDEDIT.EXE /set {current} truncatememory 0x80000000
to have Windows ignore all the memory above 2GB after the next reboot. Now (after reboot) the “Complete” memory dump option should become available, and the Complete dump generated won’t be larger than 2GB.
To return the machine to its original memory configuration, execute this command:
BCDEDIT.EXE /deletevalue {current} truncatememory
Windows 7 Specific
When attempting to collect a memory dump in connection with a Windows 7 kernel-mode crash, the MEMORY.DMP file may be unexpectedly missing. This may be due to the following Windows 7-specific default behavior:
If there are less than 25GB of disk space free and the machine is not joined to a domain, by default Windows will delete a generated MEMORY.DMP file rather than keeping it. (After Windows reboots and reports the crash to Microsoft via the online crash analysis / Windows Error Reporting.)
If there are more than 25GB, or the machine is joined to a domain (read “corporate environment”), or you’re actually on a Windows Server 2008 R2 (not Windows 7 Ultimate / Professional / Home), the MEMORY.DMP will be retained by default, as it always has in previous versions of Windows.
The Windows 7 default policy can be explicitly overridden by setting the following registry value:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl]
"AlwaysKeepMemoryDump"=dword:00000001
Formerly known as TID# 10084257
Related:
7022954: How to collect JAVA dumps for taskomatic debugging
This document (7022954) is provided subject to the disclaimer at the end of this document.
Environment
Situation
Resolution
kill -3 `ps aux | grep Taskomatic | head -1 | awk '{print $2}'`
The core dump file will be saved to /var/crash/javacore.YYYYMMDD.*
Disclaimer
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.