search

log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0
1.73k stars 351 forks source link

sqlite: OperationalError: disk I/O error #1607

Closed joachimmetz closed 4 years ago

joachimmetz commented 6 years ago

Unclear why this issue is surfacing

Traceback (most recent call last):
  File "plaso/multi_processing/worker_process.py", line 176, in _Main
    self._ProcessTask(task)
  File "plaso/multi_processing/worker_process.py", line 274, in _ProcessTask
    storage_writer.Close()
  File "plaso/storage/interface.py", line 1205, in Close
    self._storage_file.Close()
  File "plaso/storage/sqlite_file.py", line 578, in Close
    self._connection.commit()
OperationalError: disk I/O error

No indication of disk IO error in system logs

joachimmetz commented 6 years ago

Some sources suggest making sure path to database is absolute added in: https://codereview.appspot.com/333380043/

hannipot commented 6 years ago

Got the same error today during processing an RAW image (25 GB).
I'm using plaso 2018-08-18 on SANS SIFT Workstation (Ubuntu16.04 LTS).

joachimmetz commented 6 years ago

@nifalle could you describe a bit your VM / system configuration up and what you were processing. What OS was on the image.

hannipot commented 6 years ago

Standard Ubuntu 16.04. There I installed SIFT from: https://github.com/sans-dfir/sift-cli#installation On that machine I also installed VBoxGuestAdditions to mount a share of the Windows host OS where the VM is running on.

I tried to process that image (Windows 7 OS) using: log2timeline.py --workers 6 --status_view window /media/sf_Share/test.plaso /media/sf_Share/test.raw

hannipot commented 6 years ago

I checked the plaso file with pinfo.py with the following result:

[ERROR] Unable to open storage file: test.plaso with error: Unable to open ZIP file: test.plaso with error: File is not a zip file

joachimmetz commented 6 years ago

We've removed support for ZIP storage files beginning of this year, which version of plaso are you running?

hannipot commented 6 years ago

The newest one plaso-20180818

joachimmetz commented 6 years ago

Are there maybe multiple plaso versions on your system? pinfo.py --version

Rasmus-Riis commented 6 years ago

I'm also having this issue. (Plus the issue with the elasticsearch version being too old/recent. But have tried to make a workaround by using --no-dependencies-check). I'm using the SIFT workstation VM. (Which i made an sudo apt-get update of before taking it offline). Im using log2timeline 20180624

Onager commented 6 years ago

Pinging this issue - is this still occurring?

joachimmetz commented 4 years ago

Closing issue OperationalError: disk I/O error has many different reasons would need specific details about the context in which this is happening.

Regarding SIFT on 16.04, it is currently unsupported because it is too far out of date.