Re: [sleuthkit-users] Autopsy 4.2.0 keywords ingest module crashes every time the first time
From: Richard C. <rco...@ba...> - 2016-12-05 23:38:36
Nanni,

I have combed through the logs you sent. The local Solr server process appears to be starting normally. However, when Autopsy sends a core (index) creation request to the Solr process during case creation, Autopsy is unable to connect. It is not clear whether this is because the process has shut down shortly after starting, or is just refusing the connection request.

Then, when you try to run ingest, the keyword search module tries to open the core (index) for the case and fails, because it does not exist. The module does not start, and when a module does not start, ingest is aborted and you get the message to disable the ingest module that would not start, in this case the keyword search module.

It looks like you closed Autopsy altogether to get the case to open and the ingest to run, which means that the misbehaving Solr process (if it was still running) was terminated and a new process was started. Unfortunately, this means that the solr.stdout.log file was deleted and recreated, so I have no trace of any error messages that the Solr server may have written. The interesting thing is that this new Solr process appears to experience no unexpected errors, as evidenced by both your success and the solr.stdout.log file you sent me.

Are you able to reproduce this problem? If so, here are a few things you could do to help me to help you:

- When Autopsy is started, but before you try to open a case, open a browser and go to the Solr Admin web page at: http://localhost:23232/solr/#. Look to see if there are any error messages on the logging page (push the Logging button) and send me a screenshot if there are.
- After you open the case, go back to the Solr Admin page and check to see if you can use the Core Selector button to choose the core for the case, which will be a core with a name that looks like your case name with a time/date stamp suffix. Also, check the logging page again.
- After you shut down Autopsy, but before you restart, collect a copy of ~/Users/[your user name]/AppData/roaming/autopsy/var/log/solr.stdout.log for me. This should actually agree with the logging page snapshots from the Solr Admin page.

Thanks,
Richard

On Wed, Nov 23, 2016 at 12:39 PM, Nanni Bassetti <dig...@gm...> wrote:

> no problem....see the attachment.
>
> 2016-11-23 18:20 GMT+01:00 Richard Cordovano <rco...@ba...>:
>
>> Nanni, thank you for sending the autopsy logs from the case folder.
>> Autopsy was failing to connect to the Solr server that it starts up in
>> jetty on your machine. Will you kindly also send me the entire contents
>> (all log files) of the ~/Users/[your user name]/AppData/roaming/autopsy/var/log
>> folder?
>>
>> Thanks,
>>
>> Richard Cordovano
>> Autopsy Team Lead
>> Basis Technology
>>
>> On Wed, Nov 23, 2016 at 2:35 AM, Nanni Bassetti <dig...@gm...>
>> wrote:
>>
>>> I tried to run Autopsy 4.2.0 working 2 times directly with 2 pendrives
>>> and 1 time with an EWF disk image.
>>> Every time, after having created the case, Autopsy said that I must
>>> disable keyword ingest module, but if I close all and re-run it opening the
>>> same case, already created, the problem disappeared.
>>>
>>> I attach the log file of one test of mine.
>>>
>>> --
>>> Dott. Nanni Bassetti
>>> http://www.nannibassetti.com
>>> CAINE project manager - http://www.caine-live.net
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> sleuthkit-users mailing list
>>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>>> http://www.sleuthkit.org
>>>
>>
>
> --
> Dott. Nanni Bassetti
> http://www.nannibassetti.com
> CAINE project manager - http://www.caine-live.net
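
The Solr checks requested in the message above can also be scripted to separate "connection refused" from "server up but case core missing". This is an added example, not part of the original thread or of Autopsy's code; it assumes Solr's CoreAdmin STATUS endpoint is served under the same /solr context as the Admin page and that the case core's name begins with the case name, and `list_cores` and `diagnose` are hypothetical helper names.

```python
import json
import sys
import urllib.error
import urllib.request

# Ignore any system proxy: the embedded Solr only needs to be reached locally.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def list_cores(host="localhost", port=23232, timeout=3.0):
    """Return ("up", [core names]) or (failure state, [])."""
    url = f"http://{host}:{port}/solr/admin/cores?action=STATUS&wt=json"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            status = json.load(resp).get("status", {})
    except urllib.error.HTTPError as exc:   # Solr answered, but with an error
        return f"http_{exc.code}", []
    except urllib.error.URLError as exc:    # no HTTP response at all
        refused = isinstance(exc.reason, ConnectionRefusedError)
        return ("refused" if refused else "unreachable"), []
    except (OSError, ValueError):           # dropped mid-read or non-JSON body
        return "bad_response", []
    return "up", sorted(status)


def diagnose(state, cores, case_name):
    """Map a probe result onto the failure modes described in the message."""
    if state == "refused":
        return "solr-down"        # nothing listening: process exited or never bound
    if state != "up":
        return "solr-unhealthy"   # no usable answer: timeout, HTTP error, bad reply
    if not any(name.startswith(case_name) for name in cores):
        return "core-missing"     # server fine, but the case core was never created
    return "ok"


if __name__ == "__main__":
    case = sys.argv[1] if len(sys.argv) > 1 else "demo_case"  # constructed default
    state, cores = list_cores()
    print(f"state={state} cores={cores} diagnosis={diagnose(state, cores, case)}")
```

Run it once after Autopsy starts and again after opening the case, passing the case name as the argument.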