1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/2801baffd4ff3522434d593e6b22ede24cc7f283|2801baff>

- Pin macos python versions in CI to fix mismatch between builder and test runner (#8559) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/1424defadf2bf65b5a6ff9bdde787820b5a1e1e2|1424defa>

- cve: Ignore util-linux CVE-2024-28085 (#8579) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/701b62fa7c6116cbe148e13766896b7f239d14ff|701b62fa>

- build(deps): bump jinja2 from 3.1.5 to 3.1.6 (#8563) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/26ed5139fb5ad8006db8a9f4b2c571d43cef6ee1|26ed5139>

- Fix SMC reading values (#8583) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/7bbe33d1e923bc794a60cbf0a6096c62d94358be|7bbe33d1>

- Fix network metrics in docker_container_stats (#8567) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/11dacee23afcabc93ce18f2591aeec89db8b2428|11dacee2>

- Implement yara_events table for Windows (#8580) osquery/osquery

Hi everyone, I need some clarification regarding osquery extensions. I recently custom-built an extension in Go. It works fine on Linux and macOS, but on Windows, I'm getting the following error:

I0404 11:53:12.662837 16328 init.cpp:413] osquery initialized [version=5.16.0]
I0404 11:53:12.766654 16328 extensions.cpp:438] Found autoloadable extension: C:\Program Files\custom\extensions\compliance.exe
O2025/04/04 11:53:14 Error creating extension: dialing pipe '\\.\pipe\osquery.em': open \\.\pipe\osquery.em: The system cannot find the file specified.
W0404 11:53:16.786880  3532 watcher.cpp:739] Extension respawning too quickly: C:\Program Files\custom\extensions\compliance.exe

Flags used:

--extensions_autoload="C:\Program Files\custom\extensions.load"
--extensions_timeout=5
--extensions_interval=5
--extensions_socket="\\.\pipe\osquery.em"

(I also tried using

--extensions_socket="\\.\pipe\shell.em"

but faced the same issue.) Has anyone faced a similar issue or can help me troubleshoot this? Any help would be appreciated! Looking forward to your suggestions.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/1e5ed3750e8f73257819d75694cd1b9f82280918|1e5ed375>

- Fix flaky mdfind test in CI (#8589) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/6b87d0cb535af8ecd4d53af39e8921c9b65727bb|6b87d0cb>

- libs: openssl: 3.2.1 -> 3.4.1 (#8586) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/ddd83fab60350090c2aa78e84e890738bd317b79|ddd83fab>

- Add support for DEB822-style apt sources (#8556) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/7815b6bf71ae26de5233c695aa8aca0a653bfbb6|7815b6bf>

- Add support for msix packages (#8585) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/c18a20d7fc7be9b13503258bcba1445090591ffe|c18a20d7>

- Implement dns_lookup_events table on Windows (#8553) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/60ce8f30dc86892a2ff3b388c6612d39f223a5ef|60ce8f30>

- Added UpgradeCode to programs table (#8587) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/24416b16f9c406d3deb1f74d5dfcee924c732bcd|24416b16>

- libs: expat bump from 2.6.0 to 2.7.1 (#8595) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by Smjert

<https://github.com/osquery/osquery/commit/455cdd7715ec2f3850b9cccced47885ed43089a2|455cdd77>

- Update ubuntu runners to 22.04 (#8592) osquery/osquery

Hey folks! 👋 I wanted to share my thoughts about Linkedin and hear your opinions. LinkedIn is turning into a total swamp — just endless sales pitches, random people trying to sell you stuff in their very first message, and so much useless noise. This is exactly why I value our communities so much, where we can communicate peacefully and I can grow my network without constantly being bombarded. Although, to be fair, scammers with suspicious files occasionally appear here too, but fortunately, there aren't many of them. Do you still find Linkedin useful? What social networks/platforms do you use for professional communication besides Slack? Looking forward to discussing this with you all! 🙌

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/e0ce3da13ab62cc4c5e61751059e6d084ee1d864|e0ce3da1>

- Refactor ETW helpers for unicode support (#8596) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/73123f921402c933de9b2f84ebc5e28a148b91ff|73123f92>

- Fix/startup items parsing (#8536) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/1ab05a6e4a21b8a6b6531ed45ecc4a748b47f5d1|1ab05a6e>

- Filter the Win32_Processor query to only required fields (#8598) osquery/osquery

Release - 5.17.0 New release published by zwass ## 5.17.0 Git Commits ## What's Changed • Add

CHANGELOG.md

entry for 5.16.0 by @lucasmrod in #8548 • Add

symlink_target_path

to

files

tables by @DocEmmetBrown in #8502 • cve: Ignore libarchive CVE-2024-26256 by @Smjert in #8546 • Fixes in windows helpers by @zwass in #8549 • Align ES functions with documented macOS versions by @SilverPlate3 in #8338 • Fix include path in logger-plugins.md by @zwass in #8550 • Fix integration test name in Windows build instructions by @zwass in #8552 • Fix event expiration to prevent losing events by @zwass in #8535 • Update

shell_history

table to include ash by @jbeley in #8568 • Fix dicker container table disk/write metrics, compares "op" values with ignore case by @Kislaci90 in #8566 • Escape service binary path in manage-osqueryd.ps1 by @smithclay in #8569 • Update

docker_container_stats

table to include memory_inactive_file and memory_total_inactive_file by @kfnorbi in #8577 • Add

auto_update

and

app_name

column to

homebrew_packages

table by @DocEmmetBrown in #8520 • Add support for scheduled queries to run at startup by @Micah-Kolide in #8554 • Boost 1.87 compatibility by @carlsmedstad in #8533 • Pin macos python versions in CI to fix mismatch between builder and test runner by @scottvanta in #8559 • cve: Ignore util-linux CVE-2024-28085 by @Smjert in #8579 • build(deps): bump jinja2 from 3.1.5 to 3.1.6 by @dependabot in #8563 • Fix SMC reading values by @sgress454 in #8583 • Fixes network metrics by @Kislaci90 in #8567 • Implement yara_events table for Windows by @zwass in #8580 • Fix flaky mdfind test in CI by @zwass in #8589 • libs: openssl: 3.2.1 -> 3.4.1 by @LeSuisse in #8586 • Add support for DEB822-style apt sources by @dantecatalfamo in #8556 • Add support for msix packages by @ksykulev in #8585 • Implement dns_lookup_events table on Windows by @zwass in #8553 • Added UpgradeCode to programs table by @ksykulev in #8587 • libs: expat bump from 2.6.0 to 2.7.1 by @LeSuisse in #8595 • Update ubuntu runners to 22.04 by @zwass in #8592 • Refactor ETW helpers for unicode support by @zwass in #8596 • Fix/startup items parsing by @AndreaMarangoni in #8536 • Filter the Win32_Processor query to only required fields by @jaymzjulian in #8598 ## New Contributors • @DocEmmetBrown made their first contribution in #8502 • @jbeley made their first contribution in #8568 • @Kislaci90 made their first contribution in #8566 • @smithclay made their first contribution in #8569 • @kfnorbi made their first contribution in #8577 • @scottvanta made their first contribution in #8559 • @LeSuisse made their first contribution in #8586 • @dantecatalfamo made their first contribution in #8556 • @jaymzjulian made their first contribution in #8598 Full Changelog: 5.16.0...5.17.0 osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/182672a0728f26fd20424b69ecad8d4c453c9dd0|182672a0>

- [Performance Analysis] print stderr if exists (#8600) osquery/osquery

👋 One question about this doc: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/

Do not use arbitrary category names under the

exclude_paths

node; only valid names are allowed.

• Valid categories - Categories referenced under the

file_paths

node. In the above example config,

homes

,

etc

and

tmp

are valid categories.

Other than

homes

,

etc

and

tmp

, are there any other valid categories? can I exclude a path like

/var/logs

and call the category

var

Thought I would ask. In the middle of porting my MacAgent off Python and into Swift. Is there a Swift Framework or Library already built to easy import OSQ?

Hi everyone, I'm working on integrating Sentry logging into the Kolide Launcher to capture runtime errors. I’ve added the Sentry logic and initialized the SDK in

main.go

. When I run

./launcher

directly, everything works fine and events show up in Sentry. However, when I install the launcher using the

.pkg

installer, the launcher runs successfully (I can see the computer appear in Fleet), but no logs are sent to Sentry. Has anyone here tried adding Sentry or another logging service to the launcher? Any idea ? Thanks in advance!

Hello, Are there query packs available for IT compliance? For example, ISO 27001, SOC 2, CMMC, NIST CSF etc.

Some advice for a noob please. Have been looking at Kolide (now 1password device trust) and Fleet DM which both built on osquery. Is it worth starting by learning osquery from scratch as both leverage it? There seems to be overlap in them I realise they were both once the same company.

Hello all, I'm currently configuring osquery with Fleet. I'm trying to use both BPF events and the Audit subsystem together to get complete coverage. Here's a snippet of my current flags configuration:

command_line_flags:
  disable_audit: false
  enable_bpf_events: true
  disable_events=false
  enable_file_events: true

When I check the osquery_events table, I can see that the audit publisher is now active, but I'm not seeing file events being generated when files in the monitored paths are modified, whereas I could see the bpf_process_events and bpf_socket_events. My questions: 1. Can BPF events and Audit subsystem be used together effectively, or do they conflict? 2. Is there a preferred approach for comprehensive monitoring that includes both FIM and process/socket monitoring? 3. Are there specific configurations needed to ensure FIM works properly with these settings? 4. Should I be using a specific publisher for FIM (inotify vs audit vs BPF)? Any guidance would be greatly appreciated!

Hi all, I have a question related to

process_events

and the osqueryd. We have configured:

"non_https_network_connection": {
      "query":
 "SELECT p.pid, p.path, pr.path AS parent_process, p.cmdline,
se.local_port, se.remote_port, se.local_address, se.remote_address FROM
socket_events AS se INNER JOIN process_events AS p ON p.pid = se.pid
LEFT JOIN process_events AS pr ON pr.pid = p.parent WHERE
.........<rest of query>';",
      "interval": "60",
      "description": "."
    },

Now this work locally

osqueryi

and presents all the events. The problem is when we run this pack with the deamon only one event is returned every 60s, while you would suspect all the events to be returned of the last 60s. Are we missing something here. Is this an optimisation issue? happy to hear? Best regards.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by Smjert

<https://github.com/osquery/osquery/commit/e085e11838d4f921827cf4754184a05ef2c6f654|e085e118>

- libs: Update googletest (#8604) osquery/osquery

Hi everyone! I'm Irena, the new Apprentice at Fleet. Super excited to connect with you all ☺️