1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/2fea4e4d3fc9379fd3b0bcc647ae9baa8407696a|2fea4e4d>

- Fix dicker container table disk/write metrics, compares "op" values with ignore case (#8566) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/0c952af9d7a6b72e5771f0e0ae75f140f4fbdb95|0c952af9>

- Escape service binary path in

manage-osqueryd.ps1

(#8569) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/e5ef44e80271009a92f6d94060ffd561dc6fc481|e5ef44e8>

- Update

docker_container_stats

table to include memory_inactive_file and memory_total_inactive_file (#8577) osquery/osquery

Hi osquery team, I'm encountering an issue with osquery where it is not working as expected. Below are the details of the issue: Problem Description: if we run osquery with extension on windows socket it works for few minutes and then we get the error "Extension socket not available: \\.\pipe\osquery.em.7065" E0322 195053.988317 2444 scheduler.cpp:128] Error executing scheduled query foobar_win: vtable constructor failed: foobar What i did? • this is a fresh installation of osquery which i have downloaded from the offficial site https://pkg.osquery.io/windows/osquery-5.16.0.msi • after successfully installing the osquery i have created simple extension with foobar • created a new folder named "extention" inside c:\program files\osquery and moved the extension inside this folder then i have followed this document to change the permission https://osquery.readthedocs.io/en/stable/deployment/extensions/ • created a new file called extensions.load in c:\program files\osquery and added the extension path inside this • in osquery.conf file i have added schedule which will query and get the data for every 60 sec • then from windows service manager i have started the osqueryd service • in c:\program files\osquery\logs i was able to see the logs and also the result ("snapshots")

{
  "schedule": {
    "foobar_win": {
      "query": "SELECT * FROM foobar;",
      "interval": 10,
      "snapshot": true
    }
  }
}

Working smaple:

{
  "snapshot": [
    {
      "baz": "baz",
      "foo": "bar"
    },
    {
      "baz": "baz",
      "foo": "bar"
    }
  ],
  "action": "snapshot",
  "name": "foobar_win",
  "hostIdentifier": "DESKTOP-CLKS76M",
  "calendarTime": "Sat Mar 22 14:09:26 2025 UTC",
  "unixTime": 1742652566,
  "epoch": 0,
  "counter": 0,
  "numerics": false
}

What i have noticed? (in linux it works but in windows it's not) when i get the error E0322 195053.988317 2444 scheduler.cpp:128] Error executing scheduled query foobar_win: vtable constructor failed: foobar memory usage and disk usage goes to 100% and also cpu usage goes to 70% which is not consumed by osquery. this 100% usage issue comes right after i get the vtable constructor failed: foobar "also noticed 2 process running in the task manager not sure why" System Information: • OS: [windows 11 version: 24H2] • osquery Version: [5.16.0] Logs and Errors: I have attached a zip file containing logs, including both working and error states, to help debug the issue. Let me know if you need any additional details.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/7e4c11a43b4f401e9eac7e07a2c23b2338d2ab88|7e4c11a4>

- Add

auto_update

and

app_name

column to

homebrew_packages

table (#8520) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/60342cacb0831e0102d61672579b1a78b96de163|60342cac>

- Add support for scheduled queries to run at startup (#8554) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/4ea10544a944715a1078065a5b82ffba36fc8c26|4ea10544>

- Boost 1.87 compatibility (#8533) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/2801baffd4ff3522434d593e6b22ede24cc7f283|2801baff>

- Pin macos python versions in CI to fix mismatch between builder and test runner (#8559) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/1424defadf2bf65b5a6ff9bdde787820b5a1e1e2|1424defa>

- cve: Ignore util-linux CVE-2024-28085 (#8579) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/701b62fa7c6116cbe148e13766896b7f239d14ff|701b62fa>

- build(deps): bump jinja2 from 3.1.5 to 3.1.6 (#8563) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/26ed5139fb5ad8006db8a9f4b2c571d43cef6ee1|26ed5139>

- Fix SMC reading values (#8583) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/7bbe33d1e923bc794a60cbf0a6096c62d94358be|7bbe33d1>

- Fix network metrics in docker_container_stats (#8567) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/11dacee23afcabc93ce18f2591aeec89db8b2428|11dacee2>

- Implement yara_events table for Windows (#8580) osquery/osquery

Hi everyone, I need some clarification regarding osquery extensions. I recently custom-built an extension in Go. It works fine on Linux and macOS, but on Windows, I'm getting the following error:

I0404 11:53:12.662837 16328 init.cpp:413] osquery initialized [version=5.16.0]
I0404 11:53:12.766654 16328 extensions.cpp:438] Found autoloadable extension: C:\Program Files\custom\extensions\compliance.exe
O2025/04/04 11:53:14 Error creating extension: dialing pipe '\\.\pipe\osquery.em': open \\.\pipe\osquery.em: The system cannot find the file specified.
W0404 11:53:16.786880  3532 watcher.cpp:739] Extension respawning too quickly: C:\Program Files\custom\extensions\compliance.exe

Flags used:

--extensions_autoload="C:\Program Files\custom\extensions.load"
--extensions_timeout=5
--extensions_interval=5
--extensions_socket="\\.\pipe\osquery.em"

(I also tried using

--extensions_socket="\\.\pipe\shell.em"

but faced the same issue.) Has anyone faced a similar issue or can help me troubleshoot this? Any help would be appreciated! Looking forward to your suggestions.

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/1e5ed3750e8f73257819d75694cd1b9f82280918|1e5ed375>

- Fix flaky mdfind test in CI (#8589) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/6b87d0cb535af8ecd4d53af39e8921c9b65727bb|6b87d0cb>

- libs: openssl: 3.2.1 -> 3.4.1 (#8586) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/ddd83fab60350090c2aa78e84e890738bd317b79|ddd83fab>

- Add support for DEB822-style apt sources (#8556) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/7815b6bf71ae26de5233c695aa8aca0a653bfbb6|7815b6bf>

- Add support for msix packages (#8585) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/c18a20d7fc7be9b13503258bcba1445090591ffe|c18a20d7>

- Implement dns_lookup_events table on Windows (#8553) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/60ce8f30dc86892a2ff3b388c6612d39f223a5ef|60ce8f30>

- Added UpgradeCode to programs table (#8587) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/24416b16f9c406d3deb1f74d5dfcee924c732bcd|24416b16>

- libs: expat bump from 2.6.0 to 2.7.1 (#8595) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by Smjert

<https://github.com/osquery/osquery/commit/455cdd7715ec2f3850b9cccced47885ed43089a2|455cdd77>

- Update ubuntu runners to 22.04 (#8592) osquery/osquery

Hey folks! 👋 I wanted to share my thoughts about Linkedin and hear your opinions. LinkedIn is turning into a total swamp — just endless sales pitches, random people trying to sell you stuff in their very first message, and so much useless noise. This is exactly why I value our communities so much, where we can communicate peacefully and I can grow my network without constantly being bombarded. Although, to be fair, scammers with suspicious files occasionally appear here too, but fortunately, there aren't many of them. Do you still find Linkedin useful? What social networks/platforms do you use for professional communication besides Slack? Looking forward to discussing this with you all! 🙌

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by directionless

<https://github.com/osquery/osquery/commit/e0ce3da13ab62cc4c5e61751059e6d084ee1d864|e0ce3da1>

- Refactor ETW helpers for unicode support (#8596) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/73123f921402c933de9b2f84ebc5e28a148b91ff|73123f92>

- Fix/startup items parsing (#8536) osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/1ab05a6e4a21b8a6b6531ed45ecc4a748b47f5d1|1ab05a6e>

- Filter the Win32_Processor query to only required fields (#8598) osquery/osquery

Release - 5.17.0 New release published by zwass ## 5.17.0 Git Commits ## What's Changed • Add

CHANGELOG.md

entry for 5.16.0 by @lucasmrod in #8548 • Add

symlink_target_path

to

files

tables by @DocEmmetBrown in #8502 • cve: Ignore libarchive CVE-2024-26256 by @Smjert in #8546 • Fixes in windows helpers by @zwass in #8549 • Align ES functions with documented macOS versions by @SilverPlate3 in #8338 • Fix include path in logger-plugins.md by @zwass in #8550 • Fix integration test name in Windows build instructions by @zwass in #8552 • Fix event expiration to prevent losing events by @zwass in #8535 • Update

shell_history

table to include ash by @jbeley in #8568 • Fix dicker container table disk/write metrics, compares "op" values with ignore case by @Kislaci90 in #8566 • Escape service binary path in manage-osqueryd.ps1 by @smithclay in #8569 • Update

docker_container_stats

table to include memory_inactive_file and memory_total_inactive_file by @kfnorbi in #8577 • Add

auto_update

and

app_name

column to

homebrew_packages

table by @DocEmmetBrown in #8520 • Add support for scheduled queries to run at startup by @Micah-Kolide in #8554 • Boost 1.87 compatibility by @carlsmedstad in #8533 • Pin macos python versions in CI to fix mismatch between builder and test runner by @scottvanta in #8559 • cve: Ignore util-linux CVE-2024-28085 by @Smjert in #8579 • build(deps): bump jinja2 from 3.1.5 to 3.1.6 by @dependabot in #8563 • Fix SMC reading values by @sgress454 in #8583 • Fixes network metrics by @Kislaci90 in #8567 • Implement yara_events table for Windows by @zwass in #8580 • Fix flaky mdfind test in CI by @zwass in #8589 • libs: openssl: 3.2.1 -> 3.4.1 by @LeSuisse in #8586 • Add support for DEB822-style apt sources by @dantecatalfamo in #8556 • Add support for msix packages by @ksykulev in #8585 • Implement dns_lookup_events table on Windows by @zwass in #8553 • Added UpgradeCode to programs table by @ksykulev in #8587 • libs: expat bump from 2.6.0 to 2.7.1 by @LeSuisse in #8595 • Update ubuntu runners to 22.04 by @zwass in #8592 • Refactor ETW helpers for unicode support by @zwass in #8596 • Fix/startup items parsing by @AndreaMarangoni in #8536 • Filter the Win32_Processor query to only required fields by @jaymzjulian in #8598 ## New Contributors • @DocEmmetBrown made their first contribution in #8502 • @jbeley made their first contribution in #8568 • @Kislaci90 made their first contribution in #8566 • @smithclay made their first contribution in #8569 • @kfnorbi made their first contribution in #8577 • @scottvanta made their first contribution in #8559 • @LeSuisse made their first contribution in #8586 • @dantecatalfamo made their first contribution in #8556 • @jaymzjulian made their first contribution in #8598 Full Changelog: 5.16.0...5.17.0 osquery/osquery

1 new commit pushed to

<https://github.com/osquery/osquery/tree/master|master>

by zwass

<https://github.com/osquery/osquery/commit/182672a0728f26fd20424b69ecad8d4c453c9dd0|182672a0>

- [Performance Analysis] print stderr if exists (#8600) osquery/osquery

👋 One question about this doc: https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/

Do not use arbitrary category names under the

exclude_paths

node; only valid names are allowed.

• Valid categories - Categories referenced under the

file_paths

node. In the above example config,

homes

,

etc

and

tmp

are valid categories.

Other than

homes

,

etc

and

tmp

, are there any other valid categories? can I exclude a path like

/var/logs

and call the category

var

Thought I would ask. In the middle of porting my MacAgent off Python and into Swift. Is there a Swift Framework or Library already built to easy import OSQ?