# general
  • p

    Priya Dwivedi

    09/05/2025, 8:14 AM
    Currently I am doing packet sniffing so that we can develop an "osquery_extension". During packet sniffing I want to store [Date | time | domain | URL | User | source & destination IP & port | TLS_certifying_authority | TLS_protocol]. I am trying with the scapy library. Can anyone suggest which library we should use so that we can capture all these details?
  • s

    seph

    09/08/2025, 1:33 AM
    Hi folks! I'm pleased to announce 5.19.0 is stable. https://osquery.io/downloads/official/5.19.0
    🎉 3
  • g

    GitHub

    09/10/2025, 6:55 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/f74a51f649d1bceba43b349008ab3b4cfcf0d0b0|f74a51f6>
    - Change dependency for macOS universal binary in CI workflow (#8667) osquery/osquery
  • g

    GitHub

    09/10/2025, 11:20 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/a5030826256abb8a4174bcdf6007c4ef5238977d|a5030826>
    - Update CHANGELOG to point to Releases page. (#8681) osquery/osquery
  • g

    GitHub

    09/10/2025, 11:21 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/b3e3f3b6fefe799f61191c1ebe5f2e44f0fe1390|b3e3f3b6>
    - Update dns_resolvers documentation to point to interface_details on Windows (#8682) osquery/osquery
  • g

    GitHub

    09/11/2025, 12:49 AM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/1a4114c729b28a2f23c1c11466ab7e45ec6c9521|1a4114c7>
    - Fix build against libaudit >=4.1.1 by removing set_aumessage_mode call (#8676) osquery/osquery
  • g

    GitHub

    09/18/2025, 4:44 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/05ddd2b6ba90529614f1bcab199be4594820b16b|05ddd2b6>
    - libs: libarchive: 3.7.9 -> 3.8.1 (#8642) osquery/osquery
  • t

    Toni Sanmateu

    09/19/2025, 4:46 PM
    Hi! 🙂 Would really appreciate a hand on this issue 🙏 Thanks a lot in advance
  • g

    GitHub

    09/29/2025, 5:11 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/05b741229d91189acb019e3923c3f5075e088a3d|05b74122>
    - Add default path for CA certificate bundle on openSUSE (#8687) osquery/osquery
  • g

    GitHub

    10/03/2025, 12:40 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/cab5fc757f3d70133061ead5a505ae07768049ab|cab5fc75>
    - Exclude config views from db migration (#8678) osquery/osquery
  • g

    GitHub

    10/07/2025, 1:07 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/ac3b20691dac898ee63fdc7bb6e2d2eec9f61bc7|ac3b2069>
    - Stop trying to install strawberry perl on the windows CI runners (#8698) osquery/osquery
  • g

    GitHub

    10/07/2025, 1:07 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/a34034a5bff1d4addb8d32b40dd28ec4097f34d9|a34034a5>
    - Free diskspace on linux CI runners (#8697) osquery/osquery
  • g

    GitHub

    10/07/2025, 5:33 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/56473dc9fd428e5de2e1eb11078de152bcce544d|56473dc9>
    - Make `vscode_extensions` more consistently report UUID (#8693) osquery/osquery
  • g

    GitHub

    10/07/2025, 5:34 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/181ac85d48542de41c8bb10e60713ef9c6018b81|181ac85d>
    - Don't overwrite hardware_version if it has a value (#8690) osquery/osquery
  • g

    GitHub

    10/07/2025, 5:42 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/9fdcd51bb2cbfc81b487cf9bc48f3b3aa2226bbb|9fdcd51b>
    - Support `nvm` on `npm_packages` table (#8694) osquery/osquery
  • z

    zwass

    10/08/2025, 4:20 PM
    Whoops, we accidentally posted promotional content into this channel rather than #C01DXJL16D8. Sorry about that. Now deleted.
    ty 1
  • s

    Shiji Zhou

    10/09/2025, 5:25 PM
    Hi guys, could you advise me on how to use osquery to retrieve the same configurations that I previously obtained via the `sysctl -a` command?
  • g

    GitHub

    10/09/2025, 8:38 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/ad99fb5651afbbd1871f2de60b7873f78935262f|ad99fb56>
    - Add scoped npm package path (#8686) osquery/osquery
  • g

    GitHub

    10/11/2025, 2:27 AM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/e8f154ef3143ad31073d918612de394f2e958a77|e8f154ef>
    - Fix SQL examples for system_profiler table (#8699) osquery/osquery
  • s

    sean.cavanaugh

    10/15/2025, 5:17 PM
    Is anyone using the `jetbrains_plugins` table with success? I'm unable to get it to return results on hosts that have jetbrains plugins installed. Trying both via osqueryi locally and w/ distributed queries via Fleet.
    ✅ 1
  • c

    cTakaHoz

    10/16/2025, 10:28 AM
    Hi, I have a question about how the `--events_optimize` parameter works; it is enabled by default. I currently have `--watchdog_level=0` in my osquery configuration, and `--events_optimize` is set to false. I collect data from the *_events tables and I'm concerned that I might run into issues with losing some logs. According to the documentation, this parameter works as follows:
    > Every time the SELECT query runs on a subscriber, the current time is saved. Subsequent SELECTs will use the previously saved time as the lower bound.
    I'm interested in how the current time is saved: is it recorded after the query completes successfully, or before the query completes, at execution time? Just in case a query against a *_events table becomes resource-intensive, the watchdog may kill the osquery process, and if the current time is saved at execution time, I could lose logs, since the next query will no longer see older events.
    👀 1
  • g

    GitHub

    10/22/2025, 5:09 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by directionless
    <https://github.com/osquery/osquery/commit/57e120d124688dc866081ee6bf857994536a881c|57e120d1>
    - Project Documentation/README updates (#8696) osquery/osquery
  • g

    GitHub

    10/23/2025, 4:10 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/f4fd92fbc2648eb914859dff57f38b1fe1ff99d8|f4fd92fb>
    - Add more informative descriptions for `mounts.blocks_free` and `mounts.blocks_available` (#8701) osquery/osquery
  • g

    GitHub

    10/23/2025, 4:12 PM
    Release - 5.20.0
    New release published by zwass
    ## What's Changed
    • Enhance issue description with automation note by @directionless in #8679
    • Change dependency for macOS universal binary in CI workflow by @zwass in #8667
    • Update CHANGELOG to point to Releases page. by @frankgraziano in #8681
    • Update dns_resolvers documentation to point to interface_details on Windows by @zwass in #8682
    • Fix build against libaudit >=4.1.1 by removing set_aumessage_mode call by @Blarse in #8676
    • libs: libarchive: 3.7.9 -> 3.8.1 by @LeSuisse in #8642
    • Add default path for CA certificate bundle on openSUSE by @iko1 in #8687
    • Exclude config views from db migration by @Micah-Kolide in #8678
    • Stop trying to install strawberry perl on the windows CI runners by @directionless in #8698
    • Free diskspace on linux CI runners by @directionless in #8697
    • Make `vscode_extensions` more consistently report UUID by @zwass in #8693
    • Don't overwrite hardware_version if it has a value by @sbrito85 in #8690
    • Support `nvm` on `npm_packages` table by @dantecatalfamo in #8694
    • Add scoped npm package path by @lichao127 in #8686
    • Fix SQL examples for system_profiler table by @zwass in #8699
    • Project Documentation/README updates by @directionless in #8696
    • Add more informative descriptions for `mounts.blocks_free` and `mounts.blocks_available` by @jacobshandling in #8701
    ## New Contributors
    • @frankgraziano made their first contribution in #8681
    • @Blarse made their first contribution in #8676
    • @jacobshandling made their first contribution in #8701
    Full Changelog: 5.19.0...5.20.0
    osquery/osquery
  • z

    zwass

    10/29/2025, 4:43 PM
    Hey folks, Seph and I got the 5.20.0 pre-release out last week. Please test if you are able.
    🎉 1
  • g

    GitHub

    11/06/2025, 3:23 PM
    1 new commit pushed to
    <https://github.com/osquery/osquery/tree/master|master>
    by zwass
    <https://github.com/osquery/osquery/commit/6f6fe28f37765fdcd57a0e85c06e5959d4fe5718|6f6fe28f>
    - Improvements to password_policy table (#8705) osquery/osquery
  • r

    Ryan Stortz

    11/11/2025, 12:35 AM
    does osquery still support centos6? and why
  • s

    seph

    11/12/2025, 1:18 PM
    Hi Folks! Osquery 5.20.0 stable. 🎉 You can see the release notes in the above link. Enjoy!
    🎉 2
  • r

    Robin Johansson

    11/18/2025, 12:08 PM
    cloudflare 🫠
    🤦‍♂️ 2
  • a

    anurag

    11/28/2025, 9:57 AM
    Hi Everyone, I am facing an issue where I can't retrieve the scheduled query results through my /api/logs endpoint, which is in Python, and I am using ngrok to serve an HTTPS server. Here is the flags file:
    ```
    # Server Configuration
    --tls_hostname=xxxx.ngrok-free.dev
    # Enrollment Configuration
    --enroll_tls_endpoint=/api/enroll
    --enroll_secret_path=C:\osquery_certs\enrollment_secret.txt
    --disable_enrollment=false
    # Config Plugin
    --config_plugin=tls
    --config_tls_endpoint=/api/config
    --config_tls_refresh=60
    --config_tls_max_attempts=3
    # Logger Configuration
    --disable_logging=false
    --logger_plugin=tls
    --logger_tls_endpoint=/api/logs
    --logger_tls_period=5
    --logger_event_type=true
    --logger_min_status=0
    # Device Identification
    --host_identifier=uuid
    # Verbose logging for testing
    --verbose=true
    --logger_min_status=0
    --allow_unsafe
    --force
    --tls_dump
    --enable_ntfs_event_publisher=true
    --enable_process_etw_events=true
    --enable_windows_events_publisher=true
    --enable_windows_events_subscriber=true
    --disable_events=false
    --disable_database=false
    ```
    Could someone please guide me on what I am doing wrong? This is the config which I am sending back in the config API response:
    ```python
    # Flask imports used by this handler; `app` and `enrolled_nodes`
    # are defined elsewhere in the server (not shown in the post).
    from flask import jsonify, request

    @app.route('/api/config', methods=['POST'])
    def config():
        """Provide osquery configuration"""
        data = request.get_json()
        node_key = data.get('node_key', '')
        print(f"\n[CONFIG] Request from node_key: {node_key}")
        if node_key not in enrolled_nodes:
            print(f"[CONFIG] FAILED - Unknown node_key")
            return jsonify({"node_invalid": True}), 401
        # Simple config with one query
        osquery_config = {
            "schedule": {
                "os_version": {
                    "query": "SELECT * FROM os_version;",
                    "interval": 10
                },
            }
        }
        print(f"[CONFIG] Sending configuration")
        return osquery_config
    ```