I clicked some buttons. Release is probably going

I'm working on porting forward an old patch for containerd support, which requires grpc. I can get it to run but it fails when upgrading grpc with a linking error. I'd rather not keep an ancient grpc version, so does anyone with experience with cmake have troubleshooting suggestions?

Working version with old grpc: https://github.com/artemist-work/osquery/tree/containerd-events Broken version with new grpc: https://github.com/artemist-work/osquery/tree/containerd-events-grpc-update

Hey folks, are we ready to mark 5.5.1 as stable?

This was just blocked on making a website PR. Let me see…

I do not even remember how to tell how what’s in the doanloads

I’ll just re-gen erate things

https://github.com/osquery/osquery/issues/7770 for the chaos

@zwass @mikermcneil Hey guys. Not sure if this is the best place to discuss this with the core team. I recently noticed that FleetDM is mirroring many of the conversations happening in this Slack on your website. https://osquery.fleetdm.com/t/2679/hi-i-am-trying-to-get-the-values-associated-to-a-windows-reg I have a problem with this because it’s taking content that you have no ownership of (including content written by me and my employees) and placing it on your webpages which have clear CTAs to try your product. I don’t mind things I say and contribute here being used to help and promote the osquery project itself, but I take issue with it being used on your domain and branding. I think that this Slack archiving capability is a great idea that will absolutely help the community, but I would be much more comfortable with it living on osquery.io not on fleetdm.com. It would be great if you guys could work with the right folks and host it on osquery.io and with osquery branding, but if you don’t have the time to do that, then I insist you take it down as soon as possible.

Thanks for raising this @terracatta. For myself, and maybe for the core team, I feel uncomfortable with slack archives there. I recognize the value in archives, but it does feel weird in the fleet branding.

A bit later than planned, but 5.6.0 has been cut and there are builds up at https://github.com/osquery/osquery/releases/tag/5.6.0

Hey folks, any concern with adding Fleet as a sponsor on the bottom of osquery.io? We are currently the biggest backer on LFX crowdfunding, invest significant development resources into osquery, and now maintain and pay for the slack archives.

I'm for that but I'm a bit biased

Hello. I have created an issue https://github.com/osquery/osquery/issues/7797. The suggested thing is to widen the info available in windows_optional_features table.

By the way, the sqlite one I forgot that we did update the library already since it's easy to update. So beyond not being affected by the original CVE, in 5.5.1 we had already updated it.

hey team, I was wondering if I can get some help tweaking or investigating this further: on certain hosts with osquery, I frequently see

Copy code

Linesize exceeds TLS logger maximum:

warnings at 5MB, 10MB, and 13MB values I believe this indicates that a query result from osquery is larger than the

logger_tls_max_linesize

value and is being dropped/not sent to the TLS endpoint. At the moment, that value is set to the default 1MB currently, I configured osqueryd to run with the following

--config_tls_max_attempts=6
--database_path=/state/osquery.db
--decorations_top_level=true
--disable_events=true
--disable_extensions=false
--disable_watchdog=false
--docker_socket=/run/docker.sock
--enroll_secret_path=/etc/osquery/enroll_secret.txt
--enroll_tls_endpoint=<endpoint>
--host_identifier=hostname
--logger_plugin=tls
--logger_tls_endpoint=<endpoint>
--logger_tls_max_linesize=1048576
--logger_tls_period=60
--read_max=209715200
--table_delay=200
--tls_hostname=<endpoint>
--tls_session_reuse=true
--tls_session_timeout=3600
--utc=true
--watchdog_memory_limit=900

I was curious if anyone would know if there are settings I can tweak to avoid dropping these results, or if there was a way I can investigate which query pack was causing such a large result?

Hello, is there an option to run osquery on windows without without installing it? E.g. using powershell (winRM) to invoke portable osquery without installing it on target servers.

Hello guys, I noticed that osquery is trying to resolve AWS ip addresses on startup (using osqueryi). I am not using any AWS related tables nor uploading results to AWS. Has anyone experienced something similar ?

Can you provide some additional detail? Where are you seeing this?

Can anyone suggest the best way to detect a short lived process on windows ?

Hello, have you experienced cases when windows_update_history table is empty but patches table is not? I mean other than the one when windows' local updates database crashes and is recreated automatically.

5.7.0 is now shipped to Fleet's

edge

channel. Should have results in the next few days.

We’ve had it running in Kolide’s beta fleet since Tuesday

In office hours today, we discussed desupporting centos6. This last came up a year ago, and there was some hesitation. Now, a year later, everything is still true. It’s hard to support, 3rd party libraries increasingly require newer kernels. Etc. We are planning on starting to drop cenost6 support. https://github.com/osquery/osquery/issues/7445

Hi the docs on the "events_expiry" flag say that events are only expired right after being queried (or if the max events buffered limit is hit), which seems great to avoid missing events even if a host goes offline temporarily. When I was looking at the code, it seemed like there are a couple other places where cleanup is done: when new events are received and on set up. Is this expected? I haven't been able to test the behavior yet, so it's possible I'm misreading, but I want to make sure we're setting the expiry time correctly to avoid losing events.

Hello, Does OSQuery support user defined functions in query ?

Hi folks. I wanted to checkin on where we are with 5.8 • I see the ETW events table was renamed. Was there anything else? • I think Stefano’s various library PRs all merged • @alessandrogario Should we merge in https://github.com/osquery/osquery/pull/7773 I think it would also be good to get some small fixes/features in: • https://github.com/osquery/osquery/pull/7916 • https://github.com/osquery/osquery/pull/7803 • https://github.com/osquery/osquery/pull/7801

Has anybody seen this error in osquery logs before?

I0208 17:44:39.302111 254910464 buffered.cpp:75] Error sending results to logger: Cannot parse JSON: The document root must not be followed by other values. Offset: 4

Hey friends, I've spun up osquery on a test macos machine (Ventura) -- I used brew to install 5.7.0, and ran

sudo osqueryctl start

after copying the example configuration file to osquery.conf. I've been playing around with the packs here: https://github.com/chainguard-dev/osqtool but for reasons that aren't apparent to me, I'm getting errors about tables missing in /var/log/osquery/osqueryd.INFO:

E0218 19:28:57.638203 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_sketchy-fetcher-events: no such table: process_events
E0218 19:29:05.149111 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-privilege-escalation_macos: no such table: signature
E0218 19:29:16.931692 -2145783808 scheduler.cpp:128] Error executing scheduled query pack_odk-detection_unexpected-env-values-macos: no such table: process_envs

I even took the output here

osqueryi --list "select name, default_value from osquery_flags

and after text replacing, and adding '--' to the beginning of each line, sent the results to osquery.flags to make sure the defaults were all set. osqueryi sees those tables just fine. I did add osquery to 'Full Disk Access' in macos perms. What am I missing here? I see osqueryd running as root in

ps

output. I've attempted to toggle some of the settings -- like enabling most of the audit_allow choices, and making sure the relevant disable-* settings were set to false.