However it seems that the built-in libraries (in my case found in C:\ProgramData\chocolatey\lib\boost-msvc14\local\lib) start with "lib" (that is, libboost_system-mt-s instead of boost_system-mt-s, etc.). Moreover libboost_serialization-mt-s.lib wasn't in the library folder, so I added it manually. After that, I was able to build the extension 🎉 But then I try to run one of the examples:

i think you can also use Beast as it has been imported into the third-party folder

in your own folder (like /usr/local/yourdeps or even in the source folder)

it's still not complete, this is just a small preview

So, who wants to track Docker containers? 🙂

There don't seem to be anyway errors generated by the extension. It runs fine on a certain percentage of hosts and on the hosts it unregisters on, it runs fine via osqueryi

Any recommended extension besides Polylogyx?

Thanks @alessandrogario. I’ll probably use Python’s builtin logging libraries which can manage the buffering for me

@groob capnproto? is it any good?

@seph what do you mean? I am trying to open History db, but it is locked by Chrome/Chomium so I can't run ATC queries. the only way is to copy the file

@alessandrogario doesn't he need to be giving the

--extensions_autoload=\path\to\extensions.load

argument to

osqueryd

?

this should work...but my first problem still remains....I am on another VM and I see that a orphan osqueryd(started by service) is holding db LOCK file..and since my extension could not connect to osquery it try to restart osquery using

net

. but the new osqueryd cannot get the LOCK since it is held by the zombie osqueryd...if I kill the zombie process I see that the LOCK file still exist...this is the problem I am trying to solve.

anyone ever run into problems with

tearDown()

and destructors not being called when exiting osqueryi or osqueryd?

normally the extension just connects to an already running osquery instance

@Ski alot can you restart osquery with the --verbose flag and paste here the output?

hello all...is there a osquery table that contains ethernet/mac addresses of the machine?

I am trying to use the extension located at https://github.com/clong/detect-responder , I am trying it on Windows and Linux and I believe everything is configured correctly regarding osquery python as there is no python errors. The error I get is 'Cannot create extension process: .\detect_responder.ext' . The command is osqueryi --nodisable_extension --extension <extension> --allow_unsafe --verbose

has trailofbits put out a version of their

osquery-extensions

that works with osquery 4.1.2?

I’m not sure you’re going to get a better set of answers than you did in https://osquery.slack.com/archives/C08V7KTJB/p1581915978247200 While here, or #windows would have been more appropriate, it’s still the same people

It should show CMake detecting the compiler etc

I will try this, thanks for the clarifications!

Can osquery-go be used to write

_event

based tables? If so, is there any example code?

hi all, If I have my custom extension, How do I restrict access of my extension only to my APP. I don't want to use remote setting. I want my APP to collect data and send to my server. any suggestions/ pointers?

The example_extension.cpp in the osquery/example folder does not build if I place it in the externals folders. Are they no longer up to date or is there some other method of building them.

anyone know of an extension that exposes appcompat/amcachehive entries as a table?

we added to the source files:

osquery\logger.h  -> osquery\logger\logger.h

osquery\system.h  -> osquery\core\system.h

osquery\tables.h  -> osquery\core\tables.h

and it works! now, we execute in SYSTEM terminal

osqueryi.exe --extension path\to\extension.ext.exe --allow_unsafe=true

and we came across this error:

client connected.

TPipe::GetOverlappedResult errored GLE=errno = 109

client connected.

TConnectedClient died: Tpipe GetOverlappedResult falied

........

hey, I'm using

request.constraints[""].getAll(osquery::EQUALS)

in my extension to get the query parameters. it's looks like this:

auto connection_details_list = request.constraints["connection_details"].getAll(osquery::EQUALS);

for (std::string connection_details : connection_details_list)

{

.....

}

From some reason, I don't get anything. My query:

SELECT * FROM MyTable WHERE connection_details = "username|password" AND ... AND ...;

Built both osquery and osquery-extensions again from master branch. Still getting same error

Error: datatype mismatch

Running osqueryi.exe in verbose mode is giving this error

I0924 14:26:39.181792 35724 virtual_table.cpp:401] Failed to serialize the INSERT request
Error: datatype mismatch

@alessandrogario Do you know how well writable tables are supported outside of the C++ SDK? My impression was that it wasn't possible,but I haven't been very active in the last year.

Hi, what is reliable way to stop extension, the runner seem to stop dispatcher, event factory etc on calling shutdown() however, when we launch the extension continuously in a loop the agent complains of thrift error as start extension failed