@groob @alessandrogario using osquery-go and trying to grab greater than and less than constraints - it looks like the constraints list is empty when I use

<

or

>

in the query - works fine when using equals or not equal to (have not tested other operators yet)

Hi, we are seeing deadlock when osquery extension is using multiple threads to share the extension client between them. Is the client is thread safe or we need to create multiple clients

Hi! I compiled the osquery extensions from trailofbits, and I have been trying to use the darwin_unified_log one. It loads correctly (seen with -verbose), but when I query the table it should generate, the table is always empty, can anyone help me out with this one?

@alessandrogario do we no longer have an example extension? It seems like it was deleted in PR 6747 https://github.com/osquery/osquery/commit/ffa3da4941541840f758b286a4d21cdd4b39371d#diff-3847aba4f0050db8d10d9385a9[…]3253b7bf152611074b2f8ffa677c56f

I’m pretty sure there’s something weird in the extensions/config. I recall something about how extensions get loaded, because they can create new config sections. (This might only be c++ ones, not thrift ones)

The extension could collect data in the background and return it when a SELECT occurs; reasons for not implement this in core include not being able to cleanup the database

(well, barring the uptycs proposal for event -> log streaming.)

I'd be fine with writing an events buffer for osquery-go with a backing store if we could figure out how to resolve the events_optimize issue.

missing part is to identify the query, but we can probably find a way

(also yeah, would be nice to replace Thrift; Stefano and I looked into Apache Thrift which is more maintained but they have like huge dependencies)

Even though the C++ SDK is super bad, unless we roll our own (which is not too hard for what we need, honestly), we could consider grpc

map<string, Object>

where

Object

is a

union

should work in thrift AFAIK. Overhead for serialization/de-serialization via domain sockets should be negligible compared to JSON. We have been pushing events in near real-time for ~4 years. OSS PR https://github.com/osquery/osquery/pull/3482 and others didn't go anywhere. Our Osquery at most have a latency of 4 seconds on events. Here is a customer from 2020 @scale conference who measured events -> alerts in ~1.7 seconds The more I explore extensions, these limitations are biting me. Happy to contribute, if there is consensus.

@seph I looked at the issues (open and closed) and I don't think this has been asked before, but would Kolide Launcher accept a change to give it the ability to update osquery extensions as well as the agent?

hi everyone👋 I just released a osquery extension I've been working on for a bit, lief-osquery, https://github.com/puffyCid/lief-osquery Its an extension that lets u parse PE and MACHO file formats (similar to elf tables for the linux version of osquery). It uses LIEF (Library to Instrument Executable Formats, https://lief.quarkslab.com/) to parse the executable files and displays a variety information (imported/exported functions, basic binary info, libraries used, binary sections, and sig information for PE files) Its pretty simple right now if anyone has suggestions/feedback on things to change or add let me know! Thanks!

Surprisingly a C++ example is not straightforward in that case (but that’s a problem on our side, there should be an example) Read the readme here for a Python example https://github.com/osquery/osquery-python

Hi, I am a software engineer at Apple working with osquery. My team has identified a bug when osquery tries to create multiple copies of the same extension. How to repro: 1. start an extension with the extension watchdog disabled 2. make the extension use a lot of CPU or RAM Has anyone else noticed as well? We would like to push our local patch upstream. Who would be the person of contact to share more details, or review the code change? Thanks for any help.

@Ryan Small https://prateeknischal.github.io/apache-thrift-over-unix-sockets/

Hi All, new to this. I followed this document to create osquery python extensions. https://github.com/osquery/osquery-python this works in linux but when i try to do it in windows it just fails to register the extension. Im not sure what i did wrong, since the only error i receive is " Cannot create extension process: test2.py". I have changed the file permissions as per osquery documentation and also ran osqueryi in --allow_unsafe mode (for the time being). Any help is appreciated! Thanks!

Hi fellows, when I run my extension without Administrator privileges I get this error, which I expect, cos' the pipe was opened by an elevated process:

Unable to connect to \\.\pipe\osquery.em with uds_windows::UnixStream: Os { code: 10013, kind: PermissionDenied, message: "An attempt was made to access a socket in a way forbidden by its access permissions." }

But when I execute with Admin user or as the user guide explains to manually load an extension it cannot connect to the socket with this error:

Unable to connect to \\.\pipe\osquery.em with uds_windows::UnixStream: Os { code: 10061, kind: ConnectionRefused, message: "No connection could be made because the target machine actively refused it." }

I just checked the flags to include the path and name of the socket and enable the extension loading:

--extensions_socket=\\.\pipe\osquery.em
--disable_extensions=false

I compiled the extension, moved it to the installed folder of osquery (

c:\Programs Files\osquery

) as

myshinny.ext.exe

and executed like this without success:

.\osqueryi.exe --allow-unsafe --extension myshinny.ext.exe

Then I tried to create a Extension folder, move the extensions inside it and apply the

icacls.exe

commands listed on the osquery's extension guide but again with no success. I'm trying to update the (https://github.com/zacbrown/osquery-rs) to support windows through (https://github.com/haraldh/rust_uds_windows/)

Hello, I have a logger extension which I want to extend to receive status messages to filter out specific messages related to running queries. I’ve enabled --verbose but set --logger_stderr=false. I get all the scheduler messages now in my logger plugin and can filter out the message I need (for example:Executing scheduled query running_processes_osx_events) but they are still logged to stderr with the message prefix I0818. Is there a way to get all --verbose messages send trough a logger plugin and NOT log the same thing to stderr? We are using OSQuery 4.9.0 on macOS

Hi, does any one have any documentation on what the numeric monitoring is generating?

Hello, (about the same extension) I’m having problems running the extension in Windows I was wondering if the problem had happened before with someone else… if I load the extension manually (1st the osquery --nodisable_extensions then ./extension --socket …) it works fine. However, if I use osquery --extension or the extensions.load file, an error message shows when trying to create extension process, osqueryd seems to be booting… but then it quits in a strange way. I’m using --allow_nosafe option but I don’t think it is related. Any idea?

PS C:\Program Files\osquery> .\osqueryd\osqueryd.exe --flagfile osquery.flags --verbose
I0913 01:37:43.778841  4896 init.cpp:342] osquery initialized [version=4.7.0]
I0913 01:37:43.825711  4896 system.cpp:342] Found stale process for osqueryd (10920)
I0913 01:37:43.825711  4896 system.cpp:374] Writing osqueryd pid (5116) to \Program Files\osquery\osqueryd.pidfile
I0913 01:37:43.825711  4896 extensions.cpp:438] Found autoloadable extension: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.825711  4896 dispatcher.cpp:78] Adding new service: WatcherRunner (000001AB7BFC9F30) to thread: 13760 (000001AB7DB4FCC0) in process 5116
I0913 01:37:43.841331 13760 watcher.cpp:613] osqueryd watcher (5116) executing worker (10352)
E0913 01:37:43.856961 13760 watcher.cpp:653] Cannot create extension process: C:\Program Files\osquery\extensions\myosquery.ext
I0913 01:37:43.856961  4896 dispatcher.cpp:149] Thread: 4896 requesting a stop
...
I0913 01:37:46.891346 13672 watcher.cpp:667] osqueryd worker (10352) detected killed watcher (5116)
I0913 01:37:46.891346 12320 dispatcher.cpp:149] Thread: 12320 requesting a stop
I0913 01:37:46.891346 12320 dispatcher.cpp:156] Service: 0000021774EF2CB0 has been interrupted
...

Full log at: https://pastebin.com/Ygm7CGX1 (112233). I’ve used

procmon

and I couldn’t find any attempt to launch the extension process. While doing that, I noticed a werfault.exe was being executed. Looking at Windows Events it seems osquery crashed:

Faulting application name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Faulting module name: osqueryd.exe, version: 4.7.0.0, time stamp: 0x6050e93f
Exception code: 0xc0000005
Fault offset: 0x00000000009da964
Faulting process id: 0x37c0
Faulting application start time: 0x01d7a87be147ff10
Faulting application path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Faulting module path: C:\Program Files\osquery\osqueryd\osqueryd.exe
Report Id: e7704eb3-e66d-439b-aa1f-331f195cb88c
Faulting package full name: 
Faulting package-relative application ID:

Hello, has anybody faced an issue with extensions using osquery 5.0.1 for windows from https://osquery.io/downloads? For some reason our extension has stopped working with that version (we just see the following in the logs:

I1104 15:49:32.779342 11716 extensions.cpp:348] Extension UUID 18380 has gone away

). When we compile 5.0.1 by ourselves then there are no any issues.

Hi, I am trying to autoload an extension in windows. But it doesnt get registered for some reason. it also does not throw back any error and osquery can start as per normal. Is this a bug? I referenced it from https://github.com/osquery/osquery/issues/7324

Hi all. I'm trying to run the osqueryi profiler on some custom extension tables and am not having any luck. I can run osqueryi interactively and all works. Passing the query directly to osqueryi along with an

extensions_require

flag works too. Can't pass the query directly if the extensions require flag is not passed. Everything works fine in osqueryd as well. If I try adding

profile_delay

it seems like the extension can't connect to the socket. Has anyone run into this issue? I'll add some osqueryi outputs in thread

Hmm that's odd because

Extension registered table plugin

for several tables implies the extension was communicating over the Thrift channel ...and then suddenly

An error occurred during extension manager startup

. Is this extension one of the public ones that others can grab and try to reproduce this problem?

Hi everyone

instance = osquery.ExtensionClient('\\\\.\pipe\shell.em')
instance.open()
client = instance.extension_client()
print(client.query('select * from time'))

In this code, it's possible to query osquery via the thrift socket without creating any new extension. I want to ask if it is also possible to set the config and get the logs for the running osquery instance without creating a new extension, and just read/write via the extension_client?

FOR WINDOWS : Hi everyone: I am trying to run this extension (file attached below:

python_config.ext

). I have placed this file in Extensions folder in the osquery root. I tried

.\osqueryd.exe --flagfile .\osquery.flags --verbose

but I am getting an error saying

E0208 12:58:29.730865  3680 watcher.cpp:702] Cannot create extension process: C:\Program Files\osquery\Extensions\python-config.ext

. I have set safe permissions according to this link: https://osquery.readthedocs.io/en/stable/deployment/extensions/#extensions-binary-permissions . Can anyone help me with this? cuz when I run this extension as

python python-config.ext --socket=\\.\pipe\shell.em

, it works perfectly and the extension is loaded

Do osquery extensions enable an ecosystem/platform for vendors like this who want to hook into an existing agent without writing their own? If so, what docs, extension-loader error messages, extension linting/tools for extension devs, and tutorials are we missing to make it dead simple? https://techcrunch.com/2022/03/16/clockwork-raises-21m-to-keep-server-clocks-in-sync/

Using osquery-go can I access the flags set in

osquery.flags

in my extension?