HI All, there is a way/query to know user last logon/logout? in a few words I want to run a query through the gui, where I see the last time the pc was online and the last time the pc went offline to track pc on and off times

how can i find jamf logs in osquery. So we have a certain service which runs from a self help app and i want to monitor when it is started by a person. I see jamf logs it when it starts but i cant find the exact log for it in osquery. I see log in console.

how can I connect the osquery agent to the fleet server? ("command")

ok I finally bit the bullet and installed Security Onion. Is it possible to make a simple change to each deployed Fleet agent to get it to talk to Security Onion, or do I have to re-install the agents? On one hand it looks like I can add the enrol secret to the new Server and adjust the FQDN (maybe), on the other hand I haven’t found the .plist that might make this possible…

hi i am performing file integrating monitoring using osqueryd this is my config file { "options": { "config_plugin": "filesystem", "logger_plugin": "filesystem", "logger_path": "/var/log/osquery", "pidfile": "/var/osquery/osquery.pidfile" }, "schedule": { "file_events": { "query": "select * from file_events;", "interval": 30 } }, "file_paths": { "root": [ "/%" ] } } this is my flag file --config_plugin=filesystem --config_path=/etc/osquery/osquery.conf --logger_plugin=filesystem --logger_path=/var/log/osquery --disable_logging=false --log_result_events=true --schedule_splay_percent=10 --pidfile=/var/osquery/osquery.pidfile --events_expiry=3600 --database_path=/var/osquery/osquery.db --verbose=false --worker_threads=2 --disable_events=false --disable_audit=false --audit_allow_config=true --host_identifier=hostname --enable_syslog=true --audit_allow_sockets=true --schedule_default_interval=3600 i am using this command to run my osueryd sudo osqueryd --config_path /etc/osquery/osquery.example.conf now when i change the content of the file i created for the test purpose in the specified path to be monitored, i don't see any record in file_events table neither in log files

Is anyone aware of a good article on the various osquery flags needed to do process and file monitoring on linux and mac? There are a few in play, and with the addition of the BPF tables I'd love to know best practices -- do we still need register for auditd, or do the BPF tables not yet cover things like

file_events

etc ?

Hey all-- New to Fleet-- any good guides on setting up an ELK stack? Or anyone use another data tool they like?

Guys there seem to be a critical vuln in the ECS deployment of fleet: The package

zlib

version

1.2.12-r1

was detected in

APK package manager

on a container image running

Alpine 3.16.0

is vulnerable to

CVE-2022-37434

, which exists in versions

\u003c 1.2.12-r2

.\n\nThe vulnerability was found in the [Official Alpine Security Advisories](https://security.alpinelinux.org/vuln/CVE-2022-37434) with vendor severity:

Critical

([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-37434) severity:

Critical

).\n\nThis vulnerability has a known exploit available. Source: Github [[1](https://github.com/ivd38/zlib_overflow), [2](https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063), [3](https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764)].\n\nThe vulnerability can be remediated by updating the package to version

1.2.12-r2

or higher,

My osquery doesnot connect to the fleet when i have my netskope turned on. if i turn it off then i see the host online. It throws certificate verification failed error. Any help on it? FYI Curl command works just fine even if netskope is on.

im trying to connect osquery to fleet and it's not working, where can I see logs for the agent connection?

im trying to move my fleet environment to k8s and my pod of the fleet web server logs i see that message : "Tls: client offered only unsupported versions: [301]" and this msg is repeating every second when i do not even trying to connect to the fleet webeserver.

https://github.com/fleetdm/fleet/issues/7371 any interest 🙂 ?

I'm trying to deploy new fleet environment and I'm having a trouble with the certificate, when I'm logging to my web site it's says: "secured" , and when I'm trying to connect to the fleet with an osquery agent, I am getting the error: "certificate verify failed", the agent flag: tls_server_certs is set to the .crt file that fleet is using() can you help me with this one please?

Hey all! On this page: https://fleetdm.com/announcements/introducing-sandbox-the-fastest-way-to-play-with-fleet It shows “video has been removed by uploader”. Just an FYI! I found the video itself on your channel here:

Has anyone come across a scenario where all and/or some of the queries in enabled pack do not run? But when the query that hasn't run is run one off, it returns successfully?

I think there was a bug when vuln processing isn't configured. Try setting https://fleetdm.com/docs/deploying/configuration#databases-path

Hi team! What's the best way to tighten networking around my Fleet host? I have it all open on 0.0.0.0 and allowing all ports which is ofcourse not ideal and I want to tighten it further but without breaking osquery <> fleet comms. What's the best way to do that?

Hi,I am performing malware detection using yara this is my config file

{

"options": {

"config_plugin": "filesystem",

"logger_plugin": "filesystem",

"logger_path": "/var/log/osquery",

"logger_snapshot_event_type": "true",

"schedule_splay_percent": "10"

},

"yara": {

"signatures": {

// Each key is an arbitrary group name to give the signatures listed

"sig_group_1": [ "/home/slyb/yara_rules/hello_worlds.yar" ]

// "sig_group_2": [ "/Users/wxs/sigs/baz.yar" ]

},

"file_paths": {

"system_binaries": [ "sig_group_1" ]

}

},

// Paths to watch for filesystem events

"file_paths": {

"system_binaries": [ "/home/slyb/%" ]

},

"packs": {

"osquery-monitoring": "/home/slyb/osquery/packs/osquery-monitoring.conf",

"fim": "/home/slyb/osquery/packs/fim.conf"

}

}

and this is my flag file

--config_plugin=filesystem

--config_path=/etc/osquery/osquery.conf

--enable_yara_sigurl=true

--logger_plugin=filesystem

--logger_path=/var/log/osquery

--disable_logging=false

--log_result_events=true

--schedule_splay_percent=10

--pidfile=/var/osquery/osquery.pidfile

--events_expiry=3600

--database_path=/var/osquery/osquery.db

--verbose=false

--worker_threads=2

--disable_events=false

--disable_audit=false

--audit_allow_config=true

--host_identifier=hostname

--enable_syslog=true

--audit_allow_sockets=true

--schedule_default_interval=3600

--enable_file_events=true

this is my yara rule file

rule ExampleRule

{

strings:

$my_text_string = "hello world"

$my_hex_string = { E2 34 A1 C8 23 FB }

condition:

$my_text_string or $my_hex_string

}

the problem is im getting no entry in yara_events table after testing for a file that has the same signature as mentioned in yara rule

Upgraded from fleetdm 4.17.1 > 4.19.0 and had to play open heart sql surgery to get it to work ended up with

INFO: 12:50:42 Increasing width of software.vendor...
2022/08/29 12:50:43 FAIL 20220818101352_ChangeSoftwareVendorWidth.go (adding new uniquess constraint: Error 1062: Duplicate entry 'openpgm-5.2.122-rpm_packages-2.el7--x86_64' for key 'unq_name'), quitting migration.

Which led to

2022/08/29 12:56:43 FAIL 20220818101352_ChangeSoftwareVendorWidth.go (creating temp column for vendor: Error 1060: Duplicate column name 'vendor_wide'), quitting migration.

After deleting the column and row i was able to upgrade.

Hi all, Running into a

constraint failed

error when querying the

windows_eventlog

table from fleet. After some troubleshooting I found that

channel

is a required constraint in the WHERE clause, which I have added but still get the same

constraint failed

error. is there another required constraint when querying

windows_eventlog

? Any help is greatly appreciated!

If your concern is restricting access, we recommend exposing ‘/api/v1/osquery’. That way, you're covered for any changes going forward as new features may be added. Here's a list of the current endpoints:

/api/v1/osquery/enroll
/api/v1/osquery/config
/api/v1/osquery/distributed/read
/api/v1/osquery/distributed/write
/api/v1/osquery/carve/begin
/api/v1/osquery/carve/block

Hope that helps!

Anyone have a query to see what applications have access to specific privacy setting? For example, what applications have access to “Screen Recording”?

I've a general question around running fleet. We use a self-signed certificate to run Fleet container. Is that key material that's stored on the container used to help generate enrol secrets?

Fleet Error: I'm trying to login to fleet using SSO, and even without SSO I get this error "Expected JSON Body" Error 500. Any idea ?

@Marc Roelofs @Jason Roberts @Alexander Samrega And anyone else who may have run in to database migration issues moving to 4.19.0: The patch to resolve migration issues is live and upgrading should get you back on track. If not, please don't hesitate to let me know, I'm happy to set up a meeting and help get things sorted for you.

is there any way to forward the osquery logs directly to spunk without files?

Hey guys may be pushing it here but trying to configure my Raspbian Debian 11 osquery 5.4 agent to my fleet this is arm64 with the arm64 deb of osquery set up. I have taken and adjusted the following flag file and know that I have my cert and secret setup correctly. Fleetctl fails with "/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: _: not found k: not found /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: @ ^@6: not found /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: ELF: not found /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 2: Syntax error: "(" unexpected" and when I try it manually with osqueryd --flagfile=flagfile.txt --verbose the closet I get is "Failed enrollment request to https://ip:8090/api/latest/osquery/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying... I0903 190438.469650 264500 smbios_tables.cpp:252] Could not read SMBIOS memory " Looking through old issues I see a suggestion to add--tls_dump to the output so I've attached that as well. Please let me know if you have any thoughts I have already checked networking and should not be having any firewall or blocking issues. Thanks.

hi, my osquery_resault.log at my fleet stop getting data in the past two weeks, and idea why does can it happen?

Hello, how are you, I hope you are well!
I deployed a fleet of which I deployed osquery agents. Getting to a certain number of agents, often when a new host is deployed, it downgrades another one from the list. I get the following errors on the output to the osquery server:

1/osquery/distributed/read","ts":"2022-09-05T152012.164277378Z"} Sep 5 152015 osquery fleet[69161]: {"component":"http","err":"authentication error: invalid node key: /uLuK4hiUVdU3hZVXS5dcivDzQFpwfAX","level":"info","path":"/api/v1/osquery/config","ts":"2022-09-05T152015.9287988Z"}

Does osquery support

NOT EXISTS

? I'm trying to run a query for a policy that will return true if a process is not running... I;m running into issues.