Hey everyone. I hope everything is alright with y'all. Can someone provide me with materials on registering Windows Hosts to Kolide Fleet ? Thanks in advance !

socket_events can't get data when it left join process_events I encountered strange things.I record my computer's some info with socket_events and process_events.here is my sql.

sql
select * from process_events
select socket_events.*,process_events.cmdline,process_events.cwd,process_events.pid as pepid from socket_events left join process_events  on socket_events.pid=process_events.pid;

but I found that the

cmdline

,

cwd

,

pepid

are all empty in

socket_events

.for eaxmple

cmd:  curl <https://osquery.io>

name": "process_events",
    "@version": "1",
    "columns": {
      "parent": "21451",
      "cwd": "\"/root\"",
      "btime": "0",
      "auid": "1001",
      "egid": "0",
      "atime": "1448209686",
      "owner_gid": "0",
      "owner_uid": "0",
      "path": "/usr/bin/curl",
      "cmdline": "curl <https://osquery.io>",
      "gid": "0",
      "pid": "21923",
      "ctime": "1461222192",
      "time": "1543840554",
      "uptime": "28088276",
      "mode": "0100755",
      "mtime": "1448209686",
      "uid": "0",
      "euid": "0"
    },


"name": "socket_events",
"@version": "1",
"columns": {
    "pepid": "",
    "local_port": "0",
    "cwd": "",
    "status": "unknown",
    "auid": "1001",
    "path": "/usr/bin/curl",
    "action": "connect",
    "cmdline": "",
    "family": "2",
    "fd": "3",
    "pid": "21923",
    "local_address": "",
    "remote_port": "443",
    "time": "1543840554",
    "uptime": "28088276",
    "remote_address": "54.193.126.242"
},

as you can see,the

socket_events

row has the same pid with the

process_events

row,but the

cwd

,

cmdline

,

pepid

are all empty in

socket_events

table. it it very strange. this Scenario has happened in all my 10 host.

the best way is to read through the documentation and try to set something up. and ask questions here along the way when you run into trouble

or change the query name

when I read the osquery

sokcet_events.cpp

source code, I found that

// skip operations on NETLINK_ROUTE sockets
if (saddr[0] == '1' && saddr[1] == '0') {
    continue;
}

why is the saddr with 10 the NETLINK_ROUTE sockets?I can not find some info about it,does anybody knows it?

how can i make osquery log alert in slack?

hey channel Not sure if this is the right place to ask. But running into error using the flag

--audit_allow_sockets

Thanks for not push forcing again, I really appreciate it! It's a lot easier to follow now 🙂

So.... is there any word on spending the extra $$ to get the >10,000 messages archive back for this slack? It is a major bummer not being able to find the answers and context to previously asked questions anymore.

A project like fleet (disclaimer I work on it) is a good fit for that with osquery‘ s distributed plugin

I have a customer asking if osquery has been successfully used on SUSE Linux, specifically SLES 11.x Apparently they are having trouble making it run. I don't have any details. Anybody here know if the tool has been made to work on SLES?

When doing an on-demand yara scan, does the signature file have to be stored locally or could it be stored in a fileshare?

other then disabling prelink?

@spookerlabs https://osquery.slack.com/archives/C08VA3XQU/p1544828441041800

@钢铁侠 The flag is created by the macro HIDDEN_FLAG respectively OSQUERY_FLAG (see include/osquery/flags.h)

There is more than that. You will not be able to view the event tables, and may not be able to run queries on a schedule.

@speckled on resource control, I advise to use cgroups like https://github.com/juju4/ansible-osquery/blob/master/tasks/cgroups.yml (initial tips from trailofbits)

i was going to rig up a script to parse schedule and packs in config and determine the ideal event_expiry. Before I do, has anyone already done this?

is that macOS?

hello quick noob question. I have osquery deployed with kolide fleet and have imported some query packs. Where can i view the results of the queries? I can’t seem to find any documentation on where the output is saved to. ty

the nproc has backticks around it - gets set to number of processor cores. you can skip the "-j XX" as well

is there somewhere i can find some useful queries or kibana dashboards?

Thanks @fmanco for the Slack workspace upgrade. Nice to be able to see older results from searches, etc

Q: If I create a custom attack pack like testpack.conf and co-locate with the others, is it as simple as adding that new path to the osquery.conf file? Or am i missing steps?

congrats on upgrading to standard plan so we have full history. 👏

Hello, I've got a bunch of osqueryd running at 100% CPU, what can I do to find out why?

It’s easy to run expensive queries. One thing to look at is the

osquery_schedule

table. https://blog.kolide.com/profiling-osquery-performance-with-kolide-cloud-8e01097469db has some info (and there are probably other blog posts about)

looking forward to your improvements packetzero 😄

Thanks for the clarification @packetzero

@packetzero, are you concerned with another tables or at the moment just the events ones?