Ahmed, 12/22/2019, 7:59 PM:

João Godinho, 12/23/2019, 12:00 AM:
last table only shows logins (type 7). After pulling hairs and compiling osquery myself, I found this PR: https://github.com/osquery/osquery/pull/5274 (btw I couldn't find any reference to this on the releases), which is filtering for USER_PROCESS only. Should I open an issue for this? Or can I just open a PR and also add the DEAD_PROCESS event?

TonyC, 12/24/2019, 5:05 AM:

Ahmed, 12/24/2019, 10:10 AM:

Michael Persson, 01/02/2020, 3:59 PM:

Tyler Fisher, 01/02/2020, 9:51 PM:
process_events table - does anyone know where the documentation is?

root@ubuntu:/etc/osquery# cat osquery.flags
--audit_allow_config=true
--audit_allow_sockets
--audit_persist=true
--audit_allow_process_events=true
--disable_audit=false
--events_expiry=1
--events_max=500000
--logger_min_status=1
--logger_plugin=filesystem
--watchdog_memory_limit=350
--watchdog_utilization_limit=130

$ sudo osqueryi --flagfile /etc/osquery/osquery.flags
Using a virtual database. Need help, type '.help'
osquery> select * from process_events;
W0102 16:44:29.887578 30811 virtual_table.cpp:930] Table process_events is event-based but events are disabled
W0102 16:44:29.887630 30811 virtual_table.cpp:937] Please see the table documentation: https://osquery.io/schema/#process_events

I don't have auditd enabled, and osquery is running as root.

Tyler Fisher, 01/02/2020, 10:23 PM:

Dongho Kim, 01/03/2020, 6:37 AM:
W0103 15:36:34.866801 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/slack/20/usr/lib/slack/slack
W0103 15:36:34.895962 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /opt/google/chrome/chrome
W0103 15:36:35.829485 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/spotify/36/usr/share/spotify/spotify

David Payne, 01/03/2020, 5:17 PM:

christran, 01/06/2020, 11:03 AM:

João Godinho, 01/06/2020, 4:12 PM:
file_events, I can exclude paths, but not a specific file and/or multiple files, correct?

Anatol Pomazau, 01/06/2020, 6:33 PM:

laudecay, 01/06/2020, 10:01 PM:
--enroll_secret_path=/etc/osquery/enroll_secret option set, and when I try to enroll w/ kolide launcher I get something about "unexpected response" over grpc

W0106 15:59:47.299160 143402432 tls_enroll.cpp:74] Failed enrollment request to https://fleet.secure.redacted.com/api/v1/osquery/enroll (Request error: Failed to connect to fleet.secure.redacted.com:443: Operation timed out) retrying...
I0106 15:59:48.303138 143402432 tls.cpp:253] TLS/HTTPS POST request to URI: https://fleet.secure.redacted.com/api/v1/osquery/enroll

Jams, 01/06/2020, 10:55 PM:
wall_time from osquery_schedule table is that it's the unix time difference between the start and end of a query. However, does that imply it's the difference of when the query was last executed? Further, system_time & user_time are both milliseconds and I would have to divide by executions to understand its performance profile?

Jesse Lepich, 01/07/2020, 9:14 PM:

benbass, 01/08/2020, 3:17 PM:

defensivedepth, 01/08/2020, 4:33 PM:
--watchdog_level=0
----
Performance limit level (0=normal, 1=restrictive, -1=disabled). The watchdog process uses a "level" to configure performance limits.
The level limits are as follows: Memory: default 200M, restrictive 100M. CPU: default 25% (for 9 seconds), restrictive 18% (for 9 seconds).
The normal level allows for 10 restarts if the limits are violated. The restrictive allows for only 4, then the service will be disabled. For both there is a linear backoff of 5 seconds, doubling each retry.
----
Is this saying that after 10 / 4 restarts of the worker process, the osqueryd service will be disabled? I have tested this on a Win10 system and am not seeing this behavior, just the query being put on the blocklist and the worker process being restarted. I am not seeing any kind of backoff either.

Vijay, 01/08/2020, 10:16 PM:

calve, 01/09/2020, 3:47 PM:
make test runs 86 stages and takes more than an hour on my laptop. Is there any way to run a limited set of tests? make test/fast does not seem much quicker.

theopolis, 01/16/2020, 12:35 AM:
yum and apt repositories. Please find the install instructions at https://osquery.io/downloads/official/4.1.2 as well as direct downloads for the packages. They should install on almost all Linux platforms supporting either RPM or DEB packages. In the past we copy-pasted packages to repos named trusty, precise, centos6, etc.; those duplicate repos will be removed. If you still use these, please move to the generic repos.

All distros using RPMs:
curl -L https://pkg.osquery.io/rpm/GPG | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo yum-config-manager --add-repo https://pkg.osquery.io/rpm/osquery-s3-rpm.repo
sudo yum-config-manager --enable osquery-s3-rpm
sudo yum install osquery

All distros using DEBs:
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
sudo apt-get update
sudo apt-get install osquery

Kuzma Fesenko, 01/16/2020, 3:48 PM:

Ivanlei, 01/18/2020, 3:02 PM:
snapshot=true on our eventing queries and measured a 5X increase in the events per second throughput of process_events before we saw events buffers overflow

Matthew, 01/18/2020, 11:56 PM:

Tommy, 01/20/2020, 5:44 PM:

Jean M, 01/21/2020, 11:58 AM:

Matt K, 01/22/2020, 6:08 PM:

Aditya, 01/27/2020, 6:34 AM:

Zach Zeid, 01/27/2020, 9:28 PM:

wcc526, 01/29/2020, 3:25 AM:

wcc526, 01/29/2020, 3:35 AM: