Hey Folks, I have 3k osquery enrolled in kolide fleet, and I’m aiming for 50k machines to be enrolled. But from my test group i started to see some issues with kolide fleet(open source) which i can clarify later. My question is there anyone managed to have a large fleet of osquery managed and what was your solution? How do you handle results of interactive queries, do they get logged or pushed to the browser? Appreciated

Hi, I noticed that after updating from v3.3.2 the

last

table only shows logins (type 7). After pulling hairs and compiling osquery myself, I found this PR: https://github.com/osquery/osquery/pull/5274 (btw I couldn’t find any reference to this on the releases) which is filtering for

USER_PROCESS

only. Should I open an issue for this? or can I just open a PR and also add the

DEAD_PROCESS

event?

Hello, I wrote a couple extensions for OsQuery that have long run times as much as 30 seconds. When scheduling them to both run every 300 seconds in a pack, they sometimes run at the same time, or at least overlap. Is there a way to guarantee ALL scheduled queries are run serially, and never at the same time? Thank you

Hey Folks, How can we determine which config is bing used by osqury agents. When i run a query about the configs i get the same hash so thats good but i want to know which config is being used. When i try to calc the hash i dont get same results

Wrote this for my own use case to expose osquery as a REST API using MTLS (Mutual TLS) not sure if it's useful to anyone. If not it might serve as an example. https://github.com/mickep76/osquery_api

Hey everyone, I've been looking for a few hours, and I can't figure out how to use the

process_events

table - does anyone know where the documentation is?

root@ubuntu:/etc/osquery# cat osquery.flags
--audit_allow_config=true
--audit_allow_sockets
--audit_persist=true
--audit_allow_process_events=true
--disable_audit=false
--events_expiry=1
--events_max=500000
--logger_min_status=1
--logger_plugin=filesystem
--watchdog_memory_limit=350
--watchdog_utilization_limit=130

$ sudo osqueryi --flagfile /etc/osquery/osquery.flags
Using a virtual database. Need help, type '.help'
osquery> select * from process_events;
W0102 16:44:29.887578 30811 virtual_table.cpp:930] Table process_events is event-based but events are disabled
W0102 16:44:29.887630 30811 virtual_table.cpp:937] Please see the table documentation: <https://osquery.io/schema/#process_events>

I don't have auditd enabled, and osquery is running as root.

Does anyone know if there's an osquery flag that toggles support for Thrift on/off? I was working on some Python code that retrieves process events via the Thrift API, but I'm not sure why the transport is failing after adding support for events. 🤷

it returns

W0103 15:36:34.866801 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/slack/20/usr/lib/slack/slack
W0103 15:36:34.895962 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /opt/google/chrome/chrome
W0103 15:36:35.829485 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/spotify/36/usr/share/spotify/spotify

I have a question regarding setting up logging to tls and the filesystem. I've been looking into the documentation on how to provide multiple logging plugins via the flag system. Which I've been using the flag system for the full setup process, due to needing to have this setup between Linux, Mac, and Windows machines. This process is currently being tested on a Windows 10 machine. The tls is reporting back to our fleet server, which is working perfectly. However, when I added the filesystem appending, it will report to tls fine, but it never builds the logs on the local machine. And if I utilize the supplied config it will build to the filesystem properly as well, but this method removes tls. I have a felling I might be missing something, I included a screen snippet below to show our flags file on the Windows machine. Any advice would be highly appreciated! Here is also where I've been grabbing my information from the documentation: https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags Thank you for any assistance you can offer.

Hi everyone, I’m just started using osquery and when I query to see powershell event in osquery then I get output like that “W0106 153336.802225 12808 virtual_table.cpp:967] Table powershell_events is event-based but events are disabled” I have tried with cli like “osqueryi.exe --disable_events=false --windows_event_channels=Micorsoft-Windows-PowerShell” but I get empty output. And I also check in table osquery_event and got result like that select name, publisher, subscriptions, events, active from osquery_events where name like '%powershell_%events%'; +-------------------+----------------+---------------+--------+--------+ | name | publisher | subscriptions | events | active | +-------------------+----------------+---------------+--------+--------+ | powershell_events | windows_events | 1 | 0 | 1 | +-------------------+----------------+---------------+--------+--------+ no Events. Anyone can help me thanks

Hey 👋 quick question regarding

file_events

, I can exclude paths, but not a specific file and/or multiple files, correct?

Does osquery support pacman (Arch Linux) package manager?

hiya im currently getting this when i try to enroll my mac, i have the

--enroll_secret_path=/etc/osquery/enroll_secret

option set, and when i try to enroll w/ kolide launcher i get something about "unexpected response" over grpc

W0106 15:59:47.299160 143402432 tls_enroll.cpp:74] Failed enrollment request to <https://fleet.secure.redacted.com/api/v1/osquery/enroll> (Request error: Failed to connect to <http://fleet.secure.redacted.com:443|fleet.secure.redacted.com:443>: Operation timed out) retrying...
I0106 15:59:48.303138 143402432 tls.cpp:253] TLS/HTTPS POST request to URI: <https://fleet.secure.redacted.com/api/v1/osquery/enroll>

My understanding of

wall_time

from

osquery_schedule

table is that it’s the unix time difference between the start and end of a query. However, does that imply it’s the difference of when the query was last executed? Further,

system_time

&

user_time

are both milliseconds and I would have to divide by

executions

to understand its performance profile?

Howdy folks, I'm new to osquery and wondering what might be the fastest/easiest way to query for cmdline, path, and parent_path. I'm currently using: process_events": { "query": "SELECT * FROM process_events;", But this doesn't give me parent_path. Thanks for any help you can provide 🙂

In the cpu_time table, what are the units of time reported for iowait? Is it ms? I can’t find any documentation on what the units are. I am specifically interested in RHEL 7 if the os makes a difference.

speaking of the watchdog. From https://osquery.readthedocs.io/en/stable/installation/cli-flags/#daemon-control-flags under

--watchdog_level=0

---- Performance limit level (0=normal, 1=restrictive, -1=disabled). The watchdog process uses a "level" to configure performance limits. The level limits are as follows: Memory: default 200M, restrictive 100M CPU: default 25% (for 9 seconds), restrictive 18% (for 9 seconds) The normal level allows for 10 restarts if the limits are violated. The restrictive allows for only 4, then the service will be disabled. For both there is a linear backoff of 5 seconds, doubling each retry. ----- Is this saying that after 10 / 4 restarts of the worker process, the osqueryd service will be disabled? I have tested this on a Win10 system and am not seeing this behavior, just the query being put on the blocklist and the worker process being restarted - I am not seeing any kind of backoff either.

Anyone know of an extension (or if there are plans to support natively) that can provide the equivalent of regqueryinfo? i.e., i am looking to read timestamp (which osquery returns) of registry keys as well as class values (which osquery does not).

Hi there, I'm developing a feature for osquery, but I cant get the whole tests suite running.

make test

runs 86 stages and take more than an hour on my laptop. Is there any way to run a limited set of tests ?

make test/fast

does not seems much quicker.

The 4.1.2 packages are now available in our

yum

and

apt

repositories. Please find the install instructions at https://osquery.io/downloads/official/4.1.2 as well as direct downloads for the packages. They should install on almost all Linux platforms supporting either RPM or DEB packages. In the past we copy-pasted packages to repos named, trusty, precise, centos6, etc, those duplicate repos will be removed, if you still use these please move to the generic repos. All distros using RPMs:

curl -L <https://pkg.osquery.io/rpm/GPG> | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery
sudo yum-config-manager --add-repo <https://pkg.osquery.io/rpm/osquery-s3-rpm.repo>
sudo yum-config-manager --enable osquery-s3-rpm
sudo yum install osquery

All distros using DEBs:

export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver <http://keyserver.ubuntu.com|keyserver.ubuntu.com> --recv-keys $OSQUERY_KEY
sudo add-apt-repository 'deb [arch=amd64] <https://pkg.osquery.io/deb> deb main'
sudo apt-get update
sudo apt-get install osquery

Hi everyone, an old employee in my organization had set up an installer for Macs which included the flags file, and installed the service, etc. I was able to build an OSX package, but having trouble figuring out how to include my osquery.flags file. Can't seem to find any information in the documentation on this, and have also tried searching here in Slack.

• we use benchmarks to create artificial constant rate of process events per second • we monitor CPU, RAM, & diskIO • we monitor the osquery logs to see when event buffers overflow one finding i wanted to share - we set

snapshot=true

on our eventing queries and measured a 5X increase in the events per second throughput of

process_events

before we saw events buffers overflow

https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md#kolide-osquery-launcher Here it's mentioned that you can grab the precompiled binaries and it looks like they are no longer included in the releases? Looks like it stopped after 0.10.3, is this intentional?

hey everyone, what’s the best channel for asking questions about the repository https://osquery-packages.s3.amazonaws.com/ ? We use this with yum but seems like a release Friday 8pm GMT wiped out the centos7 artefacts

Hi, not sure if this is the best place to ask, maybe someone knows: I’m using fleet to make queries and receive the results, however, regardless how I configure the logging plugin in fleet, it is not writing my live queries results to the file system, is this expected?

Got a question about the CLA, details in thread.

filesystem.cpp:113] Cannot read file that exceeds size limit:

is there an alternative to Kolide Fleet that is out there?

Yes,I’m talking about performance issue on Linux. such as https://github.com/osquery/osquery/issues/5339 @alessandrogario

And why so many osquery team member left facebook after they work on osquery just 1~2 years. such as @javuto https://www.linkedin.com/in/javiermarcosdeprado/