What does 

return code 78

 mean in osquery ?

Is there someone doing vulnerability scanning with osquery? e.g. based on installed apps

Hi all, I need some very basic help that I can't seem to find the answer to in the docs. I'm trying to use the api and cant figure how to use my access token in a

curl

call or using python requests. What is the header for authentication called? I saw somewhere on github someone used

curl -H Authorization: [tokenhere]

but that didn't work for me

👋 one of our user have an issue with performance spike and a recurrent log

Jun 22 12:35:33 xxxxxxx osqueryd[198]: osqueryd worker (82507) stopping: Memory limits exceeded: 222240768

I may have determined that this is linked to his bash history (

SELECT * from users JOIN shell_history using (uid);

) because when we move it somewhere else and create a new one, the log doesn’t appear again. His history is 4.5MB, I don’t know if it’s too big (guess not but saying it just in case). Any thing we try to do to find the root cause without deleting his all history ?

Hi all, I need some helps on getting logger plugin working. I tried https://github.com/osquery/osquery-python/blob/master/examples/foobar_logger.ext using command “python .\foobar_logger.ext --socket \\.\pipe\osquery.em” to attach osqueryd but nothing was logged. Thx!

https://blog.fleetsmith.com/fleetsmith-acquired-by-apple/ an osquery-based security agent is now an Apple subsidiary

@Mike Myers Was their agent utilizing osquery under the hood? I don't recall that being the case.

Hi! Can you tell me, is there any specific recommendations on the system requirements for deploying a kolide fleet to stable collect osquery requests with maybe 5k-6k hosts?

This message was deleted.

Any free ui tools available for view osquery_result log ?

hi, I'm writing a custom logger plugin on a windows server that logs to one of my rest services, running "select value from osquery_extensions;" from osqueryi gives "\\.\pipe\shell.em", running the same query from osqueryd schedule gives "\\.\pipe\osquery.em", when my plugin runs, it hangs on connecting to the named pipe, I wonder how I can fix it.

how can I find this "\\.\pipe\shell.em" pipe on windows?

hi there! I am noob to osquery. Is there a ER (entity relationship) diagram for osquery schema, much like in traditional RDBMS? That will help understand how the tables are linked together and what info can be queried.

is osquery.io down?

What does it mean when osqueryi command has a return code = 78 ?

Given a process path and container id, is there a way to get the package information of that process which is running in a container using osquery ? If there is no possibility using osquery, is there any other way ?

@seph thanks for taking such awesome notes during #officehours! It's great to look-back on all the bi-weekly discussions: https://github.com/osquery/foundation/tree/master/docs/office-hours

Does anyone know if osqueryd can be configured to send results to different logging backend/targets depending on the query pack? For example a compliance related query pack results go to compliance kafka queue, system info query pack results go to a different queue.

sudo osqueryi --json 'select * from docker_container_ports'

is not showing any output even though there are docker ports associated with host ports.. Any idea ?

what happens when you run it without

sudo

?

@Hugh (Zercurity) I'm gonna check, thanks

Has anyone attempted to build osquery for aarch64? I'm running into this error during the build step

[  7%] Building C object libs/src/boost/CMakeFiles/thirdparty_boost_context.dir/src/libs/context/src/asm/jump_arm64_aapcs_elf_gas.S.o
/home/ec2-user/osquery/libraries/cmake/source/boost/src/libs/context/src/asm/jump_arm64_aapcs_elf_gas.S:54:1: error: expected identifier or '('
.file "jump_arm64_aapcs_elf_gas.S"
^
/home/ec2-user/osquery/libraries/cmake/source/boost/src/libs/context/src/asm/jump_arm64_aapcs_elf_gas.S:60:7: error: invalid preprocessing directive
    # prepare stack for GP + FPU
      ^
/home/ec2-user/osquery/libraries/cmake/source/boost/src/libs/context/src/asm/jump_arm64_aapcs_elf_gas.S:63:7: error: invalid preprocessing directive
    # save d8 - d15
      ^

Hi everyone! When working with *_events tables in osquery, should I always select everything from those tables to flush events from RocksDB? Otherwise /var/osquery/osquery.db directory will grow in size, which as I understand affect the osquery performance. I transport osquery events with syslog. The problem is when select * I lose some data because of suppressed messages by systemd therefore I’d like to change select * to get only required data. But i don’t want my RocksDB grow in size and never drops old events from *_events tables. Correct me I’m wrong because I doubt that osquery works as I understand it.

Hi, I'm new to osquery. Can you change configuration via osquery? I see some hints that it's possible from Slack here, but the official docs seem to say you can't (https://osquery.readthedocs.io/en/stable/introduction/sql/#sql-as-understood-by-osquery). Thanks!

@seph how to know the package associated with a docker process ?

@Zweasta maybe this will help https://github.com/osquery/osquery/pull/6414#issuecomment-630190327

Is it possible for osquery to monitor command line data in real time(continues streaming) instead of taking snapshots??

https://osquery.readthedocs.io/en/stable/introduction/sql/#tables-with-arguments This doc pages says, for tables with arguments that "these tables, and their columns, are flagged by a dropper icon in the schema documentation". So I went to the file table on the schema docs https://osquery.io/schema/4.4.0/#file. I don't think I see a 'dropper' icon anywhere. Am I missing something? I was trying to get a list of tables like this

'Afternoon Everyone! Looking for some help plz - I'm trying to build my Kolide stack; I cannot work with my certificates. Am getting W0714 162921.859051 135417856 tls.cpp:100] Cannot read TLS server certificate(s): ~/Desktop/OSQueryTmp/cert.pem W0714 162921.926555 135417856 tls_enroll.cpp:76] Failed enrollment request to <<Domain>> (Request error: certificate verify failed) retrying...

Knowing very little about sqlite wizardry, could you utilize a COUNT function to determine total number of rows, then use CTEs to return the data in sets eg. If rpm_packages returns 15k rows and the rpm_db chokes when trying to return all at once, could you partition the result-set using row_id and then reassemble afterwards with a UNION? (eg.

WITH rpm_result_set1 AS (SELECT * FROM rpm_packages WHERE rowid > 0 AND rowid < 1000), rpm_result_set2 AS (SELECT * FROM rpm_packages WHERE rowid >= 1000 AND rowid <= 2000)... SELECT * FROM rpm_result_set1 UNION ALL SELECT * FROM rpm_result_set2

)