osquery #general

Cameron Just

07/15/2020, 12:42 AM

Hi All, Also looking for some help. Trying to get FIM working and have followed the documentation but can't get it to work. osquery.conf - https://pastebin.com/0rSc8fvw My guess is the error is here Subscriber disabled via configuration but not sure what I'm missing in the above conf to enable it

Copy code

[root@primary osquery]# osqueryi "SELECT * FROM file_events;"
I0715 10:41:40.372663 18293 options.cpp:100] Verbose logging enabled by config option
W0715 10:41:40.372741 18293 options.cpp:91] Cannot set unknown or invalid flag: enable_monitor
I0715 10:41:40.507570 18293 smbios_tables.cpp:104] Reading SMBIOS from sysfs DMI node
I0715 10:41:40.508178 18293 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 10:41:40.509068 18293 events.cpp:1122] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0715 10:41:40.509141 18293 events.cpp:1122] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0715 10:41:40.509174 18293 events.cpp:1122] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0715 10:41:40.513377 18293 file_events.cpp:82] Added file event listener to: /etc/**
I0715 10:41:40.513458 18293 file_events.cpp:82] Added file event listener to: /root/.ssh/**
I0715 10:41:40.513478 18293 file_events.cpp:82] Added file event listener to: /home/*/.ssh/**
I0715 10:41:40.513536 18293 file_events.cpp:82] Added file event listener to: /tmp/**
W0715 10:41:40.526444 18293 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:41:40.548197 18293 dispatcher.cpp:77] Adding new service: AuditdNetlinkReader (0x275c6d8) to thread: 140344453695232 (0x26cc720) in process 18293
I0715 10:41:40.548367 18293 dispatcher.cpp:77] Adding new service: AuditdNetlinkParser (0x26a3448) to thread: 140344445302528 (0x26c95c0) in process 18293
I0715 10:41:40.548961 18294 auditdnetlink.cpp:623] Failed to set the netlink owner
W0715 10:41:40.560115 18293 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:41:40.565127 18296 events.cpp:784] Starting event publisher run loop: auditeventpublisher
I0715 10:41:40.565162 18297 events.cpp:784] Starting event publisher run loop: inotify
I0715 10:41:40.565232 18298 events.cpp:784] Starting event publisher run loop: udev
I0715 10:41:40.565570 18293 dispatcher.cpp:148] Thread: 140344499352960 requesting a stop
I0715 10:41:40.565644 18293 dispatcher.cpp:155] Service: 0x275c6d8 has been interrupted
I0715 10:41:40.565670 18293 dispatcher.cpp:155] Service: 0x26a3448 has been interrupted
I0715 10:41:40.565703 18293 dispatcher.cpp:121] Thread: 140344499352960 requesting a join
I0715 10:41:41.548689 18293 dispatcher.cpp:139] Service thread: 0x26c95c0 has joined

Garret

07/16/2020, 5:10 PM

Is there any kind of tool that provides basic sanity checks for an osquery configuration? I'm specifically thinking of something that consumes a configuration + scheduled queries and checks that all evented tables that are enabled have a corresponding scheduled query that drains them, but I'm sure there are other configuration level issues that could be detected.

Daniel Parry

07/17/2020, 10:24 PM

Is there any way to change the syslog tag used based on pack or query? I'm guessing not, but would like to double check 🙂

moulik

07/18/2020, 9:18 AM

I am making a curl request to

<http://portquiz.net:1234|portquiz.net:1234>

If the osquery db and osquery pid is in

/tmp/

folder, I see some inconsistency in the number of record in

socket_events

table Sometimes there is only 1 entry and sometimes there are 2 entries for every curl request If I change the path to a permanent location then I see only one entry per curl request

nle

07/19/2020, 4:02 PM

Hey, I’m trying to build osquery extension while looking at the documentation without much luck. The exe file isnt created as it should. Do you happen to have a more updated documentation? Or has anyone else come across this problem? https://osquery.readthedocs.io/en/latest/development/building/

Zweasta

07/19/2020, 10:51 PM

Did anyone get osquery executed command's return code as 78 ? On one of my machines, I am constantly getting the return code as 78. Don't know why. It is seen every time I execute a command. I tried installing the latest osquery 4.4.0, but still the return code is 78. Coming to the output, I am seeing getting the output and after that, it freezes for like 2 secs and then exists the process.

Bitterino95

07/20/2020, 12:33 PM

Hi, I'm trying to implement a publish-subscriber extension for osquery in Linux, but I'm encountering some problems. Is there an example explaining me how to do it?

Nam B

07/20/2020, 3:26 PM

Hi Have a basic query on generation of crosstool-ng-config-x86_64 in osquery-toolchain. How do I create it for a different architecture. Any pointers to some relevant documentation will be appreciated.

Jacek

07/21/2020, 10:19 AM

Hi guys, I am having a problem with osquery on macos. I believe it's actually a bug, but I just started to work with osquery 2 days ago. Where would be a good place to ask? Googling does not help. What I notice is a lot duplicated events (different eid, same timestamp). It seems to boil down to duplication of subscribers for some tables every time new config with some changes is apllied.

doggles

07/22/2020, 8:29 AM

Question: if the fleet management server is unavailable at the time an endpoint received the osquery pkg + enroll secret and the daemon launches, will it continue retrying to enroll at some set interval until it succeeds?

MaxosxOsquery

07/22/2020, 6:40 PM

Hi all.. Can someone share good Macos osquery use cases?

vaar

07/24/2020, 2:08 PM

is there a fast way to export the full schema in json format with the field desc like on web site?

Kshitij Gupta

07/25/2020, 4:55 PM

Hello everyone!! I want to build OSquery on aarch64 instances ( on a1 or similar instances on AWS) I have seen PRs on Github for the same. Can someone please tell me how should I proceed. I am not able to find any documentation for the same. Thanks in advance.

Zweasta

07/25/2020, 7:14 PM

iptables

table for linux, is there any plan to build a table for windows systems ?

KaremAli

07/27/2020, 8:46 AM

Hello, ntfs_journal_events is not displaying any result for FIM this is the config

Copy code

{
  "options": {
    "host_identifier": "WindowsTest",
    "utc": "true"
  },
  "schedule": {
    "users": {
      "query": "select 'users' AS query_name, uid,username from users;",
      "interval": 10
    }
  },
  "file_paths": {
    "downloads": [
      "C:\\Users\\Noname\\Downloads",
      "C:\\Users\\Noname\\Downloads\\*"
    ]
  }
}

** osqueryi.exe --config-path='path to config' --disable-events=false ** USN is enabled on my device and I make changes to file on downloads but it's not reflecting in osqueryi ** I check the change in USN by parsing it using MFTCMD (Eric tool) and the changes are displayed any idea for solving this ?

Zach Zeid

07/28/2020, 8:27 PM

I'm working on splitting results to multiple interfaces, but I'm running into an issue. it says I can enable multiple loggers by setting

--logger_plugin

to a comma separate list. My config file is JSON, but when I do

Copy code

"logger_plugin": "aws_firehose","tls",

it fails

config-check

but when I do

Copy code

"logger_plugin": ["aws_firehose","tls"],

it doesn't like that either.

Zach Zeid

07/28/2020, 9:03 PM

Interestingly, I have this as a schedule

Copy code

"schedule": {
     "ping_pong": {
        "query": "select year, month, day from time;",
        "interval": 10
       }
  },

but I don't see it show up in either my tls endpoint, or in aws_firehose, or in the results.log

William Guilherme

07/30/2020, 5:07 AM

Hi everyone. Have anybody seen or create a query able to perform geolocation? either by querying an external source or pointing a range of IPs? Thank you

brad_anton

07/30/2020, 4:17 PM

anyone running FIM on production linux hosts - how's the performance?

07/30/2020, 5:27 PM

@fritz good idea, let me check

👍 1

Ryan Mack

08/05/2020, 11:29 AM

Just a heads up this triggered a bug in the createPidFile() function that I've got a follow-up PR open to fix here: 6578

Chris Broome

08/05/2020, 7:15 PM

Does anyone know of a way to get osquery to connect to a local tls endpoint without having to compile the binary with the

--tls_allow_unsafe

option turned on?

08/06/2020, 9:20 AM

Hi guys, Maybe I missing something but "*carbon_black_info"* not work at all (return empty table), Anyone know about it?

Vikram

08/06/2020, 12:53 PM

How do we force osquery to expire old data in case of no connection between the osquery endpoint and the host server. For example if there is no connection between the server and the endpoint for say 12 hours, how do we make sure osquery will return the latest ntfs_journal_events data when the connection is re-established? Right now when doing FIM, if connection is lost for some time and then returns back osquery which start with the oldest data and will lag for multiple hours. I have tried using --events_expiry but did not get the desired results.

Zach Zeid

08/06/2020, 6:25 PM

general question: There isn't really a way for osquery to read a file, correct?

sean.cavanaugh

08/06/2020, 6:36 PM

What would the ramifications of using the

--disable_database

flag be? Would blacklisted queries no longer be recorded/enforced?

Liam

08/07/2020, 9:06 AM

Does anyone have any examples of finding versions of command line tools and binaries such as git? We’re using

homebrew_packages

at the moment, but that misses out on things such as the AppleGit versions included in the Xcode CLI tools. I’m thinking the extension route might be the way to go, but just checking if anyone has solved this in an easier way?

sanjaykcse

08/09/2020, 12:28 PM

If worker thread is executing a live query request and the CPU/memory exceeds the set limit, does watchdog thread kill the worker thread or the monitoring by watchdog thread is limited to scheduled queries only?

Eddy

08/10/2020, 9:28 AM

Hello everyone. Does someone know if it is possible to get the details about the current network speed using osquery? I was trying to get

link_speed

from interface_details
but it always returns 0 for every interface

08/10/2020, 9:15 PM

Hey Yall, I am getting the following error when running an extension on Windows:

Copy code

Thrift: Mon Aug 10 14:03:35 2020 TPipe ::GetOverlappedResult errored GLE=errno = 109
Thrift: Mon Aug 10 14:03:35 2020 TConnectedClient died: TPipe: GetOverlappedResult failed

This repeats in the shell over and over. Everything seems to be working but I’d prefer if I can get the errors silenced. I dug into some of the previous times this was brought up in Slack but they all seemed to revolve around SSL issues which is not the case here. Has anyone come across this and had any luck with getting them to disappear? Error appears with and without

--verbose