Hello I am new to OSQuery and was wondering how does OSQuery gather information from the operating system? Sorry if this is a silly question.

I’m having some trouble trying to determine the best path forward for client collection. We are trying to find the right settings to allow us to: • Update end user computers with new ad hoc queries and new scheduled query packs • Reduce network overhead for remote clients connecting to our TLS logging endpoint (Kolide) • Allow for on-the-fly configuration changes such as to auto_table_construction Can I get a little help understanding when things like pack_refresh_interval apply (and are ad hoc queries considered a “pack”?), distributed_interval, and config_refresh apply to the above goals?

Does anyone know how long fleet (by default) waits for a client check-in before it marks that client offline? Also, which client setting controls the 'check-in'? I'm guessing there may be various client actions that could signal to fleet that a client is online, including a config_refresh, or checking with the distributed query server to check if there are queries to execute (i.e. distributed_interval) and others. Any guidance?

Does the profiler work on fleet yaml at all?

Hi, is there a way to disable

file_events

while keeping

process_file_events

enabled. We plan to enable audit based FIM enabled while keeping inotify based FIM disabled? We want to reduce the resource consumption by reducing the inotify handles opened.

How come

profile.py

only seems to work on

osquery.conf

files, and not files that are just rule packs like

incident-response.conf

?

Hi Guys! I wanted to ask if anyone knew whether on-demand YARA scanning was working for Windows since I've been trying to test it by creating a notepad file with a string and creating a rule in the same folder, however when I query it, "*SELECT* * FROM yara WHERE path=" U:\test" AND sig_group=" U:\test\new.yar";" , it doesnt work

let me example my complete situation. 1. First I was trying to configure osquery without remote settings. 2. I enabled process events logging using rsyslog made changes to rsyslog.conf as per documentation.

template(
  name="OsqueryCsvFormat"
  type="string"
  string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")

3. After that I enabled scheduled queries and everything worked fine. I was able to query process events successfully. (after configuring required flags). Now, I am trying the same thing with docker container as a host and kolide fleet as server. I made same changes for this but changed properties as per requirement for TLS . This time able to make queries from fleet to osqueryd running inside docker container. But the only issue is with process events. It's doesn't get logged. I installed rsyslog on container but restart rsyslog doesn't work here. Finally: My doubt is is rsyslog is really required when kolide fleet is used to schedule process events queries.

Does osquery has any support to launch extensions on-demand instead of auto loading extensions at start

Ah, I was wondering about that before as well. Gives it time to bake in before hitting the repos. I like it. Thanks for the heads up, didn’t realize the full process.

Hi 👋 I’ve got the following question: Say, we have some devices (Mac OS) which are online for several hours then goes offline then again turned on etc. As I got it, osquery resets its inner timer every time after it (even if device has been put to sleep, hibernated) and some queries with high interval will never launch. Right? If so, is there any workarounds to make such queries run except reducing interval itself as it causes an increase of events?..

The table windows_eventlog is for 4.5.0 right? I have that version and the Query fails

HI Failed run osqueryd on OS Windows 10 C:\Windows\system32>sc.exe qc osqueryd [SC] QueryServiceConfig: успех Имя_службы: osqueryd Тип : 10 WIN32_OWN_PROCESS Тип_запуска : 2 AUTO_START Управление_ошибками : 1 NORMAL Имя_двоичного_файла : C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile="C:\ProgramData\osquery\osquery.flags" Группа_запуска : Тег : 0 Выводимое_имя : osqueryd Зависимости : Начальное_имя_службы : LocalSystem

are sysdig's falco and osquery competitors?

Hi Community, I have an issue I don't understand. I have a simple diff query

select * from crontab;

Every-time this query runs, I get the log message

Storing initial results for new scheduled query

which means this is behaving like a snapshot query, not a diff query. Any idea how how to troubleshoot or resolve this?

@Prateek Kumar Nischal here is a fix https://github.com/osquery/osquery/pull/6694

Hey guys, I have been implementing FIM in my org using the process_file_events and it is working good in regular systems. But lately in certain systems which has high I/O, the CPU usage is getting kind of crazy shooting upto 150% parsing all those read, open, write syscalls and sometimes shooting the memory limit. Most of those events are noise, Due to the the watchdog is going crazy on osquery and respawning the daemon. Is there something obvious that I am missing in the config. The audit params are almost default with just

events_max=50000

which I don’t think is very tightly related with audit logs. I don’t have any immediate optimisations to keep the cpu under control and I don’t want to move the watchdog to level -1 (i.e. unbounded). Is there something i can do with this. I am fine for now to drop a few events (I know auditd does that) if there are too many events.

Also, would the experimental bpf based implementation help in this regard so that we can rule out most of noise in the kernel space and not let it enter the full blown processing within osquery. I would be really interested in that. PS: I am not using the managed audit config and letting osquery manage the audit config as we kind of need some globbing patterns in the file patterns.

In your situation I recommend setting a CPUQuota for the systemd service to limit osquery’s usage to something reasonable.

one quick clarification,

// % of (User + System + Idle) CPU time worker can utilize
// for LATENCY_LIMIT seconds.
{WatchdogLimitType::UTILIZATION_LIMIT, {10, 5, 100}},

// Seconds of tolerable UTILIZATION_LIMIT sustained latency.
{WatchdogLimitType::LATENCY_LIMIT, {12, 6, 1000}},

This utilization limit is cpu time considering a single core right.. and utlization limit 100 means osquery is free to fully utilize a single core for itself.

hey guys, I have a question 🙂. I am trying to add swap memory info for windows. according to https://osquery.io/schema/4.5.1/#memory_info, the memory_info table is only available on linux. I already have a python script that fetches swap memory usage details using psutils. My question is, what would be the most elegant way to add this info to osquery? Do I need to edit the source code and recompile? would there be a problem for me to write a python script that checks the os, and if it's windows, it would just create the _memory_info_ table and insert the relevant information?

Getting SIGSEGV  for osquery daemon (osqueryd). It cores even there is no execution of pack/query from fleet. I have downloaded the debug symbols  also , but still not getting the address mapping to symbol file . Any pointers how to debug this Osquery  daemon crash ? # gdb -iex "set auto-load safe-path /lib" /tmp/osqueryd-4.4.0-1.x86_64.debug -c /var/cores/core.osqueryd  GNU gdb (GDB) 7.10 Copyright (C) 2015 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-openwrt-linux". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from /tmp/osqueryd-4.4.0-1.x86_64.debug...done. warning: core file may not match specified executable file. [New LWP 4862] [New LWP 4871] [New LWP 4870] [New LWP 4869] [New LWP 4868] [New LWP 4867] warning: Unexpected size of section `.reg-xstate/4862' in core file. warning: Could not load shared library symbols for linux-vdso.so.1. Do you need "set solib-search-path" or "set sysroot"? warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available. warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available. Core was generated by

osquery                         '.
Program terminated with signal SIGSEGV, Segmentation fault.

warning: Unexpected size of section

.reg-xstate/4862' in core file. #0 0x00007f43fac971db in ?? () [Current thread is 1 (LWP 4862)] (gdb) bt  #0 0x00007f43fac971db in ?? () #1 0x0e24f4832af29500 in ?? () #2 0x0e24f4832af29500 in ?? () #3 0x00007f43fd415a80 in ?? () #4 0x00007f43fd408318 in ?? () #5 0x00007f43fd43aa48 in ?? () #6 0x00007fff53d99700 in ?? () #7 0x00007fff53d997a0 in ?? () #8 0x00007f43fb44425a in ?? () #9 0x00007f4300000000 in ?? () #10 0x00007fff53d99730 in ?? () #11 0xffffffffffffffff in ?? () #12 0x00007f43fba1ff4d in ?? () #13 0x0000000000000000 in ?? () (gdb) info r rax      0xe24f4832af29500 1019208259891008768 rbx      0x7f43fd415a80 139929988455040 rcx      0x7f43f92c2b98 139929919957912 rdx      0x7f43fa28a7b7 139929936504759 rsi      0x0 0 rdi      0x7fff53d995a0 140734600156576 rbp      0x7fff53d99c90 0x7fff53d99c90 rsp      0x7fff53d99540 0x7fff53d99540 r8       0x7fff53d99560 140734600156512 r9       0x7f43f905dda0 139929917447584 r10      0x4e585f3531314758 5645366814972135256 r11      0x7f43f9097f40 139929917685568 r12      0x0 0 r13      0x7f43fd43aa48 139929988606536 r14      0x7f43fa28a7b7 139929936504759 r15      0x7fff53d995a0 140734600156576 rip      0x7f43fac971db 0x7f43fac971db eflags     0x10246 [ PF ZF IF RF ] cs       0x33 51 ss       0x2b 43 ds       0x0 0 es       0x0 0 fs       0x0 0 gs       0x0 0 (gdb) x/i 0x7f43fac971db => 0x7f43fac971db: Cannot access memory at address 0x7f43fac971db (gdb) x/i 0x7fff53d99540   0x7fff53d99540: add  %dl,-0xb7cd50e(%rbp) (gdb) x/i $rsp         0x7fff53d99540: add  %dl,-0xb7cd50e(%rbp) (gdb) x/10x $rsp 0x7fff53d99540: 0x2af29500 0x0e24f483 0x2af29500 0x0e24f483 0x7fff53d99550: 0xfd415a80 0x00007f43 0xfd408318 0x00007f43 0x7fff53d99560: 0xfd43aa48 0x00007f43 (gdb) x/10i $pc => 0x7f43fac971db: Cannot access memory at address 0x7f43fac971db (gdb) x/10x $bsp Value can't be converted to integer. (gdb) x/10x $rbp 0x7fff53d99c90: 0xfd43aa10 0x00007f43 0xfd43aa10 0x00007f43 0x7fff53d99ca0: 0x00000001 0x00000000 0x6261740a 0x0000656c 0x7fff53d99cb0: 0x00000000 0x00000000

Hello, I use the Fleet Kolide 3.1 with osquery V4.5.0-1, in the osquery.conf configuration I changed the decorators example : "decorators": { "load": [ "SELECT cpu_type AS arch FROM system_info;", "SELECT uuid AS host_uuid FROM system_info;", . "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;", ] }, but in the fleet logs osquery_result doesn't change it uses the default decorators, Is in Osquery 4.5.0-1 the code to change for decorators management ?

@Sam.P what do you mean numeric fields to true?

Hey all, I have been actively working with osquery and Kolide for over a few months now and I have come here multiple times for doubts and discussions. I want to thank you all especially @zwass, @seph and @fritz. To contribute back to the community I have a couple of custom osquery extensions, I just wanted to ask if custom tables are accepted as contributions or not.

Hi All, Is it possible to integrate os query installed in a windows 10 machine with zeek installed in linux machine. I wanted to send os query related logs from windows machine to zeek machine . If possible how is it done. could anyone please guide.

@Sam.P

SELECT physical_memory FROM platform_info;

Hi Guys! I wanted to ask if anyone knew where the base FileEventSubscriber for windows is defined?

Hi all, I'm getting a

could not start extension process

error when trying to use a python .ext extension. It only works if I suspend osqueryi and run the extension with python. Any help would be appreciated. The extension is the sample python extension, I'll paste it in thread

Hi Guys, Can some tell what number represents what protocol in "listening_ports" table. For example here protocols value is 6. what does it mean? TCP/UDP or any other protocol if any. Here state "ESTABLISHED" suggest TCP connection. But I would to know if protocol number can be mapped to protocol name. Can anyone please either give reference to a document or list its type.

{
  "family": 2,
  "fd": 3,
  "local_address": "45.55.41.97",
  "local_port": 22,
  "net_namespace": 4026531957,
  "path": "",
  "pid": 29831,
  "protocol": 6,
  "remote_address": "128.199.169.146",
  "remote_port": 42266,
  "socket": 32357509,
  "state": "ESTABLISHED"
}

Thanks for your help.