osquery #general

manikant singh

10/16/2020, 10:28 AM

Hi Guys, I need a little help understanding the problem of memory limits exceeded.

we have 16 immutable memtables (waiting to flush), max_write_buffer_number is set to 16

Expiring events for subscriber: file_events (overflowed limit 50000)

Subscriber events file_events exceeded limit 5000 by: 200

Can someone please guide what is the problem here. As of now I have only two users on the machine. One is the root with which osqueryd is running and the other is guest user. which has only access to machine is via ssh. Not sure why would limit will exceed here. I have also configured FIM as follows

Copy code

file_accesses: 
  - homes
file_paths: 
  homes: 
    - /home/%%

Any help is appreciated ,thanks.

Jattind

10/16/2020, 7:54 PM

Anyone know if it's possible to make osquery work where the logger sends to the local filesystem?

Alejandro

10/19/2020, 4:53 PM

Hi, I wonder if I could get some ideas on further troubleshooting a recent EC2 performance alert that seems was generated by osquery (version 4.5.1). The EC2 runs a high number of containers and the alert was a decreased on the EBS Burst Balance. I have followed some of the recommended troubleshooting so I could determine: • None of the scheduled queries got denylisted • There is an important number of process events in the machine • osquery_events table showed at one point there were up to 1 million process events • osquery_info db size got up to 300Mb Is there any way we could reduce IOPs operations by any of the settings for highly loaded machines that generate a lot of process events? Relevant osquery config is attached. Also is there any way we can get disk statistics on Linux so we can further determined that osquery was not the cause (I think it relates to this open PR https://github.com/osquery/osquery/issues/6288 but wanted to double check). Thanks

Dan Achin

10/19/2020, 7:54 PM

Hello everyone. As we start planning our rollout, we are looking at how best to limit the impact of osquery to our production systems. I've watched this excellent presentation by @zwass, and we plan to leverage pretty much everything he discussed. However, I'm assuming that the data gathered from osquery_schedule is for scheduled queries and not ad-hoc queries. We are planning to schedule as much as possible, but at some point our security team will need to run queries as part of an investigation on a tight timeline and might revert to running something ad-hoc to get results more quickly. Assuming I'm correct in that osquery_schedule won't capture information about these queries, what are others doing to track their performance? Also, I'd love to hear if others have success stories or lessons learned around the items discussed in Zach's talk. Thanks!

Esteban

10/20/2020, 4:09 PM

There's any performance issue un 4.5.1? I'm running queries on kolide on 4.5.1 hosts and they are not returning nothing until i restart the service on each hosts. Even an osquery_info Query is taking forever and not returning nothing

Ben Montour

10/21/2020, 2:29 PM

would this be the right room to ask about Pull Request questions or is there a better room for that?

Raff_B

10/22/2020, 9:33 AM

Hi all, reviewing the resource protection mechanisms available in 4.5.1, and the fact that OSquery now sets CPUQuota to 20% time of one cpu max. upon install, isn't there a conflict with the CPU watchdog default config (25% CPU time for 9 secs) that would prevent it to fire and kill runaway queries?

fritz

10/23/2020, 4:04 PM

Copy code

SELECT datetime(unix_time, 'unixepoch', 'localtime') FROM time;

❤️ 3

Mystery Incorporated

10/25/2020, 9:34 AM

Looks to me like that article goes to great lengths to tell us about these events without mentioning how the f we turn them on....

Mystery Incorporated

10/26/2020, 4:14 AM

Hiya, What is the best way to not let osquery result log get too big? Sitting there recording event log in about 12 hours has used 574MB lol

Tej Gandhi

10/27/2020, 2:42 PM

Hello All, are we able to download files,or interact with UsrJournal or MFT utilizing OSQuery?

Ivanlei

10/27/2020, 9:47 PM

I'm hiring security engineers, SREs, & engineering managers at Apple to work on our osquery deployment. We've got a fleet of ~600k linux hosts running osquery, running custom golang plugin for audit capture, & sending results to our custom golang server.

👍 2

apple rainbow 2

osquery 2

😎 1

💯 2

Ben Montour

10/28/2020, 10:42 AM

Thanks for my first PR into osquery, first into an open source project in general actually. Even though it was a tiny thing and fairly inconsequential.

🎉 8

🍻 1

🦜 2

👍 1

Tej Gandhi

10/28/2020, 3:23 PM

Hello All,was able to deploy a fleet server on AWS, wanted to enroll in local Windows clients ,1 or 2 at the beginning and 1000's of the later on how should I proceed?

fritz

10/28/2020, 6:00 PM

@Tej Gandhi If you can, please refrain from simultaneously cross-posting in 3+ channels. It's reasonable to pursue a second channel after you've given people a chance to respond and gotten no answer, but otherwise it can come across as spamming and may be poorly received.

Mystery Incorporated

10/28/2020, 6:28 PM

There has to be a way to stop these logs blowing out right?

Mystery Incorporated

10/28/2020, 6:31 PM

Copy code

Expiring events for subscriber: windows_events (overflowed limit 50000)

allister

10/29/2020, 3:47 AM

it's been several years at this point, is there a place I can file a bug that osquery.io doesn't write the actual page on first access? 😉

fritz

10/29/2020, 1:49 PM

@Mystery Incorporated If you guys are using Launcher, I will just throw out another 💯 for @seph’s awesome WMI passthrough table (

kolide_wmi

) which allows you to get things like USB devices on Windows. For example I just wrote a PoC query to do exactly that:

Copy code

WITH pnp_raw AS (
  SELECT * FROM kolide_wmi WHERE class = 'Win32_PnPEntity' AND properties = 'Availability,Caption,ClassGuid,CompatibleID,ConfigManagerErrorCode,ConfigManagerUserConfig,CreationClassName,Description,DeviceID,ErrorCleared,ErrorDescription,HardwareID,InstallDate,LastErrorCode,Manufacturer,Name,PNPClass,PNPDeviceID,PowerManagementCapabilities,PowerManagementSupported,Present,Service,Status,StatusInfo,SystemCreationClassName,SystemName'),
pivot_wmi AS (
  SELECT 
    MAX(CASE WHEN key = 'Availability' THEN value END) AS availability,
    MAX(CASE WHEN key = 'Caption' THEN value END) AS caption,
    MAX(CASE WHEN key = 'ClassGuid' THEN value END) AS class_guid,
    MAX(CASE WHEN key = 'CompatibleID' THEN value END) AS compatible_id,
    MAX(CASE WHEN key = 'ConfigManagerErrorCode' THEN value END) AS config_mgr_err_code,
    MAX(CASE WHEN key = 'ConfigManagerUserConfig' THEN value END) AS config_mgr_user_config,
    MAX(CASE WHEN key = 'CreationClassName' THEN value END) AS creation_class_name,
    MAX(CASE WHEN key = 'Description' THEN value END) AS description,
    MAX(CASE WHEN key = 'DeviceID' THEN value END) AS device_id,
    MAX(CASE WHEN key = 'ErrorCleared' THEN value END) AS error_cleared,
    MAX(CASE WHEN key = 'ErrorDescription' THEN value END) AS error_description,
    MAX(CASE WHEN key = 'HardwareID' THEN value END) AS hardware_id,
    MAX(CASE WHEN key = 'InstallDate' THEN value END) AS install_date,
    MAX(CASE WHEN key = 'LastErrorCode' THEN value END) AS last_error_code,
    MAX(CASE WHEN key = 'Manufacturer' THEN value END) AS manufacturer,
    MAX(CASE WHEN key = 'Name' THEN value END) AS name,
    MAX(CASE WHEN key = 'PNPClass' THEN value END) AS pnp_class,
    MAX(CASE WHEN key = 'PNPDeviceID' THEN value END) AS pnp_device_id,
    MAX(CASE WHEN key = 'PowerManagementCapabilities' THEN value END) AS pwr_mgmt_capabilities,
    MAX(CASE WHEN key = 'PowerManagementSupported' THEN value END) AS pwr_mgmt_supported,
    MAX(CASE WHEN key = 'Present' THEN value END) AS present,
    MAX(CASE WHEN key = 'Service' THEN value END) AS service,
    MAX(CASE WHEN key = 'Status' THEN value END) AS status,
    MAX(CASE WHEN key = 'StatusInfo' THEN value END) AS status_info,
    MAX(CASE WHEN key = 'SystemCreationClassName' THEN value END) AS system_creation_class_name,
    MAX(CASE WHEN key = 'SystemName ' THEN value END) AS system_name
  FROM pnp_raw
  GROUP BY parent)
SELECT * FROM pivot_wmi WHERE pnp_class = 'USBDevice'

Julian Scala

10/29/2020, 6:45 PM

Hey! Good afternoon everyone! I have a Daemon requesting config on and endpoint using the

--config_endpoint

. Does anyone has the response payload I need to respond to the daemon? I want to pass flags to the daemon and the docs only show how to schedule queries.

Dan Achin

10/29/2020, 8:43 PM

Hi, we are currently working to evaluate using launcher to build our packages and the engineer we have looking at the Windows side is having some trouble getting started. Windows is not something we have tons of expertise with. 🙂 Looking at the documentation, I see: Building windows packages Windows packages use

wix

and

package-builder

must be run on a windows machine with binaries in the appropriate places. Can anyone tell me where those appropriate places are? I'm guessing someone here has used launcher to build windows packages.

Gonzalo Saad

10/29/2020, 8:59 PM

Hi! I'm playing around with the distributed queries. I got the daemon to

read

(I saw that in the osqueryd logs) but I do not get the daemon to

write

or even show something like this:

Executing distributed query: kolide_detail_query_os_version: select * from os_version limit 1

I'm not using the fleet server, doing an experiment haha. I

disable_distributed=false

and the result of the

/distributed/read

is this one:

Copy code

{
  "queries": {
    "dad0f587-abf3-4278-8664-7bc6fa8a8b762": "select * from system_info"
  },
  "node_invalid": false
}

What could be misconfigured in the daemon to not write data?

Mystery Incorporated

10/30/2020, 5:09 AM

back into my conf file, even tho it is in the flags file. Is that a bug? How do i know what goes in flags and what goes in conf?

Stefano Bonicatti

10/31/2020, 1:41 PM

@Zach Zeid The schema https://osquery.io/schema/4.5.1/#rpm_packages shows that there's an install_time

Brandon

11/02/2020, 8:51 PM

I cannot seem to collect powershell logs. Can someone let me know where my config is off?

Copy code

--disable_events=false
--disable_forensic=false
--enable_windows_events_publisher=true
--enable_windows_events_subscriber=true
--windows_events_channel=System,Application,Setup,Security,Microsoft-Windows-PowerShell

sundsta

11/05/2020, 10:10 PM

osquery’s stdout/stderr should contain the details about where its logging, and any errors its running into while writing

Macear

11/06/2020, 10:58 AM

Hi 👋 does osquery have some option like

sslCommonNameToCheck

? It would be really useful to specify common name of TLS server manually. Does the flag

insecure

disable common name checking?

manikant singh

11/06/2020, 1:59 PM

Hi, I am getting an error while scheduling queries Malformed syscall event. The saddr field in the AUDIT_SOCKADDR record could not be parsed: "00000000000000000000000000000000" can someone please help what does this error means ?

Ahmed

11/09/2020, 1:20 PM

Hey Folks, trying to build network_monitor extension from trailofbits followed the build guide for osquery and their github page. keep getting fatel errors. i’m building in a fresh debian:latest docker image. any advise, i’m only interested in building the extensions and not osquery itself. thanks a lot.

Dan Achin

11/09/2020, 10:13 PM

Hello everyone. I have a question on the watchdog defaults. The docs have: The level limits are as follows: Memory: default 200M, restrictive 100M CPU: default 25% (for 9 seconds), restrictive 18% (for 9 seconds) However, the osquery at scale presentation that zwass gave had different values (for CPU). • Default settings: “normal” • CPU - Over 10% for up to 12 seconds • Memory - Up to 200MB • --watchdog_level=1: “restrictive” • CPU - Over 5% for up to 6 seconds • Memory - Up to 100MB Those are pretty significant differences for CPU so I'd like to verify the defaults. Thanks!