Seshu
01/30/2021, 2:11 AM
demonbhao
02/01/2021, 8:37 AM
zwass
We are seeing this random issue on servers having 4.6 version installed being unresponsive after a while from fleet using live queries. 4.5.1 is working fine without any issues. I went on the server and did a restart of the agent and it started back up but then it went back to being non-responsive again. Verbose TLS logging on agent side won't show anything since it was restarted.
David J Davis
02/02/2021, 5:44 PM
David Marshall
02/02/2021, 8:26 PM
<https://pkg.osquery.io/rpm/osquery-s3-rpm.repo>
demonbhao
02/04/2021, 2:03 AM
ccombs
02/04/2021, 3:50 PM
arod
02/04/2021, 7:49 PM
fritz
02/04/2021, 7:58 PM
Bacarus
02/05/2021, 11:11 AM
harroldhino
02/08/2021, 5:43 PM
Valentín
02/09/2021, 12:54 AM
Juan Alvarez
02/09/2021, 2:15 PM
windows_event_channels? I tried to update it via fleet, and also via the flags file, but I do not get a consistent behavior. I would say it works better via flags file, but it seems that once a channel is enabled, removing it from the flags file does not take effect. It would seem those channels get stored somewhere.
ccombs
02/09/2021, 7:30 PM
epoch works when it comes to distributed queries. I've tried looking through the documentation but it doesn't seem to be very clear, if epoch isn't set in the osquery configuration files then is it 0 by default? I'm asking because I'm trying to make differential distributed queries, but I keep getting results back with epoch and counter both set to 0 which seems odd.
Macear
02/11/2021, 10:59 PM
Macear
02/12/2021, 2:13 AM
William Guilherme
02/12/2021, 5:15 PM
-- list trusted root certificates with a formatted expiry date (format string and modifier corrected: '%d/%m/%Y' and 'unixepoch')
SELECT common_name, issuer, strftime('%d/%m/%Y', datetime(not_valid_after, 'unixepoch')) AS expiration_date FROM certificates WHERE path = 'CurrentUser\Trusted Root Certification Authorities' ORDER BY common_name;
-- match a fixed set of common names (IN takes a comma-separated list of values, not OR-joined comparisons)
SELECT common_name FROM certificates WHERE common_name IN ('SGIO Test Root CA - G2', 'SGIO Root CA G2', 'SGIO Basic Assurance CA2', 'SGIO Basic Assurance CA2 G2', 'SGIO Basic Assurance CA G2');
Bacarus
02/15/2021, 11:27 AM
Bacarus
02/15/2021, 3:56 PM
Chris Benninger
02/17/2021, 5:53 PM
Shawn Hoskins
02/18/2021, 2:11 PM
Ahmed
02/18/2021, 3:26 PM
W0218 10:08:54.518049 1393 events.cpp:311] Expiring events for subscriber: user_events (overflowed limit 500000)
W0218 10:10:09.537274 1393 events.cpp:311] Expiring events for subscriber: process_events (overflowed limit 500000)
This is the eventing part in my flags file, hopefully it's correct:
--audit_allow_config=true
--audit_allow_sockets=true
--audit_persist=true
--disable_audit=false
--events_max=500000
--events_expiry=86400
--disable_events=false
--audit_persist
--events_optimize=true
Any thoughts, suggestions or help? Thanks a lot.
Macear
02/19/2021, 7:14 AM
demonbhao
02/20/2021, 9:47 AM
demonbhao
02/25/2021, 8:35 AM
Thomas Marsh
02/25/2021, 4:09 PM
osqueryd (and osqueryi is just a symbolic link to that).
Thomas Marsh
02/25/2021, 6:16 PM
Ahmed
02/26/2021, 2:42 PM
Feb 26 09:37:33 osquery-1 systemd[1]: Stopping The osquery Daemon...
Feb 26 09:37:33 osquery-1 systemd[1]: Stopped The osquery Daemon.
lsof |grep LOCK
osqueryd 3892 root 4uW REG 8,1 0 109052187 log/osquery/db/osquery.db/LOCK
rocksdb:b 3892 3894 root 4uW REG 8,1 0 109052187 log/osquery/db/osquery.db/LOCK
rocksdb:b 3892 3895 root 4uW REG 8,1 0 109052187 /log/osquery/db/osquery.db/LOCK
rocksdb:b 3892 3896 root 4uW REG 8,1 0 109052187 /log/osquery/db/osquery.db/LOCK
rocksdb:b 3892 3897 root 4uW REG 8,1 0 109052187 /log/osquery/db/osquery.db/LOCK
rocksdb:b 3892 3971 root 4uW REG 8,1 0 109052187 /log/osquery/db/osquery.db/LOCK
Extension 3892 3972 root 4uW REG 8,1 0 109052187 /log/osquery/db/osquery.db/LOCK
Extension 3892 3973 root 4uW REG 8,1 0 109052187 /log/osquery/db/osquery.db/LOCK
ConfigRef 3892 3974 root 4uW REG 8,1 0 109052187 /log/osquery/db/osquery.db/LOCK
ps aux|grep osquery
root 3892 0.0 0.4 324152 18112 ? SNl Feb24 0:02 /usr/bin/osqueryd
when starting the service without killing the old one.
Feb 26 09:42:16 osquery-1 osqueryd[11789]: I0226 09:42:16.969327 11791 rocksdb.cpp:149] Rocksdb open failed (5:0) IO error: While lock file: /log/osquery/db/osquery.db/LOCK: Resource temporarily unavailable
Ryan Small
02/26/2021, 6:03 PM
Stefano Bonicatti
03/02/2021, 3:39 PM
windowseventlogpublisher creates.
There are multiple tables that will receive those events, and which receives what event is chosen by the shouldFire function in the publisher, which as you can see uses the event channel name that a subscriber listens to.
Each subscriber selects the channels in their init function and puts them in channel_list which is later used in shouldFire