Hi guys, In my organization there is Windows DC׳s servers with a lot of login users (around 50 users). When I tried to ask query from users or logged_in_users table the process was hang until I kill the process. Anyone meet this? An idea for a solution? osquery 4.3.0

I am getting peculiar issue with osquery daemon. In my setup , osquery daemon is taking to fleet and configure to send log/results to fleet. If fleet is down or there is no connectivity between fleet and osqueryd for 3- mins to 1hr , the worker thread is getting segfault and core dumps continuously . If I set logger_plugin to filesystem , fleed does not receive results also . Any suggestion , how to fix this ?

I am trying to import osquery conf files(packs) in fleet. I don't see any option in UI. Can anyone give me some pointers if I can import conf files directly instead of creating them manually via fleet UI.

hello everyone.  I think this question belongs here vs #fleet, but could go either way I guess.  After watching one of the presentations at osquery@scale (Reliable osquery deployment for the paranoid), we have decided that we are going to manage our osquery config at our clients (via puppet mostly) vs setting the config centrally at Fleet (which we do currently).  Current config in our flags file (minus anything sensitive), some of which is already being overridden by Fleet:

--enroll_secret_path=

--tls_hostname=

--host_identifier=

--enroll_tls_endpoint=/api/v1/osquery/enroll

--config_plugin=tls

--config_tls_endpoint=/api/v1/osquery/config

--config_refresh=3600

--disable_distributed=false

--distributed_plugin=tls

--distributed_interval=60

--distributed_tls_max_attempts=3

--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read

--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write

--logger_plugin=tls

--logger_tls_endpoint=/api/v1/osquery/log

--logger_tls_period=10

I'd just like to confirm the recommended approach to do that would be to remove the following settings from our osquery.flags file (and remove the config we are setting at Fleet - the stuff in osquery options / fleetctl get options):

--config_refresh

--config_plugin

--config_tls_endpoint

Anything else?

Anyone seen errors like

RocksDB: [WARN] [db/db_impl/db_impl_open.cc:1805] Persisting Option File error: OK

? This seems to be perhaps associated with the database getting reset (we notice a new

instance

host identifier) right around the time this is logged.

Hello everyone, I need help with this query: given an ip, there is a way to have the route to reach that ip with osquery? (something like the tracert command)

Hi, I got a question I found /metrics endpoint is it publically open or can I use this metrics data to show in graph? I am totally new in fleetOSquery

Hi. What are the differences between the file_events and process_file_events table? For example, one table leverages inotify publisher while the latter table requires the Linux audit framework.

Hey all is there a delay between when a command is ran and when it gets populated in the

shell_history

table?

hey trying to troubleshoot a table extension on ubuntu18 it works as expected when I manually load the extension. either via

osqueryi --extension /etc/osquery/foo.ext

or

osqueryi --nodisable_extensions

and other session

/usr/bin/python /etc/osquery/foo.ext --socket /root/.osquery/shell.em

the very same extension autoloads fine on an older box different distro... double checked the configs. they match on working and non-working endpoints. turned on --verbose, but all I see in the non-working logs is

/var/log/osquery/osqueryd.INFO.20210312-185550.13594:I0312 18:55:58.125411 13630 registry_factory.cpp:107] Extension 37844 registered table plugin foo
/var/log/osquery/osqueryd.INFO.20210312-203820.19041:I0312 20:38:29.640424 19081 interface.cpp:110] Registering extension (foo, 26890, version=1.0.0, sdk=1.8.0)

I see it registered

osquery> select * from osquery_extensions;
+-------+-------------------+---------+-------------+-------------------------------+-----------+
| uuid  | name              | version | sdk_version | path                          | type      |
+-------+-------------------+---------+-------------+-------------------------------+-----------+
| 0     | core              | 4.5.1   | 0.0.0       | /root/.osquery/shell.em       | core      |
| 35494 | foo               | 1.0.0   | 1.8.0       | /root/.osquery/shell.em.35494 | extension |
+-------+-------------------+---------+-------------+-------------------------------+-----------+

but when auto-loading

osquery> select * from foo;
Error: no such table: foo

just wondering if there's any other pointers out there that I'm not finding in the docs.

Thank you

Also - sounds like a really neat blog post

Is osquery able to detect what files/folders in a system are accessed including just a READ? I would like to find out the entire set of files/folders or other assets accessed without knowing the list beforehand. Most other monitor tools you have to know what you want to monitor first. Anyone with example will be appreciated.

basically I'm getting an error that osquery can't find conf file, but I'm able to list the contents via powershell in the path listed in the error message. Running this in a 2019 core docker containers.

Has anyone had issues with the osquery client creating new sessions at the same interval as tls logger period? We set ssl_session_reuse to true, but that didn't change the behavior

HI guys, I run “osqueryi --line “SELECT version from osquery_info;” and nothing respond, do you know what is the problem.?

If I have an expensive query in a view, and I query it multiple times, does it benefit from caching at all?

Hiii, I am struggling add host, Getting error TLS/HTTPS POST request to URI: https://xxxxx:8412/api/v1/osquery/enroll Failed enrollment request to https://xxxxx:8412/api/v1/osquery/enroll (Request error: certificate verify failed) retrying... flagfile.txt

# Server
--tls_hostname=xxxxx:8412
--tls_server_certs=/home/dell/fleet.pem

# Enrollment
--host_identifier=instance
--enroll_secret_path=/home/dell/secret.txt
--enroll_tls_endpoint=/api/v1/osquery/enroll

# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10

# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write

# Logging
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10

# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2000000

secret.txt and fleet.pem are at home directory. please help me to resolve this issue. Thank you

https://github.com/osquery/osquery-site/tree/source/src/data/osquery_schema_versions has all the recent-ish versions

Hi, how can I put static data in as a decorator so say I just want to always include the string "TAG81928" as a decorator.

Another question, my osqueryd seems to make a gazillion .info and .warning files. Is there anyway I can stop this happening?

Hey all, the carves table gives the message

The carves table returns data based on the current user by default, consider JOINing against the users table

I don't see a uid or shared data field between the carves table and the users table. What can be done to address this message?

I tried select * from file_events; to test out file creation (use touch comand) an dit works; but how can when I jsut READ the very same file again using more or ls; it is not showing the file was accessed as READ. how can I do that?

how can I use pid as a key to query for file_evernts? I want to know which files a known pid has accessed and changed? I am not seeing pid as part of the file_events table returned.

I'm trying to connect orbit to a fleet server but whenever I run orbit I get the error:

download target osquery/windows/stable/osqueryd: tuf: unknown target file: osqueryd/windows/stable/osqueryd.exe

I'm running a fleet preview instance with fleetctl3.9.0 on ubuntu server. The client is a windows10 desktop with osquery4.7.0 installed. I'm using the orbit v0.0.1 release binaries running from an elevated command prompt.

Hello everyone. We are experiencing a very strange issue with some of our osquery clients (both Windows and Mac) where they send massive amounts of data to Fleet - 1 - 3 GB per hour. The bandwidth usage is orders of magnitude more than the size of the events on disk (in logs) and in our backend Splunk infra. We are still investigating, but we were able to get a pcap from a Windows client while it was happening and we see osquery sending each packet 5 - 7 times, which then causes Fleet to respond 5 - 7 times. Has anyone experienced anything like this? I've opened https://github.com/osquery/osquery/issues/7021 and planned to bring it to office hours next week.

anyone know how to collect dns requests made?

@here I am new to osquery like to clarify few questions. 1) if there is no change in the table the schedule interval query result will not be added to log file ? 2) is there a way to configure to output each query into a new output file

Hey guys, so while installing osquery in docker images in a M1 laptop, I noticed that the

ubuntu:20.04

images identify the architecture as

aarch64

instead of

arm64

. Does it make sense to duplicate the published package to be both

arm64

and

aarch64

?

hello,I found a problem and need help: the result of the query on the terminal is normal, but when running through a scheduled task, the result is different from the display on the terminal. Why?