Hello, I found through the log that my osquery difference detection memory sends a log every 7 days. From the feedback of the log, it seems that the information querying by osquery before has been deleted within 7 days. Is this caused by the problem of RocksDB within my osquery?

I guess I misundertand what process_open_files privides in macos. I installed an applicaton under /home/app (forexample( that writes and access a bunch of temp logs under the (/home/app). What I want to do is to check all the files accessed in the sytem post installation. But the result returned from. select * from process_open_files does not show any results under /home/app which I doube checked and am sure new files and folders are created. Anyone know why? And sure some user error.

hi, is there a way to have all scheduled queries run once on boot (or shortly thereafter) and then back off to a less frequent differential/snapshot interval? Trying to solve the problem of visibility into short-lived cloud instances without overloading the query interval for ones that live longer.

Does anyone use osquery to detect abnormal server ports and processes? Share my query statement, welcome everyone to discuss the feasibility Abnormal port: select p.name as process_name, p.path, lp.port, lp.address, lp.protocol from listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0 AND p.name != '' Abnormal proccess: select distinct(pr.name), usr.username, pr.path, pr.cmdline from processes pr LEFT JOIN users usr ON pr.uid = usr.uid WHERE pr.cmdline != '' AND pr.name not like '%systemd%' AND pr.name not like '%nslcd%' AND pr.name not like '%filebeat%' AND pr.name not like '%agetty%' AND pr.name not like '%node_exporter%' AND pr.name not like '%zabbix%' AND pr.name not like '%dns%' AND pr.name not like '%dockerd%' AND pr.name not like '%redis%' AND pr.name not like '%sleep%' AND pr.name not like '%chronyd%'

Hello, is it possible to rename the windows service/linux daemon so that a malicious script that gains elevated privileges doesn't just search for osqueryd running and kill it? Of course not saving in C:\Program Files\osquery would be a requirement of this.

Hey Folks, have anyone developed a query that gathers performance data about the osquery agents them selfs across all systems ? Thank you so much!

Will osquery daemon process auto reload when osquery.conf changes at runtime by user?

morning, I have a question and problem, I made a query to bring powershell events through the powershell_events table: I created a pack with this query select * from powershell events But when I did it started to get a flood of events and the traffic went up from 150MB to 1GB I realized after 5 min later .... When I realized I stopped the pack, even excludes it but still this event keeps coming is there anything to be done so that the hosts stop sending or just wait to normalize? This pack was run for 2500 hosts

Hi! Has anyone tried to deploy Kolide Fleet? 😕 I am having issues with the certs.

Hello everyone, is there a group that addresses fleet issues.thanks

HI all .... Sorry for this simple question: I am doing some tests with osquery and I need to uninstall it in Windows platforms ... but there is not an uninstall procedure ... How can I uninstall osquery in Windows platforms?

Facing this issue while running the tailsofbits OSQuery extension in MAC E0408 182608.503185 189222912 registry_factory.cpp:179] table registry HostDenylist plugin caused exception: Failed to create the firewall object Error: Failed to create the firewall object The code snapshot of trailsofbuts fwctl code IFirewall& GetFirewall() { static bool conf_dir_init_status = InitializeConfigurationFolder(); if (!conf_dir_init_status) { throw std::runtime_error( "Failed to initialize the firewall configuration folder"); } static std::unique_ptr<IFirewall> firewall; static IFirewall::Status firewall_init_status = trailofbits::CreateFirewallObject(firewall); if (!firewall_init_status.success()) { throw std::runtime_error("Failed to create the firewall object"); } return *firewall.get(); }

Had a user in my org report an issue installing osquery. They're using RHEL, so I'm following along with the 'alternative install options' on https://osquery.io/downloads/official/4.70. For my test, running all in docker:

docker run -it <http://registry.access.redhat.com/ubi8/ubi:8.1|registry.access.redhat.com/ubi8/ubi:8.1> bash

# yum-config-manager needs to be installed on this system
yum install yum-utils

# no sudo installed by default and already running as root, so I've modified instructions to remove sudo, but otherwise are the same:
curl -L <https://pkg.osquery.io/rpm/GPG> | tee /etc/pki/rpm-gpg/RPM-GPG-KEY-osquery

yum-config-manager --add-repo <https://pkg.osquery.io/rpm/osquery-s3-rpm.repo>

yum-config-manager --enable osquery-s3-rpm
Error: No matching repo to modify: osquery-s3-rpm.

^ I noticed the instructions failed at this point. I opened https://pkg.osquery.io/rpm/osquery-s3-rpm.repo to take a look... Looks like the repo name changed or something? Shows as

osquery-s3-rpm-repo

instead of

osquery-s3-rpm

. Seems to pan out, because changing the line to this works:

yum-config-manager --enable osquery-s3-rpm

And then I'm able to successfully install osquery with

yum install osquery

hi all Is there any way to monitor the use of a dll or the execution of a dll? I am looking to monitor the use or execution of "wininet.dll"

Hey everyone. I noticed that the rpm for the 4.7 version of osquery for linux comes with the .linux suffix, but the previous versions did not. Is that expected?

Hello everyone! Is it possible to find something like http://woshub.com/sccm-and-wmi-query-to-find-all-laptops-and-desktops/ using osquery? We want to do some aggregation based on host type for some statistics stuff, but I don’t clearly understand how to do it remotely using osquery.

@Artem if you use Kolide's SaaS service or kolide launcher, we have a WMI table which allows you to build a query similar to what is shown in that article.

Hi! When i try FIM in osquery in logs i see

auditdnetlink.cpp:647] Failed to set the netlink owner

But, i don't have auditd in my OS. This is my conf

"options": {
    "audit_allow_config": "true",
    "audit_allow_fim_events": "true",
    "audit_allow_sockets": "true",
    "audit_fim_show_accesses": "true",
    "enable_file_events": "true",
    "disable_events": "false",
    "audit_persist": "false",
    "disable_audit": "false",
    "audit_allow_process_events": "true",
    "pack_delimiter": "/",
    "config_plugin": "filesystem"
  },

Whai is my error? could anyone help pls?

^ https://osquery.slack.com/archives/C08VA3XQU/p1618481966125200

Temporary tag to test something in the new codesigning workflow 🙂

Hi! Does anybody know how I can correctly set exclusions for process_events through auditd? As I know I can not do it via osquery configuration, correct me if I’m wrong. On some servers osquery cpu utilization is high because of lot of process syscalls.

Hi, Are there any plans to support IMDSV2 instead of IMDSV1 for aws instance metadata. Most of accounts today disable the use of IMDSV1 due to security issues

Hi all, when it comes to the watchdog, all its flags (watchdog_level, enable_extension_watchdog, etc...) need to be configured in the flags file? Meaning, i cannot configure them in the config tls endpoint, am i right?

Howdy folks. how can I upgrade an osquery agent without launcher? Lets say I only want to upgrade one of the endpoints to a specific version. Could I simply execute the binary from that version?

Hi, I’ve some decorators configured (remote tls config), however, scheduled queries are not sending all expected decorators, the config is:

spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info
        - SELECT hardware_serial FROM system_info LIMIT 1
      always:
        - >-
          SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY
          time DESC LIMIT 1
      interval:
        '3600':
          - SELECT hostname FROM system_info LIMIT 1
...

I’ve also restarted osqueryd, and tried to remove the DB before restarting, is there anything I can do to know which decorators it is considering or the cause of the issue? I may add that it is working for two other hosts and they are using the same configuration 🤔 It is only including the `hostIdentifier`in the scheduled query results (I guess it’s the default?) thanks!

Does anyone have a bash script (macOS/Linux) and/or powershell/batch script that updates osquery endpoints with a flagfile I ran the "newer" exe and it still didn't update.

Good morning to all. Is it possible to retrieve wifi info in linux platforms with osquery 4.8 like in macOS with wifi_status table?

Hi everyone. We've noticed that our osquery clients are opening and tearing down connections each time they check in on the distributed interval. We have

tls_session_reuse: true

. Is that only for the logger perhaps? It's surprising to me that we have constant sessions up and down - this is currently 5000 per min and will go even more crazy as we scale.

i dont know how it takes, i guess that if i enable the tls_dump, it would take until i see the response?