@Zander Mackie by the way, another user might have the same issue; I’m briefly having a look at it in #ebpf. If you could report there what osquery version are you using, which distro and kernel. Thanks!

Hai All, I'm new to osquery. Can I execute osquery remotely on-demand? Or I need to login to the machine to execute the query? (Assume the remote system contains osquery and I'm having the privilege to login(ssh). And I'm not ready to run a service in the remote machine.)

general question, is there a way to define destinations based on a query pack in osquery?

Does anyone here have links from where I can download bare package of osquery which gives me osqueryd of version 4.7.0 , 4.8.0 after I unzip it. PS: I need it for Mac and currently I can only get it for 5.0.1 and not even 5.0.0 and 4.9.0, I mean I have to build it so, that is the problem.

Does anyone here have links from where I can download bare package of osqueryd for versions 4.8.0, 4.7.0 .

what is the --allow_unsafe flag for?

how to avoid using this flag, I was successful in turning osqueryd to xyz_daemon and now I have to use 

--allow_unsafe

 to add my daemon to the fleetDM server, I am looking forward to avoid this issue and solve it.

Hey folks, I was wondering whether

read_max

applies to all interactions that

osqueryd

may have with a given file - such as hashing, and on-demand yara scans ( triggered via snapshot queries)?

Hey Everyone, I just wanted to ask a quick question, as we love hearing stories from the community! How did you first get started using osquery? meep awestruck

Hello please see here because the query for python packages is returning different to the python packages installed on the device. https://osquery.slack.com/archives/C01DXJL16D8/p1630781846091900

<!here> I’m incredibly pleased to announce that 5.0.1 is stable on github. This release has several exciting changes, as well as some breaking ones. 🎉

Just noticed that the

osquery_packs

table doesn’t seem to be registering my shard settings correctly. I’m guessing this is a bug? Happy to file it.

[STD-DEV]16:48:00 root@si-i-02caa65087583c219 /home/zmackie # cat /usr/share/osquery/packs/testing.conf
{
  "testing": {
    "shard": 10, <<<--
    "queries": {
      "osquery_info": {
        "query": "SELECT * FROM osquery_info;",
        "interval": 86400,
        "description": "Information about the running osquery configuration",
        "snapshot": true
      },
      // This is a simple example query that outputs basic system information.
      "system_info": {
        // The exact query to run.
        "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
        // The interval in seconds to run this query, not an exact interval.
        "interval": 3600
      },
      "crontab": {
        "query" : "select * from crontab;",
        "interval" : "3600",
        "platform": "posix",
        "version" : "1.4.5",
        "description" : "Retrieves all the jobs scheduled in crontab in the target system.",
        "value" : "Identify malware that uses this persistence mechanism to launch at a given interval"
      }
    }
  }
}
[STD-DEV]16:48:23 root@si-i-02caa65087583c219 /home/zmackie # echo "select * from osquery_packs;" | osqueryi
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| name               | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+
| main               |          |         | 0     | 1                    | 1                    | 1      |
| base               | posix    |         | 0     | 1                    | 1                    | 1      |
| testing            |          |         | 0 <<< | 1                    | 1                    | 1      |
| osquery-monitoring |          |         | 0     | 1                    | 1                    | 1      |
+--------------------+----------+---------+-------+----------------------+----------------------+--------+

To keep things clean I had to reinstall 4.9.0 and run osqueryctl stop, then reinstall 5.0.1 and start osquery. Should there be functionality for the 5.x version to stop the older versions? Moving forward I will probably have a pre-flight that turns off 4.9 prior to installing version 5.

Hi folks. I’m making some changes to how we serve packages. This probably won’t break anyone, but if it does, please speak up!

Hi, has somebody been able to gather

Microsoft-Windows-DNSServer/Analytical

events with osquery? I have added the channel to the config but i do not seem to be able to get results. If i get the evenlog list via PS, the log does not show in the list but it does show in the Event Viewer UI.

Hi thanks for updating osquery.io to show v5.0.1 for download. Unfortunately the url https://pkg.osquery.io/windows/osquery.msi is still serving the older v4.9.0

👋 hey quick question for those who have used ATC json config files has anyone used them to query browser history? many of browsers use sqlite, so im trying to use ATC to query them it works fine for safari

{
    "auto_table_construction": {
        "safari_history": {
            "query": "SELECT id, url, domain_expansion, visit_count, daily_visit_counts, weekly_visit_counts, autocomplete_triggers, should_recompute_derived_visit_counts, visit_count_score, status_code FROM history_items;",
            "path": "/Users/%/Library/Safari/History.db",
            "columns": [
                "id",
                "url",
                "domain_expansion",
                "visit_count",
                "daily_visit_counts",
                "weekly_visit_counts",
                "autocomplete_triggers",
                "should_recompute_derived_visit_counts",
                "visit_count_score",
                "status_code"
            ],
            "platform": "darwin"
        },
    "safari_visits": {
            "query": "SELECT id, history_item, visit_time, title, load_successful, http_non_get, synthesized, redirect_source, origin, generation, attributes, score FROM history_visits;",
            "path": "/Users/%/Library/Safari/History.db",
            "columns": [
                "id",
                "history_item",
                "visit_time",
                "title",
                "load_successful",
                "http_non_get",
                "synthesized",
                "redirect_source",
                "origin",
                "generation",
        "attributes",
        "score"
            ],
            "platform": "darwin"
        }
    }
osquery> select count(*) from safari_history;
count(*) = 8

but for chrome/chromium i get some issues

{
    "auto_table_construction": {
        "chromium_history": {
            "query": "SELECT id, url, title, visit_count, typed_count, last_visit_time, hidden from chromium_history;",
            "path": "/Users/%/Library/Application Support/Chromium/Default/History",
            "columns": [
                "id",
                "url",
                "title",
                "visit_count",
                "typed_count",
                "last_visit_time",
                "autocomplete_triggers",
                "hidden"
            ],
            "platform": "darwin"
        }
    }
}

osquery> select * from chromium_history;
W0916 16:46:23.718451 315801088 auto_constructed_tables.cpp:47] ATC Table: Error Code: 1 Could not generate data: Could not prepare database for path /Users/%/Library/Application Support/Chromium/Default/History

same error for the Firefox history.sqlite file too im not sure its a bug or user error? it looks similar to the issue at https://github.com/osquery/osquery/issues/5225 but im not 100% sure ? just curious has anyone been able to use ATC with browser history like chrome/chromium or firefox? thanks

It seems that python packages on linux are not being updated in the table, when I run the query to list python packages, it returns a list containing old packages that have since been updated and doesn't show the new ones. it's like super broken.

Can you use two different configuration types? For instance, if I want to use filesystem and TLS is this possible?

Yup. I’ll just add an rm for the /usr/local/bin osqueryd. I already have a preflight that turns off osquery using osqueryctl before dropping 5.0.1 to disk. I wasn’t sure if there was a desire to keep a symlink in place to the old binary location.

Hi! https://github.com/osquery/osquery/pull/7315 failed for reasons that I don't think have anything to do with my changes and that seem like they're probably transient?, so I thought I'd come in here and ask if the correct thing to do is to retry the checks, and if so how y'all tend to do that around here? (Like normally and amend and force push the latest commit, but some places don't like that sort of shenanigans.)

I'm trying very hard to understand https://github.com/osquery/osquery/pull/6982 and what, exactly, it breaks, and I'm having some trouble.

There is a dump database switch in the latest versions of osquery, it's really useful!

can you try again with --verbose? may print some additional information

Is there anywhere to gather a list of SCSI devices on a Linux system? It'd appear that it's in https://osquery.io/schema/5.0.1/#disk_info but that's for Windows only?

anybody has an idea of how i can query users that are logged_in for more than 8 hours?

is there a way to find users that are logged in to multiple windows machines at once ?

this is dumb, but is there an invite link I can give someone to join this slack?

Hi guys, I was searching to find a way to add UNICODE support to my osquery extension. I know that osquery supports Unicode from (v4.5.0) but does it support Unicode for extensions too? if yes, then how can I configure it to support Unicode?

I've been looking through Fleet's standard query library, but I was curious if anybody has a recommendation on a query that they can't live without? 👾