Hi everyone, does anybody know if osquery requires yara binary installed locally or it relies on builtin support via libyara ?

hey folks, asked about this in #windows but i'll ask here as well. Just updated osquery to 5.2.0 on windows, from 4.8, and my osquery.conf file is failing to parse. Just as a sanity check for myself, i took the FIM config example from the online docs, and modified it very minimally, and even that very basic config failed to parse:

{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM ntfs_journal_events;"
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "windows": [
      'C:\Windows\Temp\'
      'C:\Windows\Tasks\'
    ],
    "Users": [
      'C:\Users\%\'
    ],
    "osquery": [
      'C:\Program Files\osquery\'
    ]
  },
  "exclude_paths": {
    "windows": [
      'C:\Windows\Temp\test\'
    ],
    "Users": [
      'C:\Users\teddoro\test\'
    ]
  }
}

If I am using Fleet to send to a destination and it loses connectivity is there any sort of caching that goes on? I think perhaps it would stop removing results from the REDIS database - but I cannot find any information on how/when data is removed from there.

When I have a scheduled query that fails because of the watchdog process interrupting it for exceeding time or memory, where can I conveniently locate which query has failed? We've got numerous packs of scheduled queries, and it seems tricky to tease out which one's running afoul of the resource constraints.

Hey, I am facing a issue in windows deployment. I used same setting for linux and it works fine.  .\osqueryd.exe --flagfile=“C:\Program Files\osquery\osquery.flags” --tls_dump W0125 081321.274359 4444 tls.cpp:101] Cannot read TLS server certificate(s): fleet.pem W0125 081321.368111 4444 tls_enroll.cpp:101] Failed enrollment request to <domain> (Request error: certificate verify failed) retrying...

I'm getting an occasional 'no such table' error with some extensions, and wanted to test for that periodically. Is there a command-line flag version of

.connect

so that I can more easily automate this test?

Did the debian repo get rolled back from 5.1? Because I have a bunch of ubuntu hosts on 5.1 and others on 5.0.1 and it seems that 5.0.1 is latest on debian repo?

Hi everyone! Can someone help me please? I am doing some tests with Osquery on Windows 10 with some queries I tried to write by myself. These queries work alone when I use them with osqueryi, and also if I put them in the osquery.conf file in "schedule" section and the run osqueryd. The problem appears when I try to put in the schedule section more than one of them, like for example 10 queries. In this case when i run the daemon I cannot see any log in the results. If someone can help me, thanks a lot.

This message was deleted.

@seph Hi. Do you know if it's possible to bind yara table to

bpf_process_events

instead of a

file_events

? Idea is to scan

path

of a process if such process has valid path

We've got a centralized logging system. Especially when we have a rolling upgrade of osquery, it'd be really helpful to know in the logs which version of osquery they're coming from. Is there provision to add things to the logs, anyone know? I don't see any logging flags that seem to pertain.

Hi, Would someone kindly give me some advice on memory sizing of osqueyd? I'm trying to monitoring some Linux servers using osqueryd. During test at staging environment, some of the agent process restart frequently(every 5 minutes) due to excessive memory usage. The --watchdog_memory_limit is set to 300MB now. What should I consider to increase this threshold? Increase it from 300MB to 1GB may resolve the problem at staging environment. However, load of servers at production environment are higher than those at staging environment, thus I need a general method to decide a reasonable limit.

Hi everyone. Does anybody know how this message affects osqueryd ? I see couple dozens of such messages right after daemon start:

osqueryd[36060]: I0130 16:44:32.672724 36192 systemstatetracker.cpp:294] Created empty process context for pid 38689. Fields will show up empty
osqueryd[36060]: I0130 16:44:32.673085 36192 systemstatetracker.cpp:294] Created empty process context for pid 38691. Fields will show up empty

any documentation on what permissions osquery needs to run? working a strange case where osqueryi.exe on Windows 10 dies with exit code -1073741511 (0xC0000139), and no other message. Execution is being handled by an RMM, but it is running under LocalSystem/SYSTEM.

Hi everyone. For some reason, yara_events table events generated ONLY for first item of the 

file_path

 list, for the rest 

file_events

  are generated

{
    "file_paths": {
        "binaries": [                   
            "/usr/bin/%%",     <-- Yara events generated
            "/usr/sbin/%%",       # <-- file_events generated, but NOT yara_events!
            "/bin/%%",            # <--|
            "/sbin/%%",           # <--|
            "/usr/local/bin/%%",  # <--|
            "/usr/local/sbin/%%"  # <--|
        ],
        "configuration": [
            "/etc/init/%%", <-- Yara events generated
            "/etc/passwd",
            "/etc/shadow",
            "/etc/ld.so.preload",
            "/etc/ld.so.conf",
            "/etc/ld.so.conf.d/%%",  # <--  file_events generated, but NOT yara_events!
            "/etc/pam.d/%%",         # <--| file_events generated, but NOT yara_events!
            "/etc/resolv.conf",
            "/etc/rc%/%%",           # <--  file_events generated, but NOT yara_events!
            "/etc/my.cnf",
            "/etc/modules",
            "/etc/hosts",
            "/etc/hostname",
            "/etc/fstab",
            "/etc/crontab",
            "/etc/cron%/%%",         # <--  file_events generated, but NOT yara_events!
            "/etc/rsyslog.conf"
        ]
    },
    "yara": {
        "file_paths": {
            "binaries": [
                "eicar",
                "custom"
            ],
            "configuration": [
                "eicar",
                "custom"
            ]
        },
        "signatures": {
            "custom": [
                "/opt/osquery/yara/custom.yar"
            ],
            "eicar": [
                "/opt/osquery/yara/eicar.yar"
            ]
        }
    }
}

Hi all, any idea when/if 5.2.1 will become stable?

question about file carver:

carver_disable_function

and

disable_carver

both default to true. What happens if you set one to false? What is the difference between the two flags?

distributed_plugin=tls

is the default setting, but what are the other plugins?

filesystem

caused osqueryd to crash. context: I'm trying to test my config and queries locally without posting results anywhere, I haven't set a

tls_endpoint

because i just want query results to be saved to /var/log/osquery/osqueryd.results.log

@Divya

user_time

and

system_time

are in milliseconds,

wall_time

is in seconds. They are all cumulative among query executions

Has anyone ever thought about an extension that could make osquery work like an RMM so execute powershell scripts and stuff? Because it's halfway there with listing service status/running processes and such. Just do script execution and update management and now osquery is an RMM haha

confused about the

overrides

key. My osquery.conf file basically is in this format: options <stuff> file_paths <list of linux file paths> overrides platforms windows options <same stuff as above> file_paths <windows file paths> exclude_paths <windows file paths> darwin options <same stuff as above> file_paths <mac file paths> When i start my daemon on a mac, i only see the linux file paths being loaded. My config is syntactically correct, osquery isn't barfing on it.

👋 hey folks, I saw this video https://asciinema.org/a/302647 on

process_dns_events

table in osquery and I think I remember it being mentioned before in an office hours call, is this something that is/will be added to osquery?

Hi everyone. Does anybody knows which kind of address this is

00:02:08:10:60:00:00:00:00:00:00:00:00:00:88:82

(address redacted) ? I seed such addresses in bpf_socket_events remote_address field and are not recognized with usual utilities like nc, ping and so on.

Hi everyone, does anyone know if the following issue will be fixed? https://github.com/osquery/osquery/issues/6911

Does anyone know if

is_active

on the

running_apps

table is cached? https://osquery.io/schema/5.1.0/#running_apps

Hi everyone, Does anyone know query: SELECT * FROM last ,but table last only hostname, now i want to get more detail ipaddress, i see table "interface_addresses" have 2 columns: address and interface , how to query with last table has ipaddress. thank

Hi! Anyone have an idea why am i getting

Error: app_not_configured_for_user

from google SSO? Was following this instructuions Getting this error for any user: existing/non-existing, with/without SSO enabled

Hi everyone, I am a new cybersecurity user. For this reason I ask if there is an easy guide for using this tool

SELECT first_name || ' ' || last_name AS name

I am working on some queries using augeas, and notice a lens that needs a quick fix. I am not sure how the default lenses get built into osquery, could someone point me to the right place? (I want to fix the lens upstream so the next version of osquery has the right one)