Hi Team, Iam using osquery, but i see osquery sometime get wrong primary_ip, it not get ens33,bond0,ens160... so osquery get docker interface. how to config for osquery get right primary_ip? Thanks

Hi team, We have been using Auditbeat for system calls. We are in the process of deploying Osquery for incident response and thus getting further visibility on servers. Long story short, we were wondering to throw away Auditbeat and only Osquery even for System Calls (execve for instance). For now, I have been comparing both and in a nutshell they are very similar in what we want to achieve (monitor execve system calls). It would allow us to have only one agent instead of 2 on servers. I have just a couple of questions for you and looking for return of experience: • What would be the pros of keeping Auditbeat for system calls and only Osquery for scheduled tasks? • The main thing missing from Osquery process_events while comparing it to Auditbeat is the Selinux context. We use those intensively for whitelisting and few others things. Do you know any ways to get those? (eg. Process name A, PID, Selinux Context). Thank you 🙂.

If I don't tell osquery.conf to load packs, does it load all of them or none?

Hi channel, does anybody had success collecting events for servers with a high volume of Windows events (i.e DCs) ? If so, would you be able to share what configurations you use to do so? I have tried several configurations but everything begins to behave flaky when events are over 300 EPS (or less sometimes) , if i move to something bigger (like over 1k EPS typically in WEC servers) then i run into the rocksDB issue like we talked in: https://osquery.slack.com/archives/C0FHNQ2N6/p1640173682046400 It would be awesome to hear if somebody is being able to solve this use case using vanilla osquery. We do

select * form windows_events

every 60 secs, and send that data via tls to our SIEM.

If I wanted to log from within an osquery extension, any advice on what I should use? Is there a way to insert log entries in using osquery's logger?

Any plan to integrate something like google rapid response (https://github.com/google/grr) in OSQuery? I would be amazing to get this type of functionality from osquery directly.

Hello channel, I have been checking event control flags and I have two doubts about the behavior of the event buffering. - I’ve seen that --events_expiry flag sets the time an event is going to be stored (i suppose in rocksDB) after being consulted until being deleted, but that means that if I never do a select on the correspondient table, is never going to be removed? (until events-max value is reached) - In the case I loose (for any reason) the connection with fleet, osquery is still working and pub-sub is storing events in rocksDB but when the connection is restablised how stored events and new events are sent? First the old ones and then the new ones? it does some kind of round robin? I suppose that is the first one since events works with event timestamp as offset but I’d like to know a bit deeper how it works. Maybe these are quite newbie/stupid questions, but I would like to know the behavior in both cases.

Hello! Ran into the following error, let me know if anyone knows how to fix it. Error: "dial unix /var/osquery/sock/osquery.em: connect: connection refused" I could see "/var/osquery/sock/osquery.em" was getting dropped frequently. When /var/osquery/sock/osquery.db is dropped the error went away, not sure what was causing this issue. The size of /var/osquery/sock/osquery.db was 473MB at the time when issue occurred, if that is relevant. Please help debug the issue. I have multiple machines failing for the same, hence need to find the root cause so that it doesn't happen again.

Hello all, can anyone please suggest if there is a way to get more debug logging from osquery beside

--verbose

? We use osquery with fleetdm and face this file carving issue. After creating file carving live query to carve several files, we obtain the carve ids and check the carve endpoint for results. Sometimes, several of the carve ids don't appear on the carve endpoint until a next carve query is requested. The verbose log on the osquery side just shows a bunch of

begin

and

block

calls, different number for 'failed' and 'successful' attempt.

Anyone using osquery for File Intergrity Monitoring? How is the actual detection/alerting done in practice? I've read the osquery documentation, but that hasn't really answered my question. I feel like I am missing part of the puzzle here

Hey there. Should expanding a table be a bug report or a feature request?

specs/darwin/sharing_preferences.table

does not currently include the recently added

AirPlay Receiver

option, but i'm not sure if that's a bug because it's not there (but should be), or if it's a feature request to get it added because it's a newer preference

Hi All How can I detect if an endpoint has full disk encryption, antimalware, antivirus and endpoint firewall using Osquery ?

I wonder if this is a bug or a feature? The command

select * from users

only comes up with local users, as the documentation states. Thus, anything I join it to (like

shell_history

) is similarly only local users. However, if you put in a where clause that calls out a specific username or uid, it'll grab information about non-local users (like myself, so easy to test). Is there some way to enumerate all the users?

hello is this the slack channel for Fleet or osquery?

Hi @ all

I guess with a "500: Oh, something went wrong" in the UI, #fleet is the correct channel?

@seph I want to enhance this request. https://github.com/osquery/osquery-go/issues/95 Could I open a pull request directly?

any thoughts on why my kernel_integrity table is missing? i checked your codebase and there was no reference to that string that but looks like maybe it’s a kernel module we might need to compile with some kind of option? maybe it works automatically on supported operating systems?

Hey I want to delete the older agent from my hosts but in windows i dont see it in add or remove programs. And new install is not upgrading the older one but doing a fresh new one as separate application. How do i remove old one now?

#general Can someone explain me the expected behavior when events_expiry flag is used in osquery config for daemon mode? we have set the value to 1800 sec and expected that the events store in tables like file_events, hardware_events to expire within in 30 min after the event has been read. But this is not happening in our system. Which events does this flag cater to ?

Hi! I'm trying to cross-compile to generate windows packages from Linux. I couldn't find any useful threads in the slack. Does anyone have successfully overcome this situation? Can someone share some resources?

Hello team, I created this rust library couple of months ago : https://github.com/abdulrhmanalfaifi/osquery-rs, it is a Rust wrapper that uses Thrift API to communicate with osqueryd socket to execute SQL queries. I use this library as a dependency to another project called Fennec : https://github.com/abdulrhmanalfaifi/fennec which is an artifact collection tool for *nix systems. Currently Fennec pack osqueryd into the binary and at runtime dopes it on the filesystem and execute it. Finally Fennec will use the library

osquery-rs

to communicate with osquery socket to execute SQL queries. I want to change the library

osquery-rs

from spawning another process to call the C API directly. To accomplish that I need to do the following: • Compile

osquery

as a library then statically compile it with the Rust wrapper • Figure out which function to call in the osquery API (I can use the same code used in the

osqueryi

) I have been working on compiling

osquery

as a library for weeks and I have came up with nothing. I do not have a lot of experience developing in C and C++. If you have any resources (open source projects compiling osquery as library, blogs, videos, etc) that might help it will be appreciated. If you want to discuss this more you can message me here or on twitter: https://twitter.com/A__ALFAIFI Thanks!

Hey folks 👋 We're seeing a bit of strangeness with Kernel soft locks due to

kauditd

since Kernel

5.4.0-1069.73

(Ubuntu AWS package). Looking at the change set it appears there was a patch to the Kernel which "penalises user space the same as the kernel when under pressure". The cause seems to be the Kernel change, but it seems we're hitting it on systems under load with osquery deployed. Systems running the same osquery version with Kernels prior to this release do not observe this behaviour. The patch set can be found here: https://www.mail-archive.com/linux-audit@redhat.com/msg15527.html Any suggestions? 😄

qweop[]

Hey everyone, I wrote a blog for people looking to build their first osquery table. In the post I create a new table that doesn’t currently exist in osquery for macOS. If there is a better channel to post this in, please let me know! https://www.kolide.com/blog/how-to-write-a-new-osquery-table

Is there a way to tell the size of a directory (on Mac)? I'm assuming I wouldn't %% inside a folder and then potentially walk thousands of files and sum them or something…

Hey folks! Raising this question again because I haven’t seen a clear answer in search history. Does osquery currently support the containerd runtime? If I have osquery installed as an rpm on a K8s node, would the

osquery_docker

tables work?

Noticed something odd yesterday: Osquery v5.2.2 is marked as stable/latest in both GH Releases [0] and the Project Site [1], but it looks like pre-release v5.2.3 was pushed to the S3 bucket containing hosting the apt/yum/et al repos. There is some additional details in GH Issue #7552 [2] where some folks are detailing mismatches between the repo indexes and .deb and .rpm files, leading to broken installs/updates. Any possibility for getting the pre-release version backed out of the hosted package repos until v5.2.3 is declared stable? [0] https://github.com/osquery/osquery/releases [1] https://osquery.io/downloads [2] https://github.com/osquery/osquery/issues/7552

Hi there... does anyone knows of an agent or ChromeExtension for ChromeOS devices?