Hey How do i change the log level from fleet config? Info level logs are creating too much noise. I want to shift to warning ones and above

Hi there, how often is the data received in the software inventory per device? 🤔

Hello. Curious what happens in this scenario with latest osquery: • osquery running loaded schedule of queries and forwarding events to AWS Kinesis • Network connection on endpoint is severed (e.g. wifi goes out) • osquery continues executing schedule of queries • Some time later network connection is restored Short of digging through code to find the answer can anyone tell me the expected behavior in that scenario in 5.2.2? I see logs written to osquery.results.log for the time of disconnection. Am I to expect the logs during inability to resolve the Kinesis endpoint to be transmitted at a later time? What about across a restart of osquery during the outage? Thanks in advance for any info or direction to Docs links on the subject.

This message was deleted.

Team, Anyone knows how to check open ports using OS-Query in Windows ??

Can anyone help me with how can I connect Fleetdm to plain osquery

Hi all, are there audit logs for usage available for Fleet by any chance? Couldn't find a reference in the docs

Hey again 👋 Just a note, with a CPU soft lockup issue I mentioned above. It appears that in Ubunut's 5.4 LTS Kernel two "new" linux-audit patches were bundled: • [RFC PATCH] audit: improve audit queue handling when "audit=1" on cmdline • [PATCH] audit: ensure userspace is penalized the same as the kernel when under pressure These first made it into the AWS, Azure, GKE, and GCP Ubuntu Kernels with versions greater than 5.4.0-1068. Unfortunately, this appears to have a detrimental impact on systems running osquery - or with audit rules installed which generate quite a lot of events. Under load we see kernels above this version reliably killing systems entirely due to CPU soft lockups.

kernel: watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [kauditd:22]

Downgrading to Kernel

5.4.0.1068.50

and rebooting the system with no other changes resolves the issue. Subsequent load spikes to not experience this issue. However, if we roll the Kernel forward to an "affected" version, we once again see the soft lockups.

Hey all, I'm getting an issue where I'm getting upwards of 50% CPU usage by the osquery daemon on windows domain controllers. running the daemon in verbose, it happens right after the following messages (and hangs there while the CPU spikes):

I0420 11:22:13.001909  6160 eventsubscriberplugin.cpp:492] Found 15 events for subscriber WindowsEventLogPublisher.powershell_events
I0420 11:22:13.533206  6160 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configuration

After which it gets stopped by the watchdog, and the whole thing repeats a few seconds later. Any insights?

Hi everyone, I've enrolled a host with fleet/orbit successfully. However, fleet doesn't succeed in fetching all vitals. The host in question is one of many Ubuntu systems I've enrolled in fleet. When running orbit in debug mode, I see a number of queries and their results. Even queries from fleet server are executed, e.g. Label queries. I ran most queries manually under "orbit shell" to understand if a query might hang but all queries worked fine. There are no errors in the log on the agent side. From fleet server perspective, the host has status Online. fleet is up to date about host's memory, processor type, operating system and osquery version. Other details such as disk available, software inventory and users stay empty. I'm also not able to run queries from within fleet UI. I do not see any errors in fleet server log, even when run in debug mode. There is no firewall in between host and fleet server. I also checked SSL certificates and API access from host perspective. It's all fine. I'm a little bit lost, as I have no idea what else to check or how to investigate this issue further. Any help / shared experience appreciated. Thanks.

is the augeas lens for json files not expected to work, and therefore kolide made their own extension/table for it? This is the weird area where osquery in theory doesn't want to infringe on privacy by being an all-purpose exfil/file reading util, but… just like how carving is behind a flag it seems like if augeas has the lens it should Just Work™, no?

I don't see a filter limiting the json.aug file… are there known paths it does work on, or is it that it's specifically missing that which is causing it to not work?

Hi, how do you identify an Active Directory Domain Controller? I've the following approaches in mind: 1. Check for Service "Active Directory Domain Services" in services table, if it exists (not necessarily started) its a Domain Controller. 2. Check if sysinfo.local_hostname matches ntdomains.domain_controller_name, if there is a match, its a Domain Controller. This assumes that a DC identifies itself in ntdomains. 3. Check if specific roles are installed. Not sure how to do this with osquery. The statement for 2) looks like this and it works in my environment.

SELECT 1

WHERE EXISTS (SELECT split(nt.domain_controller_name, "\", 0) AS dc, UPPER(sys.local_hostname) AS host FROM ntdomains nt JOIN system_info sys WHERE dc = host);

Any other ideas or experiences?

maybe this

SELECT * FROM windows_optional_features WHERE name = 'DirectoryServices-DomainController' AND statename = 'Enabled';

👋 Hi everyone! I have just installed osquery on Kali , but I can not get it to start up. I am trying to follow along with a Tryhackme room. Can anyone give me some insite?

Hi , does anybody know if the buffered events are sent in any specific order? In example, i have some hundreds agents collecting events (in this case, collecting from the

syslog_events

table). osquery is configured to send to a tls endpoint, and the tls endpoint stops working for 3 hours. Once the tls endpoint is responsive again, osquery starts sending data but, will it come in any order? Will it start sending older events first and newer after? Or will the order be random? Thanks!

Hey My fleet says i have few softwares with Vulnerabilities and it says its on 20 hosts. But when i click view host it dosent show any. On other it says 30 hosts and only show 2 of them?

I am facing this error and host is not online on fleet ?

hi everyone, we have a very old version of kolide fleet osquery running , we were looking at upgrade option , is the forked version compatible ? https://github.com/fleetdm/fleet ?

Can someone explain me how osquery detects if software is vulnerable or not? like are you checking with some open source database or something else?

hi everyone, how osquery finds some antivirus.

Error: fleetctl login failed: login received status 401 Authentication failed: Authentication failed

can anyone explain why i am getting this error

Hi, everyone. I’m facing some issues with the filesystem logging option, on which hopefully someone can shed some light: • In a fairly heavy load environment, I’ve set osquery to log all events from a Windows machine in the local filesystem as the only output. The result is a

osqueryd.results.log

file that grows in size very quickly. Ideally, the size of the results file should be kept under control. • I configured the -

-logger_rotate

and associated options to keep a maximum number of files and their respective sizes in a predictive way (e.g., 10 files of up to 250MiB each). This works well and I see the files created correctly, moving the older ones to the

.zst

archives, etc. • The actual problem is once I hit the total limits (maximum number of files and archives). As stated in the documentation, osquery drops the overflowing events. As much as this being the designed behaviour, I would expect the possibility for osquery to manage the housekeeping of the existing files, giving the choice of working as stated before -i.e., dropping any new events-, or automatically rotating the files, deleting the older ones and always logging newer events. • Furthermore, in the documentation, it is mentioned the possibility of older files to be removed but I’m not quite getting how this can be enabled… or if I’m interpreting this correctly. The actual reference in https://osquery.readthedocs.io/en/stable/installation/cli-flags/ is under the `--logger_rotate_max_files = 25`: “_[…] If a rotation happens after hitting this max, the oldest file will be removed_.“. So, the questions, after such long explanations, are: is rotated logs deletion delegated to external tools (as suggested, e.g.,, in here ? What are the recommended best practices in multi-OS environments (e.g., use task manager + cron)? Is there any chance this option to be incorporated into osquery e.g., as an extra flag to the baseline

--logger_rotate

functionality?

We are getting empty snapshots for Evented tables like process_events, file_events in Security Onion Fleetdm. Can anyone suggest some solution?

C:\Windows\System32\WDI\LogFiles\BootCKCL.etl or BootPerfDiagLogger.etl file seems to contain all exe, dll, sys file details that were launched at the time of the windows boot up. Would it be possible to get this information parsed via a OSQuery schema, if yes how and where to make that request? The information in the file could be useful to investigate persistence on a system if associated with booting up of the machine.

Hi folks, is it expected that the "Linux (x86_64)" download listed in https://osquery.io/downloads/official/5.2.2 contains debug symbols?

👋 Hi everyone!

Hi, I was trying to find information regarding data collection. Do you perhaps have any information about that? And maybe osquerys take on GDPR?

hello all trying to dive back into osquery. At previous jobs I've used tools such Zentral/Kolide/Fleet to deply manage however I've been tasked to see if its possible to send osquery logs directly to a SIEM like sumologic via an http endpoint? Is this possbile?