is there any good way to clear my config? I'm trying to get fleet preview running and im trying to unbreak what I broke locally

Hi Team, --distributed_interval= parameter will delay the live query being executed from fleet or this will only affect the periodic query scheduled?

Hi, I'm experiencing issues with osquery 5.3 when requesting HTTPS site with curl. With osquery 5.2.2 this just worked. With osquery 5.3 I receive this error:

W0617 13:30:39.820879  5988 curl.cpp:83] Error making request: certificate verify failed

With osquery 5.2.2 I do not see this error. Not sure what's going on. The HTTPS resource requested uses the same certificate as osquery is communicating to for reporting its results / logs. Any help appreciated.

Is it possible to use osquery to collect Mac logs and send them to Sumo logic?

Hi, I'm sure this question is played out but does osquery run on Raspberry Pi? Apparently it's asked enough that google pulls up conflicting answers, many over 5 yrs old. Thanks for your time

Hey all! quick question - Why are we adding the

arch

to the

name

here if we already are extracting the

arch

here ? - Thanks!

Hi! We stumbled on the issue with our usage of osquery and found that there are already a couple of trackers: https://github.com/osquery/osquery/issues/7586 https://github.com/osquery/osquery/issues/7602 Looks like it is marked for completion by 5.4.0 (by June 30th) which is fairly soon. Is anybody working on it?

I am being encouraged to NOT file an issue with a question on github, so… Here's a weird, basic-feeling blind spot: Ubuntu does not have a 'patch' field in its os-release output, and so osquery initializes integer 0 and that becomes the value. The patch level is present in the full, all-caps "VERSION" string output with a whole bunch of info, (e.g. "20.04.4 LTS (Focal Fossa)") but the os_version table doesn't bend over backwards attempting to parse it out of there. Should I file a feature request to fix it?

Nicholas Anderson, I trust you are storing your publishing cert safely lol

And thank you for signing the package so I can pin to a publisher 😄

Hi, I'm trying to figure out local Admins on Windows endpoints but I'm struggling because osquery only returns local accounts. User accounts from the domain are missing. Here is the query I use:

SELECT * FROM users JOIN user_groups ON users.uid = user_groups.uid WHERE user_groups.gid = 544;

A quick look at the user_groups table reveals that only local user accounts are related to local groups.

SELECT * FROM user_groups;

Am I missing something?

Hi guys,

I want to build a my own library with osquery sdk in c++, is it possible for anyone to guide me

Hi, I have noticed some incoherence in the system_info > hardware_model values between intel and apple silicon macs. On apple silicon, the result is the verbose name “Mac mini” instead of the code name “Macmini9,1". Looking at the code, this is because IOKit product-name is used, and on apple silicon, even fetched from a different level. Any reason why the IOKit “model” property is not used ? It seems to return the same kind of values on both platforms, without having to look at different places.

test command:

ioreg -p IODeviceTree -n device-tree -d2

on an intel mac:

ioreg -p IODeviceTree -n / -d2

Howdy all….on the topic of plugins, I know I can use a custom plugin for config, logger, and distributed queries, but I am having a hard time finding any docs on how to register a custom carve plugin. Can anyone point me to that please? Thanks! (specifically, I am looking to change how the carved file gets exported off the system)

thanks!

hello. i configured osquery to use the aws_firehose logger plugin (

--logger_plugin=aws_firehose

). it had been working fine for a couple years, but i recently started seeing the following in the logs:

<snip> aws_util.cpp:223] Exception making HTTP POST request to URL (<https://firehose>.<region>.<http://amazonaws.com|amazonaws.com>): certificate verify failed
<snip> aws_log_forwarder.h:219] aws_firehose: Successfully sent 1 out of 1 log records

i confirmed that the cert has not expired. despite the log line saying that logs were successfully sent, they do not actually end up in aws_firehose. i found this bug, which appears to be related. the bug has been closed, but i guess the fix won’t hit until milestone 5.4.0? while waiting for 5.4.0 to be released, do i need to downgrade to 5.2.3? is there anything else i can do in the meantime?

👋 Hi everyone!

Hi guys, question about osqueryd. osqueryd seems to depend on SysV to be enabled (chkconfig package is required to be installed), however it starts just fine. This doesn't really make sense to me. osquery should be able to be enabled through systemd if it can be started through systemd. Does anyone know why this is the case? Is this a potential bug or is there a workaround? I would prefer to not use SysV.

[jordan ~]$ sudo systemctl enable osqueryd

Synchronizing state of osqueryd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.

Executing: /usr/lib/systemd/systemd-sysv-install enable osqueryd

Failed to execute /usr/lib/systemd/systemd-sysv-install: No such file or directory

[jordan ~]$ sudo systemctl start osqueryd

[jordan ~]$ sudo systemctl status osqueryd

● osqueryd.service - The osquery Daemon

Loaded: loaded (/usr/lib/systemd/system/osqueryd.service; disabled; vendor preset: disabled)

Active: active (running) since Wed 2022-06-22 09:55:31 UTC; 5s ago

Has anyone built an extension in C#? I think it is possible as Thrift supports it from my reading, but then I can see that it says the extension must import the core code which is c++ so can it be done?

👋 Hello everyone

👋 Hi everyone!

Hi Team, Is there a way we can make use of osquery in a kubernetes environment which runs as a container? As I see, even if we run it as a container, the scope of query will be limited to the pod it is running. Is there a way we can avoid this, are there any guidelines or documentation for containerising the osquery?

Morning all - I am testing this extension and running into what I thing is an issue. I have added a log line at the beginning of GenerateConfigs, and I am only seeing that function run once. I expected to see it run every `--extention_interval`….does anyone have any ideas where I am going wrong?

Hello all, does anyone know what table I can use to get more information on Apple Silicon boot process? for intel I'm using the platform_info table however it appears the booting process for silicon chips is independent of EFI/BIOS/etc. when i run

SELECT * FROM platform_info;

on M1 host, i get no results

Hi Everyone, a QQ if I may,

SELECT bundle_short_version FROM apps WHERE bundle_identifier = 'com.google.Chrome' AND bundle_short_version < '103.0.5060.114';

returns 0 results, whilst,

SELECT bundle_short_version FROM apps WHERE bundle_identifier = 'com.google.Chrome' AND bundle_short_version < '103.0.5060.999';

returns :

+----------------------+
| bundle_short_version |
+----------------------+
| 103.0.5060.53        |
+----------------------+

Visually

103.0.5060.53

is less than `103.0.5060.114`yet using the boolean operator does not seem to follow this logic 🤔 . I'm presuming something is awry with my version comparison, any directions would be most appreciated, thank you 🙇‍♂️

I assume the version strings' data types are all strings, and a

<

comparison isn't possible (without someone more clever with SQL than myself)

yeah, maybe stripping the dots would help it to consider it as a number (or even explicitly CASTing to it)