https://github.com/osquery/osquery logo
Powered by
#general
  • j

    JD

    07/18/2022, 11:14 AM
    Hello, i’m just learning about osquery and had a question: is there a way to get processes which share runtime using osquery?
    f
    • 2
    • 10
  • y

    Yassine CHAOUCHE

    07/18/2022, 11:53 AM
    👋 Hi everyone!
    👋 3
  • n

    nick fury

    07/18/2022, 4:57 PM
    hello! i have writen mine yara table that scans all the procces at my comuter, it works well when watchdog is disabled, but when he is on he is restarting my oasis procces, do you have any solution to this problem without disabling the watchdog?
    s
    • 2
    • 1
  • n

    nick fury

    07/18/2022, 4:58 PM
    at windows
  • s

    seph

    07/19/2022, 9:20 PM
    5.4.0 is stable. 🎉 should be in the repos, I still need to update the website.
    🎉 1
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:44 PM
    Hello again
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:44 PM
    I have a little question regarding my config, it seems same config works with osqueryi but not osqueryd regarding events
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:44 PM
    Here's my flags file
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:45 PM
    Copy code
    # cat /etc/osquery/osquery.flags
--audit_allow_config=true
--audit_allow_sockets
--disable_audit=false
--disable_events=false
--events_max=50000
 #
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:45 PM
    Here's my config file
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:45 PM
    Copy code
    # cat /etc/osquery/osquery.conf
{
    "schedule" : {
        "net.connexions" : {
            "query" : "SELECT action, cmdline, socket_events.status, remote_address, remote_port, local_port, datetime(socket_events.time,'unixepoch') as time, socket_events.time as epoch FROM socket_events JOIN process_events ON socket_events.pid = process_events.pid WHERE remote_address NOT IN ('127.0.0.1');",
            "interval" : 10
        }
    }
}
#
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:46 PM
    The flags and the query work on osqueryi
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:46 PM
    but on osqueryd I get the following error lines in the logs
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:47 PM
    Copy code
    # cat /var/log/osquery/osqueryd.INFO
Log file created at: 2022/07/20 12:45:44
Running on machine: ychaouche-PC
Running duration (h:mm:ss): 0:00:00
Log line format: [IWEF]yyyymmdd hh:mm:ss.uuuuuu threadid file:line] msg
I0720 12:45:44.297425 20782 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0720 12:45:44.297636 20782 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I0720 12:45:44.297663 20782 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
E0720 12:51:56.921167 20900 udev.cpp:89] udev monitor returned invalid device: No buffer space available
#
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:47 PM
    I'm not using bpf/inotify, only sockets_events
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:48 PM
    auditd is not installed on my machine
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:48 PM
    Copy code
    # auditd
The program 'auditd' is currently not installed. You can install it by typing:
apt-get install auditd
#
  • s

    Stefano Bonicatti

    07/20/2022, 12:48 PM
    @Yassine CHAOUCHE the logs starting with a capital 
    I
    are not errors; those messages are just telling you that those publishers have not been enabled, as requested by the configuration
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:49 PM
    Oh, OK. I shouldn't bother then.
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:50 PM
    osqueryd.results empty though
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:51 PM
    First time trying osqueryd, just used osqueryi to prepare the sql statement and now I'm trying to have osqueryd run it.
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:52 PM
    I started learning about this like 2 weeks ago or so, I'm not very familiar with it yet.
  • s

    Stefano Bonicatti

    07/20/2022, 12:52 PM
    You might want to try to run the the daemon from the shell (as root or with sudo), with 
    --verbose
    and see if there’s additional information there.
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:53 PM
    nice tip thanks.
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:53 PM
    stopping the main daemon first w/ osqueryctl stop
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:54 PM
    socket events disabled by configuration?
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:54 PM
    Copy code
    root#ychaouche-PC  13:53:10 ~ # osqueryd --verbose
I0720 13:53:31.541921 24652 init.cpp:363] osquery initialized [version=5.3.0]
I0720 13:53:31.542140 24652 system.cpp:390] Writing osqueryd pid (24652) to /var/run/osqueryd.pidfile
I0720 13:53:31.542264 24652 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0720 13:53:31.542379 24652 dispatcher.cpp:78] Adding new service: WatcherRunner (0x560368cffa18) to thread: 139940879791872 (0x560368c985a0) in process 24652
I0720 13:53:31.543812 24653 watcher.cpp:674] osqueryd watcher (24652) executing worker (24654)
I0720 13:53:31.557133 24654 init.cpp:360] osquery worker initialized [watcher=24652]
I0720 13:53:31.557353 24654 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x55910dd436c8) to thread: 140281252464384 (0x55910dd4c9b0) in process 24654
I0720 13:53:31.557462 24654 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I0720 13:53:32.138518 24654 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55910de2ccd8) to thread: 140280602814208 (0x55910dd58360) in process 24654
I0720 13:53:32.138625 24654 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55910de042a8) to thread: 140280611206912 (0x55910dd58340) in process 24654
I0720 13:53:32.138716 24654 auto_constructed_tables.cpp:99] Removing stale ATC entries
I0720 13:53:32.138722 24768 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I0720 13:53:32.169941 24654 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0720 13:53:32.170172 24654 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0720 13:53:32.170205 24654 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I0720 13:53:32.170230 24654 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0720 13:53:32.183421 24654 events.cpp:70] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0720 13:53:32.197979 24654 eventsubscriberplugin.cpp:492] Found 1 events for subscriber udev.hardware_events
I0720 13:53:32.231513 24654 eventsubscriberplugin.cpp:492] Found 759 events for subscriber auditeventpublisher.process_events
I0720 13:53:32.231659 24654 events.cpp:70] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0720 13:53:32.232661 24654 events.cpp:70] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0720 13:53:32.233608 24654 events.cpp:70] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0720 13:53:32.246840 24654 eventsubscriberplugin.cpp:492] Found 1008 events for subscriber auditeventpublisher.socket_events
I0720 13:53:32.246949 24654 events.cpp:70] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0720 13:53:32.249785 24654 eventsubscriberplugin.cpp:492] Found 110 events for subscriber auditeventpublisher.user_events
I0720 13:53:32.298410 24654 main.cpp:104] Not starting the distributed query service: Distributed query service not enabled.
I0720 13:53:32.298446 24769 eventfactory.cpp:390] Starting event publisher run loop: udev
I0720 13:53:32.298477 24654 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x55910df6a828) to thread: 140281139685120 (0x55910e01aa20) in process 24654
I0720 13:53:41.300858 24770 scheduler.cpp:119] Executing scheduled query net.connexions: SELECT action, cmdline, socket_events.status, remote_address, remote_port, local_port, datetime(socket_events.time,'unixepoch') as time, socket_events.time as epoch FROM socket_events JOIN process_events ON socket_events.pid = process_events.pid WHERE remote_address NOT IN ('127.0.0.1');
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:56 PM
    I have 
    --audit_allow_sockets
    and 
    --disable_events=false
    in the flags file.
  • y

    Yassine CHAOUCHE

    07/20/2022, 12:57 PM
    Copy code
    I0720 13:53:32.246949 24654 events.cpp:70] Skipping subscriber: socket_events: Subscriber disabled via configuration
    Why?
  • s

    Stefano Bonicatti

    07/20/2022, 12:59 PM
    --flagfile
    doesn’t have a default, you need to provide it with the path to the osquery.flags file
1...565758...79Latest