https://github.com/osquery/osquery logo
Join Slack
Powered by
# general
  • y
    oh...
  • y
    apparently osqueryd and osqueryl will battle to set the owner for netlink
  • y
    got a few 
    I0720 14:00:55.600761 25136 auditdnetlink.cpp:648] Failed to set the netlink owner
    until I quit osqueryi
  • s
    Yeah the netlink socket can only be accessed by a single process
  • s
    That’s why auditd must be stopped for osquery to work
  • s
    technically there’s the audisp “plugin” for audit which multiplexes the events, but osquery is not using that
  • y
    ACK.
  • y
    auditd isn't even installed, but i'll try to remember to not also run osqueryi in parallel
  • y
    🙂
  • s
    I mean you can run osqueryi in parallel, just not to test audit events, and with that configuration enabled.
  • y
    yes we're on the same line.
  • y
    results file still empty 😞
  • y
    Got a few 
    Malformed syscall event. The saddr field in the AUDIT_SOCKADDR record could not be parsed: "00000000000000000000000000000000"
  • y
    osqueryi quit, osqueryd restarted after osqueri quit
  • s
    As far as I can tell it’s receiving events now, it just encountered an event that wasn’t sure how to parse correctly. There might be a bug, or the event (or even the actually API call) might’ve been malformed. That been said if now you try to create some socket events that match your query, they should be logged.
  • y
    hmm, I've made a few (half a dozen) curl requests to google just to test, still nothing.
  • y
  • y
    Not sure what's the best way to share logs
  • y
    Yeah, not that great at all.
  • y
    I think I'll share a gist.
  • y
  • s
    Something I realized, you’re querying the process_events table but you need to enable events for that table too with 
    audit_allow_process_events
  • y
    didn't have to on osqueryi
    1
  • y
    is that a flag?
  • s
    actually nvm, you’re right, the default is true
  • y
    Copy code
    $ sudo osqueryi --disable_audit=false  --audit_allow_config=true --events_max=50000 --audit_allow_sockets --disable_events=false
Using a virtual database. Need help, type '.help'
osquery> select action, process_events.path, cmdline, socket_events.status, remote_address, remote_port, datetime(socket_events.time,'unixepoch') from socket_events join process_events on socket_events.pid = process_events.pid;
osquery> select action, process_events.path, cmdline, socket_events.status, remote_address, remote_port, datetime(socket_events.time,'unixepoch') from socket_events join process_events on socket_events.pid = process_events.pid;
+---------+---------------+-----------------+-------------+-----------------+-------------+------------------------------------------+
| action  | path          | cmdline         | status      | remote_address  | remote_port | datetime(socket_events.time,'unixepoch') |
+---------+---------------+-----------------+-------------+-----------------+-------------+------------------------------------------+
| connect | /usr/bin/curl | curl <http://google.com|google.com> | in_progress | 142.250.200.238 | 80          | 2022-07-20 12:59:12                      |
+---------+---------------+-----------------+-------------+-----------------+-------------+------------------------------------------+
osquery>

$
  • s
    @Yassine CHAOUCHE could you try again with the daemon but with 
    --events_optimize=false
    ?
  • y
    spot on!
  • y
    AND, it was recording events
  • y
    the old curl commands are there.
1...575859...905Latest