👋 Hi everyone!

I am new to osquery, I am trying to get my server Syslog from osquery using Syslog-ng. I tried by adding the below in Syslog-ng.conf file, however, am getting data till the syslog_pipe file. but not able to fetch it using osqueryi =================== # Reformat log messages in a format that osquery accepts rewrite r_csv_message { set("$MESSAGE", value("CSVMESSAGE") ); subst("\"","\"\"", value("CSVMESSAGE"), flags(global) ); }; template t_csv { template("\"${ISODATE}\",\"${HOST}\",\"${LEVEL_NUM}\",\"${FACILITY}\",\"${PROGRAM}\",\"${CSVMESSAGE}\"\n"); template_escape(no); }; # Sends messages to osquery destination d_osquery { pipe("/var/osquery/syslog_pipe" template(t_csv)); }; # Stores messages sent to osquery in a log file, useful for troubleshooting destination d_osquery_copy { file("/var/log/csv_osquery" template(t_csv)); }; # Log path to send incoming messages to osquery log { source(s_src); filter(f_auth); destination(d_auth); rewrite(r_csv_message); destination(d_osquery); #destination(d_osquery_copy); }; =================== One more thing is; Also, I have made changes in osquery.conf to enable FIM. When I tried Syslog-ng(client-master server), if disable FIM am getting data from the client machine for 'select * from Syslog;' in the master server machine. If enabled, no data for Syslog-ng(client-master server) or for the Syslog-ng(for my own server) Could any one help me to figure this out.

Hi, Could any one help me to resolve the below error: osquery> select * from syslog; osquery> E0901 095102.788415 12938 udev.cpp:89] udev monitor returned invalid device: No buffer space available

@zwass am trying to get syslog entries via osquery, for that I have integrated syslog-ng with osquery. I was able to get the syslog table, how ever not as non-root user. Hence I tried the below to get it :

sudo useradd -r -s /bin/false <username>
sudo systemctl stop osqueryd
sudo mkdir /var/run/osquery
sudo chown -R osquery:osquery /var/osquery
sudo chown -R osquery:osquery /var/run/osquery
sudo mkdir /etc/systemd/system/osqueryd.service.d
cat << EOF | sudo tee /etc/systemd/system/osqueryd.service.d/nonroot.conf
[Service]
User=<username>
Group=<username>
AmbientCapabilities=CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
PIDFile=/var/osquery/osqueryd.pidfile
EOF
echo "--pidfile=/var/osquery/osqueryd.pidfile" | sudo tee -a /etc/osquery/osquery.flags
sudo systemctl daemon-reload
sudo systemctl start osqueryd

After this as a root user and non-root user I was able to fetch syslog data, however, after some time I start to get the error as I shown above : and no data obtained for syslog till now(both as root and non-root user. E0901 110339.587262 10114 udev.cpp:89] udev monitor returned invalid device: No buffer space available

This message was deleted.

Hi all

I am facing the issue: Extension socket not available: /var/osquery/osquery.em when try to execute below cpp program!.. int main(int argc, char* argv[]) { osquery::Initializer runner(argc, argv, ToolType::EXTENSION); auto status = startExtension("example", "0.0.1"); if (!status.ok()) { LOG(ERROR) << status.getMessage(); runner.requestShutdown(status.getCode()); }} requesting a help here

for ur ref: https://osquery.readthedocs.io/en/stable/development/osquery-sdk/

Another Query !... How to write the C++ Query to get fetch the list of users from the system ? like select uid from users; (edited) require a help for even the above issue.

I am getting empty pid list when invoked the code: osquery:tables:pidsFromContext(pidsContext, false); Could someone suggest a way to proceed ?

Even I am getting the error: Unknown registry plugin: ephemeral

Hi Everyone,

I have written a custom logger plugin for linux platform. But when I perform a complete cmake build (cmake --build . -j10), it does not generate library for the logger plugin. Also, there are no errors in the build and osquery executables are generated successfully. (Followed the build steps as per : https://osquery.readthedocs.io/en/stable/development/building/#linux-ubuntu-18) I have added the following code to /plugins/logger/CMakeLists.txt : -------------------------------------

generatePluginsLoggerShhlogger()

function(generatePluginsLoggerShhlogger)

add_osquery_library(plugins_logger_shhlogger EXCLUDE_FROM_ALL

shh_logger_linux.cpp

)

enableLinkWholeArchive(plugins_logger_shhlogger)

target_link_libraries(plugins_logger_shhlogger PUBLIC

osquery_cxx_settings

plugins_logger_commondeps

osquery_filesystem

osquery_utils_config

osquery_utils_conversions

)

set(public_header_files

shh_logger_linux.h

)

generateIncludeNamespace(plugins_logger_shhlogger "plugins/logger" "FILE_ONLY" ${public_header_files})

endfunction()

------------------------------------ I have observed that, it does generate some cmake artifacts related to this plugin in the "build" folder. Eg: "/build/plugins/logger/CMakeFiles/plugins_logger_shhlogger.dir". But, the cmake build does not generate symbolic link for the header file "shh_logger_linux.h" under "build" folder. For eg, I was expecting following symlink to be generated: /build/ns_plugins_logger_shhlogger/plugins/logger/shh_logger_linux.h. But 'ns_plugins_logger_shhlogger' was not generated. However, other default logger plugins do generate such symlink, eg "tls" logger plugin generates (/build/ns_plugins_logger_tlslogger/plugins/logger/tls_logger.h). Somehow, the cmake build is not building this plugin. Does anybody have any suggestions to resolve this ? (PS: I have observed the same behavior with plugins_logger_windowseventlog. Though, it produces some artifacts in "/build/plugins/logger/CMakeFiles/", it does not get built) Thanks Kunal

Hello, how are you, I hope you are well!
I deployed a fleet of which I deployed osquery agents. Getting to a certain number of agents, often when a new host is deployed, it downgrades another one from the list. I get the following errors on the output to the osquery server:

1/osquery/distributed/read","ts":"2022-09-05T152012.164277378Z"} Sep 5 152015 osquery fleet[69161]: {"component":"http","err":"authentication error: invalid node key: /uLuK4hiUVdU3hZVXS5dcivDzQFpwfAX","level":"info","path":"/api/v1/osquery/config","ts":"2022-09-05T152015.9287988Z"

Is there any documentation on creating logger plugin\extension for osquery ? I need to pipe osquery results to my extension without external storages like kafka

auto sw_vers = SQL::selectAllFrom("plist", "path", EQUALS, kVersionPath); kVersionPath = '/System/Library/CoreServices/SystemVersion.plist' fetchs the empty data. please look into this

please find the screenshot from the xcode for above related issue:

@Praveen Kumar in the future please ask a question only in one channel at a time

k, got it and hence forth putting my queries only in this channel.

I can't get os version from hosts windows. But if I use query to get os_verion, it's ok. Anything problem ? Fleet: 4.19 Osquery: 5.4 I created policy to get os_version. Status get back Yes. But I still can't get that information

For people located in the Bay Area, osquery@scale 2022 is coming up next week (Sept 14-15) at The Exploratorium in San Francisco! We have a great line-up of speakers from Stripe, Netflix, HashiCorp, FleetDM, and more. Tickets are still available! https://www.osqueryatscale.com/

What I believe to be a stock build and deb install on ubuntu 22.04 of the orbit and osqueryd has ~100 zombie sudo processes as children of the orbit process. I'm wondering what the cause of this is?

👋 Hi everyone! Wondering can perform yara rule scan using Fleet ?

I guess I’m going to hit up the information booth and tell Eventbrite the event wasn't where it was advertised and I need a refund if they still don't know about the event :(

did someone tried OSquery on EulerOS ?

Hey all! is there a way to query logd with osquery? my use case is the following, I want to collect launchd logs from an endpoint and send it to a centralized log management server, however, I want to enrich the launchd events with the username, by using the UID in the launchd event. any thoughts around this? may be a far stretch

Hello everyone! I was wondering: what should I exactly do for osquery to “recognise” a new publisher? I will explain: I have created a new publisher on the “model” of the auditeventpublisher. I have declared and registered it with

DECLARE_PUBLISHER

and`REGISTER` macros. Overridden all the virtual methods etc. Set it to return a failure status from

setUp()

so that I could see the “wiring” succeeding. I was expecting this to be enough but I don’t see it registered or even failing as expected. headdesk Nothing seems working. Any suggestion ?

Hi, I am a bit confused which is the latest stable version of osquery??? Github says 5.5.1 is the latest since 18th August. Website says 5.4 Chocolatey package was recently updated to 5.4 My linux servers are sourcing 5.5.1 from the repo

@Mystery Incorporated the latest stable is always the one marked as such on Github. The website is often updated later (due to a slightly separate process).

ok thanks