hello osquery team, i have a question in setup.py file. The host where i am trying to deploy this doesn't have internet. while running

sudo python setup.py install

its contacting internet to fetch these packages and just gets stuck. these packages are already in the host. how do i avoid fetching these packages from outside? currently my install stops at

Searching for argparse>=1.1
Reading <https://pypi.python.org/simple/argparse/>

install_requires=[
          "thrift>=0.10",
          "argparse>=1.1",
          "future",
      ],

I want to change the yara.cpp source code, and I want to use the curl library, and for that I need to include some libraries, and I'm new to cmake. so should add the libs to the cmake.txt yara folder or to the the main cmake.txt?

hello could someone please help with this error

>>> import osquery
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "build/bdist.linux-x86_64/egg/osquery/__init__.py", line 33, in <module>
  File "build/bdist.linux-x86_64/egg/osquery/config_plugin.py", line 16, in <module>
  File "build/bdist.linux-x86_64/egg/osquery/extensions/ttypes.py", line 9, in <module>
ImportError: No module named thrift.Thrift
>>>

Hello team, I am new to OSQuery, I wanted to check if there are OSQuery APIs which can be invoked from a .net application. I am looking to get the process performance metrics such as CPU/memory etc... using OSQuery via an existing .net application.

facing this error. help appreciated

(osqueryvenv) python3 ./osquery_lldp_extension.py --socket /export/home/njamal/.osquery/shell.em
Traceback (most recent call last):
  File "./osquery_lldp_extension.py", line 25, in <module>
    @osquery.register_plugin
AttributeError: module 'osquery' has no attribute 'register_plugin'

Hi Team, We currently run Osquery 4.8.0 and planning for an upgrade. Wants to know the best stable build. We are looking to go for 5.5.1, any feedbacks here w.r.t 5.5.1?

Hey all, I saw that 5.6.0 released! will we update the schema on the site soon too? https://github.com/osquery/osquery-site/tree/source/src/data/osquery_schema_versions

Hi, Is there a way I can query for file-modification events which also gives the name of the process (or pid) which modified it ? I want this on windows platform. Thanks

Hi. How can I check if a password has been set for a system in windows or macOS client with osquery?? I would appreciate it if someone can help me find a related query.

Hi osquery team, could u help to explain what does watchdog_latency_limit mean?

Hey 👋, It seems I have an issue with the

systemd_units

table. I'm currently leveraging this table to make sure some services are running and be alerted otherwise. One of the use case is to monitor that we are

wazuh-agent

running. However, on a couple of machines, Osquery results is not reliable: Example: Wazuh is running on this machine (using systemctl):

systemctl status wazuh-agent
● wazuh-agent.service - Wazuh agent
   Loaded: loaded (/usr/lib/systemd/system/wazuh-agent.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-12-07 09:22:20 UTC; 19min ago
  Process: 19921 ExecStop=/usr/bin/env /var/ossec/bin/wazuh-control stop (code=exited, status=0/SUCCESS)
  Process: 19991 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=0/SUCCESS)
   Memory: 11.3M
   CGroup: /system.slice/wazuh-agent.service
           ├─20022 /var/ossec/bin/wazuh-execd
           ├─20075 /var/ossec/bin/wazuh-agentd
           ├─20094 /var/ossec/bin/wazuh-syscheckd
           ├─20119 /var/ossec/bin/wazuh-logcollector
           └─20138 /var/ossec/bin/wazuh-modulesd

However, Osquery does not see at all this service on the box:

osquery> SELECT id, description, active_state, sub_state, fragment_path, user FROM systemd_units WHERE id LIKE 'wazuh%';
osquery>

This behaviour is just present on few machines - on all others, it 's working as expected. Would someone know how can I debug this? Is there a solution? Thank you.

Hi! I just installed fleet server in a testing k8s cluster and on-boarded a couple of hosts using a generated .deb package for linux (orbit). The hosts report their basic details (disk, cpu, OS etc) just fine but additional info is not available and I see the following types of errors in the fleet server log:

level=error ts=2022-12-07T10:10:15.110183011Z query=fleet_detail_query_network_interface_unix message="distributed query is denylisted" hostID=1
...
level=error ts=2022-12-07T10:10:35.499363345Z component=http method=POST uri=/api/v1/osquery/distributed/write took=3.131795221s ip_addr=10.244.3.87 x_for_ip_addr=10.244.3.87 ingestion-err="ingesting query software_linux: update host software: get software: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" ingestion-err="ingest detail query: selecting app config: context canceled" err="error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || error in query ingestion || getting app config: selecting app config: context canceled"

For the first type of error, in osquery docs it states:

If the watchdog stops the daemon while a distributed query was running then such query will be denylisted from running for 24 hours.

However the host config using query shell

.show

offers the following:

Non-default flags/options:
  database_path: /opt/orbit/shell/osquery.db
  disable_events: true
  disable_logging: true
  disable_watchdog: true

So how can I prevent the NIC distributed query from being "denylisted"? For the second error, I really don't know where to start for help resolving software packages being available for the hosts in fleet server 🤷

Is there an easy way to test distributed queries locally? I'd rather not go through the process of connecting my dev build to a local fleet.

Hi 👋 , We are seeing a trend across our macos machines where the schedule counter for shell_history resets to 0 own its own. As a result, we keep getting duplicates old events into our logging endpoint. Can someone provide a guidance on how to start troubleshooting this? We havent been able to pinpoint the exact timestamp of the reset, and to guess what might caused this. In case it’s necessary, we are still running the older version of osquery - 4.x Thanks.

Related https://github.com/osquery/osquery/issues/6582 "Duplicate Events"

I have build my own osquery with new table, when I run she shell it works well also the new table. but when I run the service and I run query on him the service getting stopped and but gets the result from that query, and this problem happening from any query. when see at the logs I get the next error message: osquery extention "{my path of extention}" (-1) stopping Cannot find process. when I delete him from flag file it works well. but the thing that is strange that the extension did not make any errors to my old osquery version (4.8). @Kathy Satterlee

Hi. We occasionally have a problem when running the osquery shell on Windows. Normally, the queries we run take a fraction of a second. Occasionally (like 1 in 100 times) , they take a very long time (more than two minutes). Perhaps the only 'interesting' thing is that the osquery.exe is invoked from a service running as 'local system account'. We had at least one case where we had to reboot the Windows machine for the queries to take a normal amount of time. The queries (sent to

osquery --json

via stdin) were

select sha1 from certificates where store_location = "LocalMachine" and upper(sha1) = '0C40F468D84B158856FFD52406378E397C016EF2' ;
select key from registry where key = 'HKEY_LOCAL_MACHINE\SOFTWARE\xxxxx' and name = 'yyyyy' and data like '0' ;
select name from windows_security_products where type = 'Antivirus' and state = 'On';

Is there any known issue that might cause this to happen ? Is there a way I can debug this? This is with osquery 5.4.0 Thanks

any help to build mannualy osquery 4.8? how can I clone from github the source code

Hi folks, A question, we're trying to query certain additional event log books on Windows machines, to be specific a logbook section named VHDMP. Is this possible? If so, how would we do that? So far we tried to run queries against both "windows_eventlog" and "windows_events" tables but these seem to include only the primary logs such as system, application and security events.

👋 Hello, team! I am new to osquery. Tried osquery python extension to execute osqueryi commands and stuck on this error.

Could not connect to any of ['/tmp/pyosqsockndnbir6z']

My code was :

import osquery
 instance = osquery.SpawnInstance()
 instance.open()
 result = instance.client.query("SELECT interface FROM interface_details;")

Is the correct way or I am doing something wrong ?

On Windows Server 2022 Server the windows_security_products table is not showing anything. I took a quick look at the source code ... it seems that windows_security_products.cpp dynamically loads wscapi.dll ... I cannot find this file anywhere on the Server 2022 (though perhaps I misunderstand the code) According to the documentation WscGetSecurityProviderHealth is not present on a server operating system Is there a known limitation that windows_security_products does not work on server operating systems ?

Hi folks, I am using Wazuh to ship osquery results to my Wazuh cloud console but the Wazuh agent seems to get flooded with too many logs. When I investigate it looks as if the interval for the osquery packs run at the same time and might be the reason the Wazuh agent gets flooded with too many events per second. Can someone explain to me what "schedule_splay_percent": 10 would do to potentially fix this problem? The docs seem to suggest that it would not allow all the pack queries to run at the same time. Source - https://osquery.readthedocs.io/en/stable/installation/cli-flags/ and https://osquery.readthedocs.io/en/3.4.0/deployment/configuration/

Hello

Hi Everyone, Im builiding installers on a M1 mac and am unable to generate a msi. Getting the following error message

Generating your osquery installer...
Windows Installer XML Toolset Toolset Harvester version 
Copyright (c) .NET Foundation and contributors. All rights reserved.


=================================================================
	Native Crash Reporting
=================================================================
Got a UNKNOWN while executing native code. This usually indicates
a fatal error in the mono runtime or one of the native libraries 
used by your application.
=================================================================
wine client error:2a: 
=================================================================
	Managed Stacktrace:
=================================================================
=================================================================
write: Bad file descriptor
Error: package root files: heat failed: exit status 1

Another user had this issue earlier this spring and following the recommendations found here https://github.com/fleetdm/fleet/issues/5713 I tried

docker buildx build --platform=linux/amd64

but got the following error any suggestions?

ERROR: "docker buildx build" requires exactly 1 argument.

Hey all, anyone know if there's a way to monitor/identify file ownership changes? using the file_events table currently, which logs an entry as "attributes modified" for the given file object, however, this could be permission mode change, ownership, etc. Looking for something that would explicitly indicate ownership change

This message was deleted.

sorry can i use osquery to build an agent forwarding pod "software" for forwarding logs? emphasises on the "software" and if yes how can i go about it

hello, i need small help to setup osquery, i am unable to setup him .. getting error: osqueryd Pidfile check failed: Pidfile:Error:Busy i am trying to setup him with wazuh ...

Hi osquery team, is there anyway to track memory consuming of osquery?

you havent been on in some time but hoping you might see this and check back if you worked around this. i have the same problem