or are you guys deploying it to internal infrastructure with the intention of eventually making it a full release once it has been validated as stable?

Maybe someone knows when will be release 3.3.0 ?

Good afternoon. I have a question around auditd and osquery. At my org they run qualys and on Linux qualys relays on auditd for its FIM capabilities. If I understand correctly osquery requires exclusive use of the audit netlink socket which is what qualys also uses for FIM. Is there a way for these two things to live happily on Linux. Yes we can use osquery for FIM and disable it in qualys but that is not the direction the powers that be choose. Instead if we use qualys FIM I fear we lose all the event tables.

Any idea why?

Good morning, relatively new Kolide Fleet user. I have been testing it out in my organization and it's awesome. However, I do have one question. Just onboarded my Mac and it connected initially but is now always showing up offline. Would anyone have any guidance/suggestions as to why it's offline?

Morning all, I'm seeing lots of file events that seem identical for a path I'm trying to exclude. Where's a good place to ask this kind of question?

curious if folks here are only using osquery as virus detection for macs, or if other solutions are in place, too

True, no I agree there. So maybe a good approach would be get a good tool in place to actively listen for threats, and then use osquery on top of that

I'm sorry but is there anything I can help with https://github.com/facebook/osquery/pull/4982 ? We'd like to have it landed before rolling out a new version in our company 🙂

I was wondering if anyone has used osquery to verify that a component/software has been digitally signed using a recognized certificate that is recognized and approved (in linux ubuntu servers)...

Does anyone know how to do a conditional query on 1 table if data exists in another? I created 2 tables, location and speedtest. if you run a query against speedtest it will run the test so I don't want to query against it unless certain conditions are met. IE if (select location = 'somewhere') Then (select * from speedtest). The location and speedtest tables do not share any common attributes, and there will be a lot of other conditions added in the future so I don't want to have to modify the speedtest table to include additional common attributes down the road. I can make it work using a case statement, but it will only work for 1 attribute in the speedtest table. I need to be able to pull all values. Example: SELECT location, CASE location WHEN 'Building R (Wireless)' THEN (SELECT download FROM speedtest) ELSE 'skipped' END download FROM location Will return hostname | download | location <host> | 601.34Mbit/s | Building R (Wireless) But I need all the attributes out of speedtest, which include latency, upload, etc. Using the case statement I would have to create an additional case for every other attribute which would mean the speedtest would run multiple times. Any ideas?

@clong Recently ran across your detect-responder ext (https://github.com/clong/detect-responder). Outside of this extension, have you/anyone else found any other way to pickup LLMNR-poisoning artifacts with osquery?

is it possible to run a query everytime an endpoint changes the ip address? is there a sort of this kind of event?

I have a question for the group about OSQuery timestamps, in particular Im trying to understand the timestamps for respective command line entries in the shell_history table Sometimes I get data back that has an empty string for the

time

value. If 0 is the default why would this show as empty?

""

This is causing problems for us because we are receiving alerts on command line events that realistically occurred more than 1 year ago and have already been worked and triaged, but we can't make that determination just by looking at the shell_history table. We have thought about using file integrity monitoring on shell_history files in order to get access to the file_events table data and combine the two tables to give an idea about the last time the shell_history file actually modified, but this seems like overkill and I was hoping someone might have a more elegant solution.

this needs to be merged for the dl link to be fixed https://github.com/facebook/osquery/pull/5099

I'm using tls logger and I receive a lot of logs with "log_type": "status" in its JSON (with one scheduled query, each 5 seconds I receive one message) . I have tried to avoid sent status logs with --logger_min_status=10 or --logger_min_status=1 as @theopolis said in several messages. I have enrollment disabled. I want to receive results and snapshot logs only. I don't know how to disable status logs only. Any idea?

I'm using tls logger and I'm reciving tons of logs like this

@fmanco @thor any updates around a stable release that addresses the extension issue in 3.3.0?

afternoon all. does anyone know the best way to get results from snapshot logs to show in kibana as seperate fields? this isn’t an issue when you do differential logging as the results are logged as columns and show as individual fields in kibana. Unfortunately, when using snapshot logging the results are logged as an array

Thanks man, I'll try and take a look today when I get some time

I’ve been using env vars to configure extensions, even though I know that flag to parse the extra options is now in the json

I can't speak for the content of the course, but I've signed up to offer to review it :-)

“severity”:“1",“filename”:“events.cpp”,“line”:“311",“message”:“Expiring events for subscriber: windows_events (overflowed limit 50000)“,”version”:“3.3.0”

im pretty sure linux deps are installed with linuxbrew: http://linuxbrew.sh/

Hello, Has anybody figured out a solution for this issue: Also: https://github.com/facebook/osquery/issues/4729 and : https://github.com/facebook/osquery/issues/4854 My specs: OS: Windows Server 2008 I'll also attach the C:\ProgramData\chocolatey\logs\chocolatey.log here Thanks!

Hey @Evgeny Sidorov, Will try and get you a review today!

AFAIK, capsule8 has ebpf input on linux so probably more efficient and larger coverage than osquery but with more hands-on work. they had nice blog posts about spectre/meltdown discussion based on cache miss

I am excited to announce that Kolide is offering osquery training courses this Fall (I will be the lead instructor 🤓). The trainings are two days, with one located in NYC in October (17-18), and the other located in SF in November (13-14). Check out our event for details: https://www.eventbrite.com/e/kolide-osquery-workshop-tickets-50401038864

@stefanmaerz check the read the docs (https://osquery.readthedocs.io/en/stable/installation/cli-flags/) they have a bit more detail, but the short of it is that there's a time element associated as well