terracatta
07/22/2022, 6:08 PM
windows_eventlog and windows_events.
Let’s start with windows_eventlog. So we have disabled querying windows_eventlog in Kolide because there seems to be a bug in osquery that on many devices causes it to freeze and not recover until the system is rebooted. See issue https://github.com/kolide/launcher/issues/670. It’s possible this is no longer an issue and we can unblock this table, we will look into it!
For the other table, windows_events. Querying tables ending in _events in Live Query can lead to unexpected results. Sometimes by querying events this way you actually clear them out from the local agent. You can read more about the evented architecture in osquery here: https://osquery.readthedocs.io/en/stable/development/pubsub-framework/
Generally for evented tables, you want to use the Log Pipeline so that when the events table is queried, the results are captured and sent to a log destination.
We wrote a post about this topic but for Windows file events: https://www.kolide.com/blog/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide. The steps should be similar!
maxwhite
07/22/2022, 6:13 PM
Esteban
08/02/2022, 4:48 PM
{"caller":"launcher.go:133","err":"launching osquery instance: starting instance: could not calculate osquery file paths: extension path does not exist: C:\\Program Files\\Kolide\\Launcher-launcher\\bin\\osquery-extension.exe: CreateFile C:\\Program Files\\Kolide\\Launcher-launcher\\bin\\osquery-extension.exe: The system cannot find the file specified.","level":"info","msg":"interrupted","ts":"2022-08-02T16:42:40.1333351Z"}
Here's my build command:
.\build\package-builder.exe make --hostname osquery.dpsit.gba.gob.ar:443 --enroll_secret ******** --targets windows-service-msi --insecure --output_dir .
oneiroi
09/02/2022, 2:38 PM
~Library/Logs/DiagnosticReports), then an Augeas lens to parse the JSON values to catch these reports?
I've currently been solution-engineering something similar; I appreciate it may not be something you wish to comment on, however 😅
Ryan
09/21/2022, 1:39 PM
Thomas Stromberg
10/17/2022, 3:02 PM
Thomas Stromberg
10/20/2022, 4:06 PM
socket_events and process_events tables are populated on half of our Linux machines running Kolide, but not the other. It sort of follows Linux distribution boundaries:
• Ubuntu: Yes!
• Fedora: No
• Arch: Mixed
• NixOS: Mixed. One machine has data in process_events, the other doesn't. Both seem to only record systemd-timesyncd bind calls in socket_events.
One of the ones where none of the tables are populated is my personal machine, so I'm happy to investigate. Is it possible that the auditd rules installed by osquery could conflict with previously written configurations? I did check the output of sudo journalctl -t launcher but it didn't seem to give any indications.
terracatta
10/27/2022, 3:28 PM
Thomas Stromberg
11/04/2022, 12:41 PM
process_events.env_size from being populated? I have a query to find short-lived setuid overflow attempts, but the field is always NULL. I suspect it's a bug relating to env whitelisting, but wanted to save the osquery maintainers some hassle if it was a known Kolide-specific issue.
Konstantin
12/08/2022, 8:19 PM
rss
01/18/2023, 3:04 PM
SoxIn4
01/23/2023, 8:24 PM
rss
02/01/2023, 3:03 PM
rss
02/03/2023, 7:03 PM
Adam Connor
02/07/2023, 12:56 AM
rss
02/07/2023, 5:13 PM
rss
02/13/2023, 5:13 PM
rss
02/14/2023, 5:53 PM
Brandon Kurtz
02/23/2023, 11:12 PM
rss
02/24/2023, 8:43 PM
maxwhite
02/28/2023, 10:56 PM
rss
03/07/2023, 3:33 PM
rss
03/13/2023, 6:23 PM
rss
03/21/2023, 8:43 PM
rss
03/24/2023, 9:13 PM
rss
03/27/2023, 2:23 PM
rss
04/19/2023, 1:13 PM
rss
04/24/2023, 6:03 PM
rss
05/10/2023, 5:53 PM
rss
05/23/2023, 3:13 PM