@Daniel Bretón Suárez you're the best for shipping the long-anticipated unified log table! 👌 Thank you!

Hi there

I am facing the issue: Extension socket not available: /var/osquery/osquery.em when try to execute below cpp program!..

int main(int argc, char* argv[]) { osquery::Initializer runner(argc, argv, ToolType::EXTENSION); auto status = startExtension("example", "0.0.1"); if (!status.ok()) { LOG(ERROR) << status.getMessage(); runner.requestShutdown(status.getCode()); }}

requesting a help here

for ur ref: https://osquery.readthedocs.io/en/stable/development/osquery-sdk/

Hi team

Another Query !...

How to write the C++ Query to get fetch the list of users from the system ? like select uid from users;

require a help for even the above issue.

These questions are not macos-specific

k, got it

I am getting empty pid list when invoked the code: osquery:tables:pidsFromContext(pidsContext, false); Could someone suggest a way to proceed ?

auto sw_vers = SQL::selectAllFrom("plist", "path", EQUALS, kVersionPath); kVersionPath = '/System/Library/CoreServices/SystemVersion.plist' fetchs the empty data. please look into this. this is specific to macosx

please find the screenshot from the xcode for above related issue

Hello in github releases there is osquery-macos-x86-64 and there is osqueryd-macos-bare what is the difference?

ok how do I make the magical mdfind table do my bidding, this is the complement from the CLI that works:

mdfind -name pip- info

but no matter what iteration I try (kMDItemFSName, kMDItemDisplayName, glob's, spaces) I can't seem to get any results from mdfind.query, using @fritz's file table join syntax, e.g.:

> SELECT f.path FROM file AS f JOIN mdfind ON mdfind.path = f.path AND mdfind.query = "kMDItemFSName == 'pip-*info'";
> SELECT f.path FROM file AS f JOIN mdfind ON mdfind.path = f.path AND mdfind.query = "kMDItemDisplayName == 'pip- info'";

@allister it appears the infix

*

is contributing to the problem, you could maybe overcome this with an `&&`'ed argument:

SELECT * FROM mdfind WHERE query = "kMDItemFSName == '*pip*'c && kMDItemFSName == '*info'c";

The "simple syntax" no longer appears to be supported by the osquery

mdfind

table but works still in victor's earlier launcher implementation `kolide_spotlight`:

osquery> SELECT COUNT(*) FROM kolide_spotlight WHERE query = "-name pip- info";
+----------+
| COUNT(*) |
+----------+
| 10       |
+----------+

Ah, it was right under my nose! Thanks as always 🙇

Maybe I am misremembering, it is possible the simple syntax was never supported by

mdfind

and it was only in @groob’s

kolide_spotlight

table..., I can't find any changes since the initial introduction of

mdfind

that would have impacted it

perhaps it is something worth filing an issue to add support for

though i never wind up using the simple syntax because it is just a bit too magical for my tastes, I never really know how it will behave

what does the

'c

kindof-suffix represent?

👋 Anyone have experience with the new unified-log table? https://osquery.slack.com/archives/C08V7KTJB/p1664587105586999

@Brandon Kurtz what kind of experience are you looking for? What are you looking to accomplish?

I have been looking at the unified_log table and capabilities in version 5.5.1 and I have seen all queries get denylisted pretty quickly. I have the following query looking for xprotect actions in unified_logs:

select timestamp as time, datetime(timestamp, 'unixepoch') AS utc_time, storage, message, actiity, process, pid, sender, tid, category, subsystem FROM unified_log WHERE (sender = 'AppleSystemPolicy' AND message like '%ASP: Security policy%') and timestamp > -1;

This tends to either get denylisted on first run or on the second. Any thoughts on how to collect this and other data from unified_log without being denylisted would be appreciated.

Also, I’ve noticed that the cursor in the logs doesn’t seem to move forward, it always returns the first 100 rows (be it via shell or daemon)

@Guillaume Tagging you since you originally wrote this query 🙂 https://fleetdm.com/queries/antivirus-healthy-mac-os Do you know of an easy way to find out what the latest versions are?

wasn't there a feed at one point? I'm assuming you've seen the Howard Oakley/EclecticLight blog posts on the topic?