i wrote a guide to installing osquery and go-audit in this mode here: https://medium.com/@clong/building-a-testbed-for-go-audit-osquery-ea4c0271b0c

@clippy good news is i got process_events to work on ubuntu (so faith restored in the tool!) Will need to continue to work on issues with Centos as that is where I intend to use it. Thanks again

@jaredl can you paste the output of --verbose? (you can just append that flag to your osquery.flags)

I am trying to bring process and socket events together. Socket audit (i.e. socket_events) already report the pid, so I thought I can easily match it with process audit (i.e. process_events). Although this works well in case doing a ping, it does not work in case of curling. From the curl example you can see that there was the pid 12425 being able to make a connect call to google on port 80. However, this pid does not appear in the process_events. Any idea what the reason is?

Executes and exits too quickly?

the TL;DR is that i can only semi-reproduce the issue on a VM. It seems to only affect osquery installs that have gone through a long upgrade chain. The good news is that downgrading seems to be a workaround that doesnt involve nuking the DB: https://github.com/facebook/osquery/issues/4615

anyone here ever use cgroups for osquery on linux? @8p8c i think possibly you mentioned this at some point?

As i understand it, process auditing only logs

execve

syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (

sethostname

,

settimeofday

etc)? in our case we're trying to follow CIS standards and the benchmarks for audit require more than

execve

.

Osquery isn't behaving the way I (naively?) expected it to. I'm testing this command: wget -q -O- https://gist.githubusercontent.com/keepwatch/758bdc149bd9e96930ff167a94a02850/raw/e891e9c7e84052e2cb1df03b84202cc316c71407/logb.txt | base64 -d | /bin/bash I was hoping to have some way to relate the initial and piped processes - wget, base64, and the second bash shell (executes the script). However, the process auditing events I received all have the same parent (the original bash shell where I ran this command), and I don't see any fields containing my pipe-separated command line (just the cmdline for each process). Are there any other ways (beyond time correlation) to determine that these processes are intimately related?

When I add "- -a never,exit -F exe=/usr/bin/osqueryd -S all" in goaudit.yaml and start process

Hi All below is my Flag file, for some reason I do not receive any event to my tls server. For some reason I am getting

Event publisher not enabled: syslog: Publisher disabled via configuration"

Any idea someone ? Flag File:

--watchdog_level=0
--watchdog_memory_limit=300
--host_identifier=uuid
--tls_hostname=kolide-server:443
--tls_server_certs=/etc/osquery/ca.crt
--config_plugin=tls
--distributed_plugin=tls
--logger_plugin=tls
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_tls_endpoint=/api/v1/osquery/config
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_tls_endpoint=/api/v1/logger
--config_refresh=300
--config_tls_max_attempts=20
--enroll_always=true
--disable_distributed=false
--distributed_interval=0
--enroll_secret_path=/etc/osquery/enroll
--database_path=/var/osquery/osquery.db
--pidfile=/var/run/osqueryd.pid
--logger_path=/var/log/osquery
--audit_allow_config=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--audit_force_reconfigure=true
--audit_persist=false
--disable_audit=false
--enable_dns_lookups=true
--logger_tls_event_types="user_events|process_events|process_file_events|socket_events|dns_lookup_events|file_events|http_events"
--events_max=1000
--disable_events_staging=false
--windows_event_channels=Security,System,Application,Setup
--win_enable_dns_lookups=true
--win_allow_sockets=true
--win_allow_process_events=true
--win_allow_logon_events=true
--win_allow_fim_events=true
--win_allow_drive_events=true
--win_allow_reg_events=true
--enable_windows_kernel_events=true
--allow_inotify_file_events=false
--audit_records_rate=10000
--logger_tls_compress=true
--enable_wmi=true
--enable_http_lookups=true
--process_ancestor_list=true
--audit_force_unconfigure=true
--audit_source_dispatcher=true
--watchdog_utilization_limit=21
--generate_process_hash_in_process_event=true

We are facing issue on MAC with OSQuery agent 4.x, It is not returning any values for cmdline. I saw a open issue for windows, where windows agent is not able to grasp cmdline from PPL. Is this issue exists in MAC agent too? could please let me know the root cause of this issue Is there any workaround to fix this issue?

osquery> select pid, name, start_time, cmdline from processes Limit 15;
+-----+----------------+------------+---------+
| pid | name           | start_time | cmdline |
+-----+----------------+------------+---------+
| 0   | kernel_task    | 1584971117 |         |
| 1   | launchd        | 1584971117 |         |
| 42  | syslogd        | 1584971127 |         |
| 43  | UserEventAgent | 1584971127 |         |
| 45  | sh             | 1584971127 |         |
| 47  | uninstalled    | 1584971127 |         |
| 48  | kextd          | 1584971127 |         |
| 49  | fseventsd      | 1584971127 |         |
| 51  | jamf           | 1584971127 |         |
| 52  | vpnagentd      | 1584971127 |         |
| 57  | appleeventsd   | 1584971127 |         |
| 58  | systemstats    | 1584971127 |         |
| 60  | configd        | 1584971127 |         |
| 62  | ciscod         | 1584971127 |         |
| 63  | powerd         | 1584971127 |         |
+-----+----------------+------------+---------+

but yeah, as teddy mentioned:

sudo osqueryi --verbose 'SELECT * FROM processes;'

I am pretty new to the osquery world. we are running our Kubernetes cluster in our data center, and osquery agent has been installed at the worker node host level, which is able to fill the virtual table as well as the event table. everything works perfectly. Currently, we are moving our system into AWS as well as GCP, we will not able to install osquery agent at the worker node level, we need to install it as daemonset, once osquery agent in daemonset, we are not able to get the host audit event. how could we solve this problem? any help will be appreciated.

hello every body, i am using CentOS 7. The process_event not working

osqueryi --nodisable_audit --nodisable_events --audit_allow_config=true --audit_persist=true --audit_allow_sockets --logger_plugin=filesystem --events_expiry=1

what kind of system calls would you like to trace?

Hi all, Trying to include parent process path (ppath) in the output of process_events table. The query below works great via osqueryi, but ppath field is always empty in scheduled query. The issue is in the events_optimize flag that limits the time column.

SELECT time, pid, path, parent AS ppid, (SELECT path FROM process_events AS pp WHERE pp.pid=p.parent) ppath FROM process_events AS p WHERE syscall='execve';

Does anybody know any workaround or fix to have ppath included? I would really appreciate any help 🙂

@SoxIn4 has left the channel