clong
11/10/2017, 7:27 PM
mdunten
12/07/2017, 3:35 PM
alessandrogario
steffen
05/11/2018, 8:59 AM
maestretti
05/11/2018, 5:45 PM
clong
06/21/2018, 3:29 AM
clong
08/27/2018, 5:58 PM
pirxthepilot
09/25/2018, 5:59 PM
execve
syscalls, is that correct? If so, is osquery not a good fit then if we want to log other syscalls (sethostname, settimeofday etc.)? In our case we're trying to follow CIS standards and the benchmarks for audit require more than execve.
keepwatch
07/10/2019, 6:48 PM
Prash
08/27/2019, 7:24 AM
Avi Apelbaum
03/19/2020, 8:39 AM
Event publisher not enabled: syslog: Publisher disabled via configuration"
Any idea, someone?
Flag File:
--watchdog_level=0
--watchdog_memory_limit=300
--host_identifier=uuid
--tls_hostname=kolide-server:443
--tls_server_certs=/etc/osquery/ca.crt
--config_plugin=tls
--distributed_plugin=tls
--logger_plugin=tls
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_tls_endpoint=/api/v1/osquery/config
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_tls_endpoint=/api/v1/logger
--config_refresh=300
--config_tls_max_attempts=20
--enroll_always=true
--disable_distributed=false
--distributed_interval=0
--enroll_secret_path=/etc/osquery/enroll
--database_path=/var/osquery/osquery.db
--pidfile=/var/run/osqueryd.pid
--logger_path=/var/log/osquery
--audit_allow_config=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--audit_force_reconfigure=true
--audit_persist=false
--disable_audit=false
--enable_dns_lookups=true
--logger_tls_event_types="user_events|process_events|process_file_events|socket_events|dns_lookup_events|file_events|http_events"
--events_max=1000
--disable_events_staging=false
--windows_event_channels=Security,System,Application,Setup
--win_enable_dns_lookups=true
--win_allow_sockets=true
--win_allow_process_events=true
--win_allow_logon_events=true
--win_allow_fim_events=true
--win_allow_drive_events=true
--win_allow_reg_events=true
--enable_windows_kernel_events=true
--allow_inotify_file_events=false
--audit_records_rate=10000
--logger_tls_compress=true
--enable_wmi=true
--enable_http_lookups=true
--process_ancestor_list=true
--audit_force_unconfigure=true
--audit_source_dispatcher=true
--watchdog_utilization_limit=21
--generate_process_hash_in_process_event=true
Premkumar R
03/26/2020, 1:14 PM
osquery> select pid, name, start_time, cmdline from processes Limit 15;
+-----+----------------+------------+---------+
| pid | name           | start_time | cmdline |
+-----+----------------+------------+---------+
| 0   | kernel_task    | 1584971117 |         |
| 1   | launchd        | 1584971117 |         |
| 42  | syslogd        | 1584971127 |         |
| 43  | UserEventAgent | 1584971127 |         |
| 45  | sh             | 1584971127 |         |
| 47  | uninstalled    | 1584971127 |         |
| 48  | kextd          | 1584971127 |         |
| 49  | fseventsd      | 1584971127 |         |
| 51  | jamf           | 1584971127 |         |
| 52  | vpnagentd      | 1584971127 |         |
| 57  | appleeventsd   | 1584971127 |         |
| 58  | systemstats    | 1584971127 |         |
| 60  | configd        | 1584971127 |         |
| 62  | ciscod         | 1584971127 |         |
| 63  | powerd         | 1584971127 |         |
+-----+----------------+------------+---------+
alessandrogario
sudo osqueryi --verbose 'SELECT * FROM processes;'
Henry Xu
04/28/2020, 6:36 AM
poisonous97
06/07/2020, 4:37 PM
osqueryi --nodisable_audit --nodisable_events --audit_allow_config=true --audit_persist=true --audit_allow_sockets --logger_plugin=filesystem --events_expiry=1
alessandrogario
Maksym Varnakov
10/31/2022, 4:45 PM
SELECT time, pid, path, parent AS ppid, (SELECT path FROM process_events AS pp WHERE pp.pid=p.parent) ppath FROM process_events AS p WHERE syscall='execve';
Does anybody know any workaround or fix to have ppath included? I would really appreciate any help 🙂
SoxIn4
01/23/2023, 8:24 PM