This is a test tbh to see how wel logging of osquery looks at scale. We write to file and ingest from there typically, we are evaluating the wel logger now to streamline our pipelines.

@b0l I publish osquery to WEL but at this time I cannot subscribe to the channel. I have been able to in the past but have not been able to recently.

pretty sure i have that fixed on a branch. i'll double check.

is there a particular reason on why osquery doesn't support firefox_addos on windows?

any configuration available for powershell_events enable via config i am using below one --windows_event_channels=Microsoft-Windows-PowerShell/Operational

@thor Has there been any further decisions/work on c++ extensions with buck? The extension I am looking at doing is going to use some c++ libs and it's obviously easier to link them into c++ than Go (or rewrite the functionality in Go)

(Cross posting from #general and ccing @fmanco and @akindyakov) Does anybody know how to generate the precompiled dependency tarballs for Windows on the

experimental

branch? I’m trying to bump Boost to 1.69.0 (from 1.66.0) because OSquery is failing to compile on current Debian testing due to an update to libstdc++ headers

@cbarcenas https://github.com/facebook/osquery/blob/experimental/tools/provision/chocolatey/boost-msvc14.ps1 contains some build information about how boost was built for the chocolatey package. Someone should probably confirm that it's the same builds/process for the experimental branch but it's a good place to start.

@jsanchez if you want to package the new experimental branch of osquery, you can look at #osql as we recently added support for that! You can create RPM, DEB, MSI and PKG for macOS

Has anyone seen an issue where windows just stops sending osQ results to AWS Kinesis from some machines? I seem to have at least 2 machines in this state currently. Any pointers would be appreciated

sure

It looks like the process_open_sockets joined with processes query is the biggest contributor. When does osquery dump the results to the db when there is a join? Given https://github.com/facebook/osquery/issues/5379 the tables may end up being called a large number of times (~170 processes and ~80 sockets). Would osquery write entries for each call to the table?

I am getting below error after running osquery on windows, can anyone help me plz?? I0529 143921.008002 15420 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: Failed to create lock file: \ProgramData\osquery\osquery.db/LOCK: The process cannot access the file because it is being used by another process. I0529 143921.226740 15420 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: Failed to create lock file: \ProgramData\osquery\osquery.db/LOCK: The process cannot access the file because it is being used by another process. I0529 143921.445477 15420 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: Failed to create lock file: \ProgramData\osquery\osquery.db/LOCK: The process cannot access the file because it is being used by another process. I0529 143921.664213 15420 rocksdb.cpp:151] Rocksdb open failed (5:0) IO error: Failed to create lock file: \ProgramData\osquery\osquery.db/LOCK: The process cannot access the file because it is being used by another process. E0529 143921.664213 15420 init.cpp:627] [Ref #1629] osqueryd initialize failed: Could not initialize database

FYI because i don’t think this is being widely posted: https://www.facebook.com/security/advisories/cve-2019-3567

https://github.com/facebook/osquery/releases/download/3.4.0/osquery-3.4.0.msi still installs osquery to 'ProgramData' folder

@ihor, it has always been ProgramData

@TonyC I'm having the same problem as you - seeing all the

Failed to open handle to process

but only with the Polylogyx extension running. You guys have any idea how to solve this? @OpenPlgx

In 3.3.2 it seems to work just fine

Hey Folks! I made an error with the osquery 3.4.0 MSI that was released on github. The error has been fixed, I'm updating the binaries in the GH release page as well as those hosted in our S3 bucket, but wanted to drop the MSI here as well for folks who use that. Sorry about the mess up! osquery should now be installed in Program Files for all package deployments.

anyone ever add tables to osquery as described in this https://osquery.readthedocs.io/en/stable/development/creating-tables/

we’ve had to comment out the doxygen part of the powershell build script

When will TUF be updated with osqueryd 3.4.0? Its still serving up 3.3.2 afaict

Hey Folks! Binaries have been updated in the release notes and the S3 bucket. I'm also dropping them here for use. I checked and double checked that nothing is being installed into ProgramData for both the chocolatey package and the MSI 🙂 I'll be working on getting the package hosted by chocolatey fixed up also, lemme know if y'all hit any issues, thanks.

@binu do you have script block logging configured on yer system?

@A Conno how are you doing it? just like

osqueryi "select * from windows_events" > my_file.txt"

?

Probably obvious but, if I'm using the Launcher do I need to create a firewall rule to allow it? The default windows firewall that is

Let's start with something very basic. How did you install the osquery agent? Msi? Choco? Something else?

@Tarun Chinmai Sekar is Python2 accessible via the system path? And inside of the tools/buckconfigs/windows/toolchains/vs.. configuration file, is the Python3 path set correctly?

the usb devices table isn't compatible with windows unfortunately, If you check https://osquery.io/schema/3.3.2, it'll list which platforms each table works on

Has anyone seen these issues before with buck on windows?

PS C:\Users\IEUser\Downloads\osquery> buck build @mode/windows-x86_64/debug //osquery:osqueryd
Not using buckd because watchman isn't installed.
Parsing buck files: finished in 4.3 sec
Creating action graph: finished in 1.6 sec
Building: finished in 03:47.8 min (100%) 226/1148 jobs, 10 updated
  Total time: 03:53.7 min
Command failed with exit code 1.
stderr: Traceback (most recent call last):
  File ".bootstrap\_pex\pex.py", line 328, in execute
  File ".bootstrap\_pex\pex.py", line 261, in _wrap_coverage
  File ".bootstrap\_pex\pex.py", line 293, in _wrap_profiling
  File ".bootstrap\_pex\pex.py", line 371, in _execute
  File ".bootstrap\_pex\pex.py", line 429, in execute_entry
  File ".bootstrap\_pex\pex.py", line 434, in execute_module
  File "C:\ProgramData\chocolatey\lib\mingw\tools\install\mingw64\opt\lib\python2.7/runpy.py", line 180, in run_module
    fname, loader, pkg_name)
  File "C:\ProgramData\chocolatey\lib\mingw\tools\install\mingw64\opt\lib\python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "src\com\facebook\buck\features\python\make_pex.py", line 184, in <module>
  File "src\com\facebook\buck\features\python\make_pex.py", line 153, in main
  File "src\com\facebook\buck\features\python\make_pex.py", line 78, in copy_package
  File ".bootstrap\pkg_resources\__init__.py", line 1162, in resource_isdir
  File ".bootstrap\pkg_resources\__init__.py", line 1643, in resource_isdir
  File ".bootstrap\pkg_resources\__init__.py", line 1987, in _isdir
  File ".bootstrap\pkg_resources\__init__.py", line 1849, in _zipinfo_name
AssertionError: C:/Users/IEUser/Downloads/osquery/.buckd/resources/2019.06.17.01/buck-modules-resources/python/pex.pex/.bootstrap/pkg_resources is not a subpath of C:/Users/IEUser/Downloads/osquery/.buckd/resources/2019.06.17.01/buck-modules-resources/python/pex.pex\

    When running <pex>.
    When building rule //tools/codegen:gentable.