https://github.com/osquery/osquery logo
Join Slack
Powered by
I recall that `osquery_schedule` is really only su...
# general
h
I recall that 
osquery_schedule
is really only supposed to keep track of stats on schedule queries for the life of the osqueryd daemon. Even given that, we only see three fields filled out--name, query, interval--and everything else is 0 across tens of thousands of machines.
Is tracking this incompatible with certain configurations, possibly? Yes, I do have schedule queries looking at this table, and I've also used 
--connect /var/osquery/osquery.em
in order to acces stats from osqueryd. Mostly zeroes.
j
The values you see are the defaults in the source. https://github.com/osquery/osquery/blob/master/osquery/tables/utility/osquery.cpp#L240 so it looks like no scheduled queries have run to change those values. That seems unlikely, I'm sure. But what 
interval
values are you seeing?
h
I didn't check them against the files, but at quick glance, the interval values seem correct.
We're outputting to kafka, and there's tons of results in there. I've never once seen a non-zero in that table, but for the three fields I mentioned above.
s
Is this a stock osquery, or something weird? I wonder if this one of the areas that fragile to being renamed.
h
Stock. I mean, we have configuration, but we installed from RPM distribution.
And been like this forever, least a couple years.
s
Assuming it’s an osquery RPM, that sounds pretty stock to me
h
If you can think of anything I can test, please let me know. Maybe on a test machine I'll try stopping it, wiping its database state clean, and seeing how minimal a configuration I can start it up with to see if it'll behave differently?
Would you like me to file a bug report in gitlab?
8 Views
Open in Slack
PreviousNext
Powered by