# general
b
Hi, We have Enabled events and file events in the osquery but I can't get any logs or tables from there. How to solve it?
j
I think in order to see events in osqueryi, you need to connect to the osqueryd socket first. Once done, you should be able to see the state of events in the osquery_events table: https://osquery.readthedocs.io/en/stable/deployment/debugging/#inspecting-daemon-state-using-the-shell
b
@John Speno Can you help with this? I can't open osqueryd; in the terminal only "osqueryctl" and "osqueryi" are shown.
j
You'll need to know the socket path that osqueryd is using, then use the .connect /path/to/socket command in osqueryi to connect to it.
s
There’s a couple of things here that are confusing. osquery looks like SQL, but it’s not really a database. It’s closer to an API translation layer. osqueryd (the daemon) and osqueryi don’t really share data. E.g., if you run osqueryd, and then you run osqueryi, the latter does not connect to the former (*mostly); it runs as its own version of everything. This is commonly quite confusing. There is an exception. osqueryd can run with a socket, which is used by extensions. If osqueryi is invoked with the --connect argument, and you have appropriate file system permissions, you can connect to the running osqueryd.
b
I found osqueryd on Mac, and the thing is I just need to know how to get the user and file events. Do we need to add anything to osquery.conf or to the osquery.flags file?
s
You might want to have a look at the documentation: https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/ The flags seem correct, but what about the configuration for the paths to watch?
b
Hi @Stefano Bonicatti My Configuration file path is /etc/osquery/osquery.conf. I am connecting the osqueryd with osqueryi, but it shows "zsh: segmentation fault osqueryi" and a system error report like this.
s
I’m not sure what it actually connected to there, but the crash shouldn’t have happened. Nonetheless, what I meant is that inside the configuration file, you should configure which filesystem paths you want to be watched for changes. So I was wondering how that configuration looked currently.
If you check the link I gave you, it explains it.