qq for fleetctl and package command plus flag file I don t j osquery #fleet

qq for fleetctl ... and package command plus flag ...

Vlad Previn

06/07/2023, 11:24 AM

qq for fleetctl ... and package command plus flag file - I don't just add the extra flags and pass the file as an arg correct?

Vlad Previn

06/07/2023, 11:25 AM

let's say osq.flags is

Copy code

--enable_windows_events_subscriber=true
--enable_windows_events_publisher=true
--enable_powershell_events_subscriber=true
--events_optimize=true
--events_max=200000
--events_expiry=86400
--disable_events=false
--windows_event_channels=System,Application,Setup,Security.....

Vlad Previn

06/07/2023, 11:43 AM

then

Copy code

fleetctl package type=msi ... --osquery-flagfile osq.flags

Vlad Previn

06/07/2023, 11:49 AM

can someone also elaborate on the 3 subscriber and publisher flags 😕 please

Vlad Previn

06/07/2023, 12:50 PM

and how does the event optimization work for flushing events ... let's say i query a specific event id in a specific channel - would it flush the entire windows_events table on the agent side?

Vlad Previn

06/07/2023, 12:50 PM

also final question - if I just need specific low volume events and don't mind duplicates - i could probably use this instead

windows_eventlog

with xpath constraints for the channel, event id and time ?

Copy code

SELECT * FROM windows_eventlog WHERE xpath='<QueryList><Query Id="0" Path="Application"><Select Path="Application">*[System[(Level=2) and (EventID=123) and TimeCreated[timediff(@SystemTime) <= 86400000]]]</Select></Query></QueryList>'

Vlad Previn

06/07/2023, 12:57 PM

https://osquery.slack.com/archives/C01DXJL16D8/p1686142230344739?thread_ts=1686137059.448519&cid=C01DXJL16D8

Copy code

select * from windows_events

or is the intention with this querying all of it for the all events in channels it tracks and flushes each scheduled query call?

Vlad Previn

06/07/2023, 1:05 PM

and for ^ windows_events when turned on when it flushes on event query, does it flush it per channel 😄 or all

Vlad Previn

06/08/2023, 5:41 AM

😅

Lucas Rodriguez

06/08/2023, 2:48 PM

Hi @Vlad Previn!

fleetctl package --type=msi ... --osquery-flagfile osq.flags

This looks correct. When it comes to flushing of logged events in osquery, there's the

--events_expiry

flag:

Copy code

The buffered events will eventually expire! The --events_expiry flag controls the lifetime of buffered events. This is set to 1 day by default, this expiration occurs when events are selected from their subscriber table. For example: the process_events subscriber will buffer process starts until a query selects from this table. At that point all results will be returned and immediately after, any event that happened time-86400 seconds ago will be deleted. If you select from this table every second you will constantly see a window of 1 day's worth of process events.

Source: https://osquery.readthedocs.io/en/stable/development/pubsub-framework/

Lucas Rodriguez

06/08/2023, 2:50 PM

And from the same page, here's the info about

--events_optimize=true

when using

*_events

table in scheduled queries:

Copy code

When scheduling queries that include _events (subscriber-based) tables, additional optimizations are invoked. These optimization can be disabled using --events_optimize=false. The subscriber tables can detect they are responding to a schedule and may keep track of the last time the scheduled query has executed. This allows each subscriber to return the exact window of the schedule and delete buffered events immediately. This saves the most memory and disk usage possible while still allowing flexible scheduling.

Lucas Rodriguez

06/08/2023, 2:50 PM

Let me know if it makes sense.

Vlad Previn

06/08/2023, 2:59 PM

🤔 what if we use pack query schedules (not scheduled queries). and i know the topic is a bit taboo and i respect you guys not disabling it completely. hopefully not err any time soon in the future. unfortunately we can't afford premium

2 Views

Open in Slack

Previous Next