I have a few basic schedules set for my environmen...
# fleetb
benbass
06/09/2023, 2:44 PMI have a few basic schedules set for my environment, and unfortunately they are not running on the one active computer that I have enrolled. The device is checking in and is able to run packs that are assigned to it, however any of the Scheduled items are not working. I am not seeing them listed on the host screen, or being written to the logs on the end point.
benbass
06/09/2023, 2:44 PMFleet version 4.32.0 and osquery (vanilla) version 5.6.0 on macOS.
k
Kathy Satterlee
06/09/2023, 5:47 PMHey @benbass! Can you share your osquery flags?
What do you see if you run this query against that host:
SELECT name, query, denylisted, executions from osquery_scheduleb
benbass
06/09/2023, 5:58 PMHi Kathy! I am seeing the 3 queries that I have scheduled from the pack that I have working on that mac, and I am not seeing any of the ‘Scheduled’ queries.
benbass
06/09/2023, 6:01 PMI sent you a DM of the flaf file.
k
Kathy Satterlee
06/09/2023, 6:13 PMEverything looks good there at a glance. Are you seeing any errors in the osquery status logs on the host?
b
benbass
06/09/2023, 6:20 PMThe only error I am seeing is in regards to fleet asking about the mdm table - which I know I don’t have with the vanilla osquery.
k
Kathy Satterlee
06/09/2023, 7:02 PMCan your run osquery in verbose mode for a couple of hours (add the
--verboseb
benbass
06/09/2023, 7:12 PMDo you want --tls_dump as well?
k
Kathy Satterlee
06/09/2023, 7:14 PMCan't hurt 🙂
b
benbass
06/09/2023, 7:22 PMWhich logs would you like? When you run it in --verbose it rights to std out - is that what you would like?
benbass
06/09/2023, 8:15 PM@Kathy Satterlee Do you want what is sent to standard out (aka the terminal) when I launch osquery with --verbose and --dump_tls?
k
Kathy Satterlee
06/09/2023, 8:20 PM--verboseINFO--tls_dumpKathy Satterlee
06/09/2023, 8:21 PMYou're welcome to redact anything you share publically, or send me a DM.
If you do DM me, I may post some snippets here, but I'll sanitize them first :)
b
benbass
06/09/2023, 8:23 PMSounds good. I have been running in --verbose and --tls_dump for about an hour. I am starting to wrap up my day, so I’ll PM you the std out and info logs.
k
Kathy Satterlee
06/12/2023, 3:06 PMI skipped right past this earlier, but I'm seeing now that you've got logging set to local filesystem:
Copy code
--logger_plugin=filesystemb
benbass
06/12/2023, 3:07 PMI am seeing the assigned pack results, not anything from the schedule. This was where I initially discovered this. We have our logs shipped to our SIEM and I was not seeing the results there.
k
Kathy Satterlee
06/12/2023, 3:34 PMTaking a look at the config that's being passed from Fleet, I'm not seeing any scheduled queries coming through there. Just to be sure, did you schedule these queries on the Fleet side, or as part of a local osquery configuration?
Kathy Satterlee
06/12/2023, 3:35 PMI don't see anything in the flags you shared to indicate that, but better safe than sorry 🙂
b
benbass
06/12/2023, 3:37 PMI went into the fleet GUI and scheduled them - from there - here is the advanced info from one of them.
k
Kathy Satterlee
06/12/2023, 3:47 PMWhat happens if you run one of those queries as a live query?
b
benbass
06/12/2023, 4:22 PMthe live queries run just fine. I just ran that etc_hosts and got a reply back in seconds.
k
Kathy Satterlee
06/12/2023, 4:26 PMThanks! I've reached out to the team for some ideas.
b
benbass
06/13/2023, 12:52 PMAnother point of data - the ‘policies’ from the policies tab are running and working as expected.
k
Kathy Satterlee
06/13/2023, 3:04 PMThanks for that additional info!
l
Lucas Rodriguez
06/14/2023, 5:44 PMHi @benbass! Could you share the osquery flags you are using? (What's the value for
--config_plugintlsk
Kathy Satterlee
06/14/2023, 6:33 PMHey @Lucas Rodriguez, I've confirmed the tls config endpoint is set up, and the config is coming down from Fleet, but there isn't a Global schedule coming through. I'll send you those logs.
l
Lucas Rodriguez
06/14/2023, 6:43 PMTaking a look.
k
Kathy Satterlee
06/14/2023, 7:45 PM@benbass Are you able to query the Fleet database? I’d love to see what you get back for
select * from packsb
benbass
06/14/2023, 7:48 PMYup, I should be able to.
benbass
06/14/2023, 7:50 PMsending output via DM.
k
Kathy Satterlee
06/14/2023, 8:06 PMThank you! I am noticing that the Global pack has been disabled, which is… odd.
Kathy Satterlee
06/14/2023, 8:08 PMRunning this should solve the issue:
Copy code
UPDATE packs SET disabled = 0 WHERE pack_type = 'global';Kathy Satterlee
06/14/2023, 8:09 PMHow it got in that state is concerning. Do you know if someone may have modified the database to disable all packs at some point in the past?
b
benbass
06/14/2023, 8:11 PMNot that I am aware of. I did disable all of the packs at one point via the GUI, as this is a dev/testing box.
benbass
06/14/2023, 8:13 PMI just ran that query. Could the global pack being disabled disable the ‘scheduled’ queries?
k
Kathy Satterlee
06/14/2023, 8:13 PMYes, 100%.
b
benbass
06/14/2023, 8:13 PMVery interesting. I will keep an eye on that when I upgrade my prod environment next week.
k
Kathy Satterlee
06/14/2023, 8:26 PMSounds good! Things have tightened up quite a bit, but it looks like in versions prior to 4.2.0, it was possible to disable that through the REST API. That could be the culprit depending on your version/how long this has been happening. Otherwise, my gut instinct tells me that the database was likely modified manually at some point. I'll keep an ear to the ground in case this comes up again.
b
benbass
06/14/2023, 8:28 PMI doubt the DB was altered, as I am the only one who really has access to it, and I think these were the first queries I have run on that DB. 🙂. This is a very old install, as the DB goes back to 1.06 I think and has been upgraded through most, and had a rather large jump recently from 4.9.1 to 4.30 then to 4.32.
k
Kathy Satterlee
06/14/2023, 8:30 PMHad schedule been working recently, or might this be something that goes back that far?
b
benbass
06/14/2023, 8:31 PMThis was the first version that schedule had been in, we jumped from an older version that pre-dated schedule.
benbass
06/15/2023, 2:56 PMSadly it looks like the ‘schedules’ are still not running on the endopoint.
k
Kathy Satterlee
06/15/2023, 3:25 PMCan you try adding a new scheduled query?
b
benbass
06/15/2023, 6:53 PMI created a new scheduled query about an hour ago and no dice. The data had been refetched from the endpoint about 7 minutes ago, so that info is up to date.
k
Kathy Satterlee
06/15/2023, 7:23 PMCan you send over a new batch of logs for me?
l
Lucas Rodriguez
06/15/2023, 7:25 PMAnd make sure to double check the value of
disabled1b
benbass
06/15/2023, 8:23 PMHere is the output from the mysql db.
I manually disabled the packs originally via the GUI, and if you note, the Global Pack is enabled.
Copy code
mysql> select * from packs \G;
*************************** 1. row ***************************
id: 3
created_at: 2018-07-27 16:43:26
updated_at: 2020-11-19 13:38:34
disabled: 1
name: hardware-monitoring
description:
platform:
pack_type: NULL
*************************** 2. row ***************************
id: 5
created_at: 2018-07-27 16:51:34
updated_at: 2020-11-19 13:38:34
disabled: 1
name: incident-response
description:
platform:
pack_type: NULL
*************************** 3. row ***************************
id: 6
created_at: 2018-07-27 16:55:59
updated_at: 2020-11-19 13:38:34
disabled: 1
name: it-compliance
description:
platform:
pack_type: NULL
*************************** 4. row ***************************
id: 7
created_at: 2018-07-27 16:56:08
updated_at: 2020-11-19 13:38:34
disabled: 1
name: osquery-monitoring
description:
platform:
pack_type: NULL
*************************** 5. row ***************************
id: 8
created_at: 2018-07-27 16:56:15
updated_at: 2020-11-19 13:38:34
disabled: 1
name: ossec-rootkit
description:
platform:
pack_type: NULL
*************************** 6. row ***************************
id: 9
created_at: 2018-07-27 16:56:25
updated_at: 2020-11-19 13:38:34
disabled: 1
name: osx-attacks
description:
platform:
pack_type: NULL
*************************** 7. row ***************************
id: 10
created_at: 2018-07-27 16:56:32
updated_at: 2020-11-19 13:38:34
disabled: 1
name: unwanted-chrome-extensions
description:
platform:
pack_type: NULL
*************************** 8. row ***************************
id: 11
created_at: 2018-07-27 16:56:38
updated_at: 2020-11-19 13:38:34
disabled: 1
name: vuln-management
description:
platform:
pack_type: NULL
*************************** 9. row ***************************
id: 12
created_at: 2018-07-27 16:56:47
updated_at: 2020-11-19 13:38:34
disabled: 1
name: windows-attacks
description:
platform:
pack_type: NULL
*************************** 10. row ***************************
id: 13
created_at: 2018-07-27 16:56:54
updated_at: 2020-11-19 13:38:34
disabled: 1
name: windows-hardening
description:
platform:
pack_type: NULL
*************************** 11. row ***************************
id: 24
created_at: 2018-07-27 17:53:31
updated_at: 2020-11-19 13:38:34
disabled: 1
name: mitre_att&ck
description:
platform:
pack_type: NULL
*************************** 12. row ***************************
id: 31
created_at: 2018-09-05 15:42:11
updated_at: 2020-11-19 13:38:34
disabled: 1
name: APL_ops
description:
platform:
pack_type: NULL
*************************** 13. row ***************************
id: 32
created_at: 2018-09-05 15:48:48
updated_at: 2020-11-19 13:38:34
disabled: 1
name: APL_threats
description:
platform:
pack_type: NULL
*************************** 14. row ***************************
id: 35
created_at: 2018-09-05 16:08:40
updated_at: 2020-11-19 13:38:34
disabled: 1
name: APL_compliance
description:
platform:
pack_type: NULL
*************************** 15. row ***************************
id: 41
created_at: 2018-09-06 09:42:09
updated_at: 2018-09-06 10:31:07
disabled: 1
name: APL_packless
description: Pack that contains queries currently not in a pack. Making export via yaml easier.
platform:
pack_type: NULL
*************************** 16. row ***************************
id: 42
created_at: 2019-09-18 14:19:02
updated_at: 2020-11-19 13:38:34
disabled: 1
name: Nicks_Dev_Pack
description:
platform:
pack_type: NULL
*************************** 17. row ***************************
id: 43
created_at: 2019-11-23 14:36:41
updated_at: 2020-11-19 13:38:34
disabled: 1
name: Ali_Practice
description: A pack for practice queries
platform:
pack_type: NULL
*************************** 18. row ***************************
id: 44
created_at: 2020-08-04 14:42:23
updated_at: 2023-05-02 10:13:13
disabled: 0
name: Test pack
description: Pack to ensure that logs are running locally when upgrading.
platform:
pack_type: NULL
*************************** 19. row ***************************
id: 45
created_at: 2021-07-28 13:39:30
updated_at: 2023-06-14 16:12:57
disabled: 0
name: Global
description: Global pack
platform:
pack_type: global
*************************** 20. row ***************************
id: 46
created_at: 2023-03-06 15:16:03
updated_at: 2023-03-06 15:16:03
disabled: 0
name: test_es_query_pack
description:
platform:
pack_type: NULL
20 rows in set (0.00 sec)
ERROR:
No query specifiedbenbass
06/15/2023, 8:24 PMThe packs that are enabled and scoped to the machine are working properly, just the queries from “Scheduled” are not running.