# general
f
OS: Amazon Linux 2 (Kernel 5.x), latest OSquery agent. Anyone having issues with bpf_socket_events and socket_events not populating or non-functional? These tables are empty when queried using osqueryi.
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "log_result_events": "true",
    "schedule_splay_percent": "10",
    "audit_persist": "true",
    "disable_audit": "false",
    "audit_allow_sockets": "true",
    "disable_events": "false",
    "pack_refresh_interval": "3600",
    "audit_allow_config": "true"
  },
  "bpf_socket_events": {
    "query": "SELECT * FROM bpf_socket_events;",
    "interval": 10
  }
}
f
When you invoke osqueryi from the CLI, unless you pass those config parameters again, the agent will likely boot with the defaults. You can introspect your actual osqi environment by running something like
SELECT * FROM osquery_flags WHERE value <> default_value
or you could add a specific WHERE clause for the events-related flags, so you can first validate whether or not you are actually creating events.
f
Thanks for your response, FG. I validated that enable_bpf_events=true and disable_events=false when I query from osqueryi. I tried via .conf and .flags file and the issue remains the same.
f
Are you launching osqi with sudo/as root? I'm not too familiar with ASL2 internals, whether or not BPF is enabled by default.
f
Yes, I'm running osqi as sudo/root. As per AWS, on ASL2 & ASL3 eBPF is supported.
f
I haven't used this personally but, looking around, is this flag still valid? I don't see it in your example:
--enable_bpf_events=true
f
--config_plugin=filesystem
--logger_plugin=filesystem
--logger_path=/var/log/osquery
--disable_logging=false
--log_result_events=true
--schedule_splay_percent=10
--audit_persist=true
--disable_audit=false
--audit_allow_sockets=true
--disable_events=false
--pack_refresh_interval=3600
--audit_allow_config=true
--enable_bpf_events=true
f
Your original post didn't include that line, which is why I asked.
f
Sure, sorry about that
f
Beyond my experience with osquery+bpf here then. Not sure what else would be required to make it work. Looks like you have this matched pretty well: https://github.com/hackertarget/osquery-ebpf-config/tree/main
f
I'm observing a behavior where the osquery.flags config is not persistent after service restart and server reboot.
This is how my /usr/lib/systemd/system/osqueryd.service looks:

[Unit]
Description=The osquery Daemon
After=network.service syslog.service

[Service]
TimeoutStartSec=0
EnvironmentFile=/etc/sysconfig/osqueryd
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/opt/osquery/bin/osqueryd \
  --flagfile $FLAG_FILE \
  --config_path $CONFIG_FILE
Restart=on-failure
KillMode=control-group
KillSignal=SIGTERM
TimeoutStopSec=15
CPUQuota=20%

[Install]
WantedBy=multi-user.target
I see the flag file is set correctly to load, but it’s persistent
f
Not sure, maybe you can try it with --verbose like this article suggests, to see if the module is actually being loaded; scroll down to the "Testing eBPF" section: https://hackertarget.com/osquery-linux-tutorial/
f
When I ran the below command from the article above, events are populating. But when I restart the service or run it without the explicit flag command, it's not populating; seems like the flags are not persistent.
sudo osqueryi --disable_events=false --enable_bpf_events=true --verbose
f
So it sounds like an issue with your daemon config/launching, not directly running osqueryi. So the system looks to be working properly, but for whatever reason your osqueryd service is not starting up properly.
f
Yup, seems like it
I have configured the flags in both .conf and .flags file
Screenshot 2024-04-15 at 11.04.05 AM.png
s
You should be seeing warnings in the logs when you are passing a flag that can't be in the config file. Osquery has CLI-only flags, which can only be set via flagfile or by passing them as arguments to the process, and flags/options that can be configured in the config file (and by extension remotely via TLS).
You can see which is which in the --help output, or in the code, since CLI_FLAG is the macro used to define CLI-only flags; the others use FLAG.
Normally flags that enable/disable some behavior are CLI-only flags, because osquery doesn't have logic to do so arbitrarily when it's running.
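A defender-side cross-check of the three files this thread touches (the systemd EnvironmentFile, the flagfile it points to, and the JSON config), written as an added example that is not from the thread or from the osquery project. It reports config-file "options" that are CLI-only flags and therefore never reach the daemon, confirms that the flags bpf_socket_events depends on are present in the flagfile the service actually loads, and rejects configs containing typographic quotes, which no JSON parser accepts. The sample file contents are constructed, and the CLI_ONLY_FLAGS set is an assumption to confirm against the CLI_FLAG definitions in the osquery source for the version you run.

```python
"""Cross-check osqueryd's EnvironmentFile, flagfile and config for the
'flags not persistent' symptom discussed above (added example, not osquery code)."""
import json

# Constructed sample inputs; replace with the real files on a host.
ENV_FILE_TEXT = """# /etc/sysconfig/osqueryd (constructed)
FLAG_FILE=/etc/osquery/osquery.flags
CONFIG_FILE=/etc/osquery/osquery.conf
"""

FLAGFILE_TEXT = """--config_plugin=filesystem
--logger_plugin=filesystem
--disable_events=false
--enable_bpf_events=true
"""

CONFIG_TEXT = """{
  "options": {
    "disable_events": "false",
    "enable_bpf_events": "true",
    "audit_allow_sockets": "true",
    "schedule_splay_percent": "10"
  },
  "schedule": {
    "bpf_socket_events": {"query": "SELECT * FROM bpf_socket_events;", "interval": 10}
  }
}
"""

# ASSUMPTION: flags defined with CLI_FLAG in the osquery source, honoured only from
# the flagfile or argv. Verify with `grep -rn CLI_FLAG` in your osquery checkout.
CLI_ONLY_FLAGS = {"config_plugin", "logger_plugin", "disable_events",
                  "enable_bpf_events", "disable_audit"}

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"


def parse_env_file(text):
    """KEY=VALUE lines as systemd's EnvironmentFile= reads them."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"')
    return env


def parse_flagfile(text):
    """One --name[=value] per line; a bare boolean flag means true."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("--"):
            continue
        name, sep, value = line[2:].partition("=")
        flags[name] = value.strip() if sep else "true"
    return flags


def load_config(text):
    """Return (config or None, problems). Curly quotes are reported explicitly
    because they are easy to introduce by copy/paste and break JSON parsing."""
    problems = []
    bad = sorted({c for c in text if c in TYPOGRAPHIC_QUOTES})
    if bad:
        problems.append("config contains typographic quotes %r; not valid JSON" % bad)
    try:
        return json.loads(text), problems
    except json.JSONDecodeError as exc:
        problems.append("config is not valid JSON: %s" % exc)
        return None, problems


def audit(env, flagfile_text, config_text):
    """Produce human-readable findings about where each setting really takes effect."""
    findings = []
    if "FLAG_FILE" not in env:
        findings.append("EnvironmentFile defines no FLAG_FILE; --flagfile expands to nothing")
    flags = parse_flagfile(flagfile_text)
    config, problems = load_config(config_text)
    findings.extend(problems)
    config = config or {}
    for name in sorted(config.get("options", {})):
        if name in CLI_ONLY_FLAGS:
            where = ("also set in flagfile (%s)" % flags[name] if name in flags
                     else "NOT in flagfile, so the daemon never sees it")
            findings.append("option '%s' is CLI-only; %s" % (name, where))
    uses_bpf = any("bpf_" in q.get("query", "")
                   for q in config.get("schedule", {}).values())
    if uses_bpf:
        if flags.get("disable_events") == "true":
            findings.append("schedule uses bpf_* tables but flagfile sets disable_events=true")
        if flags.get("enable_bpf_events") != "true":
            findings.append("schedule uses bpf_* tables but enable_bpf_events=true is missing from the flagfile")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_env_file(ENV_FILE_TEXT), FLAGFILE_TEXT, CONFIG_TEXT):
        print("-", finding)
```

On a real host, read the three paths from the EnvironmentFile the unit names rather than the ones you edited; the thread's symptom (events appear with explicit osqueryi flags but not under the service) is exactly the case this check separates, because the flagfile the service loads is whatever FLAG_FILE resolves to.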