Hi all!
I'm building an OSQ extension, written in ...
# generalo
Ortal Kombat
05/27/2024, 11:50 AMHi all!
I'm building an OSQ extension, written in C++.
My issue is that when the extension finishes it's action, and should return results to fleet, the results I see in fleet is an empty table.
In the extension, I've logged to a file all the values of the result row before pushing it to the result TableRows object, and everything
seems legit - but still fleet receives empty result.
I did all I can to debug and check what's wrong and I'm now completely clueless. PLS HELP!
s
seph
05/27/2024, 1:55 PM
Does it work in osqueryi?
If so, try #C01DXJL16D8
o
Ortal Kombat
05/27/2024, 1:56 PMNo, it doesn't
Ortal Kombat
05/27/2024, 1:57 PMBut thanks, I'll try there
s
seph
05/27/2024, 1:57 PM
Okay, if it’s not working in osqueryi, then something is amiss. :)
seph
05/27/2024, 1:57 PM
I’m not super familiar with how to write c++ extensions.
seph
05/27/2024, 1:58 PM
How are you starting osqueryi?
o
Ortal Kombat
05/27/2024, 2:00 PMosqueryi.exe --extension=<path_to_ext> --allow_unsafe
Ortal Kombat
05/27/2024, 2:01 PMWhen I type "PRAGMA table_info(ext_table);"
it recognizes the table and show the relevant info
s
seph
05/27/2024, 2:14 PM
Yeah. that command line looks okay.
seph
05/27/2024, 2:14 PM
It sounds like it’s being registered, but maybe it’s not returning data?
o
Ortal Kombat
05/27/2024, 2:19 PMI worked by this example - https://osquery.readthedocs.io/en/stable/development/osquery-sdk/
I declared everything just as in this example, even variable names, and the relevant part for my case is the last 2 lines in the "generate" function, which I wrote just like the example. It's really frustrating, I don't know what can possibly go wrong here
s
seph
05/27/2024, 2:26 PM
That does sound frustrating. But without seeing your code, I’m not sure I can make any cognizant suggestions.
Can you compile that example and have it work?
seph
05/27/2024, 2:33 PM
(I do most of my extension work in go)
o
Ortal Kombat
05/27/2024, 3:05 PMI can make the example work, and I can't paste code here 😞
Ortal Kombat
05/27/2024, 3:06 PMMaybe I'll give Go a shot... Thanks a lot for the help! :)
s
seph
05/27/2024, 3:07 PM
Okay, if the example works, and your code doesn’t, then there’s likely something off in your code.
seph
05/27/2024, 3:08 PM
You can certainly paste code here, though at some size slack doesn’t like. But you can also host at gist.github.com, pastebin, or whatever. 🤷
seph
05/27/2024, 3:09 PM
As for languages, it’s up to you. There’s SDK support for go (https://github.com/osquery/osquery-go) and python (https://github.com/osquery/osquery-python). I’ve build ruby extensions using the thrift socket directly. And there’s c/c++. Mostly, I’d suggest using what language your most comfortable with
14 Views