Hi All, has anyone encountered an issue with data ...
# linuxi
ihor
06/15/2024, 5:59 PMHi All, has anyone encountered an issue with data encoding in bpf events tables like that? We face the issue on rhel8.6 servers with different osquery versions
a
alessandrogario
06/17/2024, 1:14 PM
Are there many processes being started/stopped?
alessandrogario
06/17/2024, 1:15 PM
What I’m trying to understand is how many ebpf events/s is handling (across all BPF tables)
alessandrogario
06/17/2024, 1:17 PM
We have better BPF support in the experimental features (see —help), but it was last tested on ubuntu 20.04 (or 21..)
i
ihor
06/18/2024, 1:40 PMI've posted the screenshot with an example event, just to express the issue. At the moment we have installed osquery on several RHEL8.6 servers, some have more more process / network activities, some less, but all are facing the same issue with BPF tables (no cmdline, and strange encoding in path).
a
alessandrogario
06/18/2024, 1:41 PM
Would you be able to report to us which kernel version is being used on that specific version?
i
ihor
06/18/2024, 2:12 PMWe can't understand how we can include experimental table bpf_process_events_v2 in our build. Experimental branch was updated 5 years ago, so it should be built from master branch? We would be thankful for any hints.
ihor
06/18/2024, 2:24 PMkernel version: 4.18.0-372.9.1.el8.x86_64
ihor
06/18/2024, 3:24 PMoh, I've just found in #ebpf channel that it can be easily added by flag
--experiment_list=linuxeventsihor
06/18/2024, 4:52 PMit's only pity that the table doesn't have uid or username of the user who run the process
a
alessandrogario
06/18/2024, 5:00 PM
Ah yes, it’s limited 😢 it was a spare time project I did and was hoping someone would fund it
4 Views