Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
h
HarlanF
02/23/2022, 1:25 AMShould I have to do anything special to use an extension table in a discovery query for a pack?
I'm getting
Discovery query failedInteractively, with osqueryi, that table's there. And yeah, it's definitely one of the enabled tables.
a
alessandrogario
02/23/2022, 1:52 PMCan you try with --verbose to make sure the table is actually there? There are some differences in the sanity checks of osqueryd vs osqueryi
h
HarlanF
02/23/2022, 2:12 PMPut --verbose in the flags file?
a
alessandrogario
02/23/2022, 2:13 PMYes, that will print additional debugging information that could help diagnose the problem
h
HarlanF
02/23/2022, 2:52 PMOkay, so , in order (and skipping things that don't seem relevant):
1. Found autoloadable extension: <the relevant one>
2. Executing watcher
3. Created and monitoring child (13347) for the relevant extension
4. osquery worker initialized
5. Adding new service: extensionwatcher
6. Extension manager service starting
7. Discovery failed ... no such table
8. Registering extension (relevant one)
So I'm theorizing that #8 needs to come before #7. Is there a way to influence that timing?
a
alessandrogario
02/23/2022, 3:30 PMyou can use --extensions_require=plugin_name
This will cause osquery to wait for the extension to come online during startup
h
HarlanF
02/23/2022, 3:37 PMThanks so much for the help; trying that, will let you know.
Yeah, seems to have done the trick. By the way, I was trying to read up on the other extensions flags, and couldn't make sense of what they actually did in the documentation. Any ideas about
--extensions_interval--extensions_timeouta
alessandrogario
02/23/2022, 3:48 PMExtensions are processes that communicate with osquery via Thrift; the --extensions_interval is passed down to extensions when osquery starts them as
--interval valuethe
--extensions_timeouth
HarlanF
02/23/2022, 6:28 PMOh, thanks! I'm getting a "Discovery query failed", and looking at the source:
for (const auto& q : discovery_queries_) {
SQL results(q);
if (!results.ok()) {
LOG(WARNING) << "Discovery query failed (" << q
<< "): " << results.getMessageString();
discovery_cache_.second = false;
break;
}
if (results.rows().size() == 0) {
discovery_cache_.second = false;
break;
}
}
return discovery_cache_.second;Does it seem like "Discovery query failed" is indicating that there was something wrong with the execution, as opposed to "didn't return any results"?
Seems that way to me, and the second if() in the above snippet governs results being nil