HarlanF

02/23/2022, 1:25 AM
Should I have to do anything special to use an extension table in a discovery query for a pack?
I'm getting "Discovery query failed". Interactively, with osqueryi, that table's there. And yeah, it's definitely one of the enabled tables.

alessandrogario

02/23/2022, 1:52 PM
Can you try with --verbose to make sure the table is actually there? There are some differences in the sanity checks of osqueryd vs. osqueryi.

HarlanF

02/23/2022, 2:12 PM
Put --verbose in the flags file?

alessandrogario

02/23/2022, 2:13 PM
Yes, that will print additional debugging information that could help diagnose the problem.

HarlanF

02/23/2022, 2:52 PM
Okay, so, in order (and skipping things that don't seem relevant):
1. Found autoloadable extension: <the relevant one>
2. Executing watcher
3. Created and monitoring child (13347) for the relevant extension
4. osquery worker initialized
5. Adding new service: extensionwatcher
6. Extension manager service starting
7. Discovery failed ... no such table
8. Registering extension (relevant one)
So I'm theorizing that #8 needs to come before #7. Is there a way to influence that timing?

alessandrogario

02/23/2022, 3:30 PM
You can use --extensions_require=plugin_name
This will cause osquery to wait for the extension to come online during startup.

HarlanF

02/23/2022, 3:37 PM
Thanks so much for the help; trying that, will let you know.
Yeah, seems to have done the trick. By the way, I was trying to read up on the other extensions flags, and couldn't make sense of what they actually did in the documentation. Any ideas about --extensions_interval and --extensions_timeout?

alessandrogario

02/23/2022, 3:48 PM
Extensions are processes that communicate with osquery via Thrift; the --extensions_interval is passed down to extensions when osquery starts them as --interval value, and it's a connectivity check performed client side.
The --extensions_timeout is consumed by osquery itself, and is used to determine how long before a client (extension) is to be considered offline.

HarlanF

02/23/2022, 6:28 PM
Oh, thanks! I'm getting a "Discovery query failed", and looking at the source:
// Run each discovery query; the pack is enabled only if every query
// succeeds AND returns at least one row.
for (const auto& q : discovery_queries_) {
  SQL results(q);
  if (!results.ok()) {
    // Execution error (e.g. the table does not exist yet).
    LOG(WARNING) << "Discovery query failed (" << q
                 << "): " << results.getMessageString();
    discovery_cache_.second = false;
    break;
  }
  if (results.rows().size() == 0) {
    // Query ran fine but matched nothing: pack stays disabled, no warning.
    discovery_cache_.second = false;
    break;
  }
}
return discovery_cache_.second;
Does it seem like "Discovery query failed" is indicating that there was something wrong with the execution, as opposed to "didn't return any results"?
Seems that way to me, and the second if() in the above snippet governs results being nil