https://github.com/osquery/osquery logo
Join Slack
Powered by
Morning all, happy monday. This morning i updated...
# windows
t
Morning all, happy monday. This morning i updated osquery to 5.2.0, and saw that now the events expiration time issue seems to have been fixed:
Copy code
osquery> I0124 07:36:52.546579  8828 eventfactory.cpp:352] The minimum events expiration timeout for ntfs_journal_events has been adjusted: 240
However, after performing my same test to see if i can generate some events in the ntfs_journal_events table, i'm still not getting anything. Once again my testing procedure is: 1. In an admin shell, run 
osqueryi.exe --flagfile=osquery.flags
. The interactive shell starts without issue. 2. run `select * from osquery_events`confirming active subscribers/publishers, including ntfs_journal_events (both the event publisher and subscriber are active) 3. modify file C:\Windows\Temp\test.txt. Modifications include additional text as well as change permissions. 4. repeat step 2 in the same admin shell, observe no change to event count of ntfs_journal_events. I also confirmed this by running 
select * from ntfs_journal_events;
which returned nothing.
Another thing i've noticed since updating to 5.2.0 is that my osquery.conf file is no longer parsing correctly, and i cannot figure out why. Note: normally i'm loading config via TLS plugin, but for testing i also have a local config. The local config follows the same format as that which we have in fleetDM. my config is SUPER barebones on my test machine, and was working without issue when i was running 4.8. FYI this was
Copy code
{
  "options": {
    "host_identifier": "hostname",
    "schedule_splay_percent": 10
  },
  "schedule": {
    "windows": {
      "query": "SELECT * FROM ntfs_journal_events;",
      "interval": 300
    },
    "file_events": {
      "query": "SELECT * FROM file_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "homes": [
      'C:\Users\ted\'
    ]
  },
  "exclude_paths": {
    "homes": [
      'C:\Users\ted\test'
    ]
  }
}
4 Views
Open in Slack
PreviousNext
Powered by