Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
f
Fred Koch
07/29/2021, 7:48 PMDoes anyone here have a working osquery.conf and osquery.flags setup that will allow polylogyx to be queried via fleetdm? Proven steps to get it working would be much appreciated!
I did have polylogyx working locally for the events tables the other day and now cannot even get that working. Stopping the service and using osqueryi reports back nothing for things like win_process_events or win_socket_events for example...
o
OpenPlgx
07/31/2021, 11:46 AMIs the config provided on github not working? You may have to adjust the flags file to point to the fleet dm (with appropriate certificates etc) and it should work
f
Fred Koch
08/02/2021, 7:25 PMNothing around polylogyx seems to work now. I even tried removing it with the cleanup script and also removed osquery and reinstalled from scratch to no avail. I was hoping someone here might have a set of proven steps and configs I can walk through.
c
CptOfEvilMinions
08/02/2021, 8:04 PMBlog post on setting up Windows + Polylogyx + Osquery
https://holdmybeersecurity.com/2020/06/08/poc-using-ksql-to-enrich-zeek-logs-with-osquery-and-sysmon-data/
❤️ 1
o
OpenPlgx
08/03/2021, 9:05 AMHow abt you take thru the steps you did?
Here are the steps that normally work
1. Install osquery
2. copy extension into the osquery folder
3. change the flags file and osquery.config with that is provided in github. (Make sure all the paths in the flags file are looking good)
4. Adjust the flags file for the logger to be tls and point it to your fleet DM (along with certs) but leave the config to be filesystem so that the local copy of osquery.conf comes into play (with queries for tables extended by extension)
5. restart the osquery service
At this point, osquery should load the extension and the config from osquery.conf should be read giving you the results on fleet DM
Alternatively, you could try https://github.com/polylogyx/plgx-esp (equivalent of fleetDM with in-built support for the extension)
f
Fred Koch
08/04/2021, 11:53 AMThank you! Ok so yesterday there was a turn of events. I decided to stop the Docker Desktop and somehow the polylogyx tables started working again?!?! How might that be related? I am going to work on connecting it to fleetdm today. If that doesn't work I will give plgx-esp a shot.
I believe I found the culprit but will update further if anything changes in my findings. Ok so I happen to have --events_expiry set to 0...or I did. That setting apparently prevents the polylogyx _events tables from working. As soon as I set that to the 3600 default it works fine. I was also able to get it connected with fleetdm just fine.
As for the osquery.conf file I was really hoping to manage those settings from fleetdm. Is it possible to convert that polylogyx osquert.conf into something that fleetdm can push out so I can apply configs via tls instead of from the local filesystem?
It is possible the answer might inevitably be to try out plgx-esp instead of fleetdm.
c
CptOfEvilMinions
08/04/2021, 11:51 PM@Fred Koch I would move Fleet specific questions to #fleet. But yes FleetDM can be used to push out settings to agents.