I'm using an overrides key in my yaml config, for ...
# fleett
Ted Dorosheff
02/07/2022, 8:38 PMI'm using an overrides key in my yaml config, for windows clients. On a test windows machine, i'm seeing an error line in the osqueryd --verbose stdout:
Copy code
W0207 12:30:36.535475 6440 options.cpp:101] Cannot set unknown or invalid flag: enable_file_events Copy code
I0207 12:30:47.051750 6440 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0207 12:30:47.113627 6440 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configurationenable_file_events: truez
zwass
02/08/2022, 12:58 AM
Possibly misplaced overrides? Can you paste the config (redacted if necessary)?
t
Ted Dorosheff
02/08/2022, 1:44 AMthis is what i paste into the agent settings yaml editor:
Copy code
config:
options:
disable_events: false
enable_file_events: true
disable_distributed: false
distributed_interval: 60
decorators:
load:
- SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
file_paths:
etc:
- /etc/group
- /etc/passwd
- /etc/shadow
- /etc/services
- /etc/sudoers
- /etc/ld.so.preload
- /etc/ld.so.conf
- /etc/ld.so.conf.d/%%
- /etc/pam.d/%%
- /etc/resolv.conf
- /etc/modules
- /etc/hosts
- /etc/hostname
- /etc/fstab
- /etc/rsyslog.conf
ssh:
- /root/.ssh/%%
- /home/%/.ssh/%%
- /etc/ssh/%%
- /var/lib/sia/keys/
- /var/lib/sia/certs/
logs:
- /var/log/secure
docker:
- /etc/docker/%%
- /etc/default/docker
- /etc/docker/daemon.json
- /usr/bin/containerd
- /usr/sbin/runc
- /etc/sysconfig/docker
- /usr/lib/systemd/system/docker.service
- /usr/lib/systemd/system/docker.socket
osquery:
- /etc/osquery/%%
- /usr/share/osquery/packs/%%
firewalls:
- /etc/sysconfig/iptables
- /home/y/conf/yakl/%%
- /etc/yakl/conf/%%
overrides:
platforms:
windows:
options:
disable_events: false
enable_ntfs_event_publisher: true
enable_powershell_events_subscriber: true
enable_windows_events_publisher: true
enable_windows_events_subscriber: true
disable_distributed: false
distributed_interval: 60
decorators:
load:
- SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
file_paths:
Users:
- C:\\Users\\%\\AppData\\Roaming\\%
- C:\\Users\\%\\AppData\\Local\\%
- C:\\Users\\%\\AppData\\Local\\temp\\%
- C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%
- C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%
- C:\\Users\\%\\Default\\%
Windows:
- C:\\Windows\\%
- C:\\Windows\\Temp\\%
- C:\\Windows\\System32\\Drivers\\%
- C:\\Windows\\SysWOW64\\Drivers\\%
- C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\%
- C:\\Windows\\System32\\GroupPolicy\\User\\Scripts\\%
- C:\\Windows\\System32\\Wbem\\%
- C:\\Windows\\SysWOW64\\Wbem\\%
- C:\\Windows\\System32\\WindowsPowerShell\\%
- C:\\Windows\\SysWOW64\\WindowsPowerShell\\%
- C:\\Windows\\Tasks\\%
- C:\\Windows\\System32\\Tasks\\%
- C:\\Windows\\AppPatch\\Custom\\%
- C:\\Windows\\system32\\DriverStore\\Temp\\%
- C:\\Windows\\system32\\wbem\\Performance\\%
- C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%
- C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%
- C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%
ProgramData:
- C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\%
- C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\%Ted Dorosheff
02/08/2022, 1:46 AMhowever once i click "update settings" , the editor moves things around, puts single quotes in place of double quotes and also adds the little ">" on lines 20, 28, 31, 53 and 60. not sure if any of that matters, but this is what the yaml looks like after i update:
Copy code
config:
options:
disable_events: false
enable_file_events: true
disable_distributed: false
distributed_interval: 60
overrides:
platforms:
windows:
options:
disable_events: false
disable_distributed: false
distributed_interval: 60
enable_ntfs_event_publisher: true
enable_windows_events_publisher: true
enable_windows_events_subscriber: true
enable_powershell_events_subscriber: true
decorators:
load:
- >-
SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
hostname) as hostname FROM system_info;
file_paths:
Users:
- 'C:\\Users\\%\\AppData\\Roaming\\%'
- 'C:\\Users\\%\\AppData\\Local\\%'
- 'C:\\Users\\%\\AppData\\Local\\temp\\%'
- >-
C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\\%
- >-
C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start
Menu\\Programs\\%
- 'C:\\Users\\%\\Default\\%'
Windows:
- 'C:\\Windows\\%'
- 'C:\\Windows\\Temp\\%'
- 'C:\\Windows\\System32\\Drivers\\%'
- 'C:\\Windows\\SysWOW64\\Drivers\\%'
- 'C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\%'
- 'C:\\Windows\\System32\\GroupPolicy\\User\\Scripts\\%'
- 'C:\\Windows\\System32\\Wbem\\%'
- 'C:\\Windows\\SysWOW64\\Wbem\\%'
- 'C:\\Windows\\System32\\WindowsPowerShell\\%'
- 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\%'
- 'C:\\Windows\\Tasks\\%'
- 'C:\\Windows\\System32\\Tasks\\%'
- 'C:\\Windows\\AppPatch\\Custom\\%'
- 'C:\\Windows\\system32\\DriverStore\\Temp\\%'
- 'C:\\Windows\\system32\\wbem\\Performance\\%'
- 'C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%'
- 'C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%'
- >-
C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%
ProgramData:
- 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\%'
- 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\%'
decorators:
load:
- >-
SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
hostname) as hostname FROM system_info;
file_paths:
etc:
- /etc/group
- /etc/passwd
- /etc/shadow
- /etc/services
- /etc/sudoers
- /etc/ld.so.preload
- /etc/ld.so.conf
- /etc/ld.so.conf.d/%%
- /etc/pam.d/%%
- /etc/resolv.conf
- /etc/modules
- /etc/hosts
- /etc/hostname
- /etc/fstab
- /etc/rsyslog.conf
ssh:
- /root/.ssh/%%
- /home/%/.ssh/%%
- /etc/ssh/%%
- /var/lib/sia/keys/
- /var/lib/sia/certs/
logs:
- /var/log/secure
docker:
- /etc/docker/%%
- /etc/default/docker
- /etc/docker/daemon.json
- /usr/bin/containerd
- /usr/sbin/runc
- /etc/sysconfig/docker
- /usr/lib/systemd/system/docker.service
- /usr/lib/systemd/system/docker.socket
osquery:
- /etc/osquery/%%
- /usr/share/osquery/packs/%%
firewalls:
- /etc/sysconfig/iptables
- /home/y/conf/yakl/%%
- /etc/yakl/conf/%%z
zwass
02/08/2022, 1:47 AM
overridesconfig🙌 1
t
Ted Dorosheff
02/08/2022, 1:49 AMahhhh okay
Ted Dorosheff
02/08/2022, 1:51 AMand then everything within overrides follows suit from that indent? So like "platform" is 1 indent from overrides, "windows" would be 1 over from platform, etc etc?
z
zwass
02/08/2022, 1:55 AM
Yes that's right
t
Ted Dorosheff
02/08/2022, 2:06 AM🥇 for you man
Ted Dorosheff
02/08/2022, 2:07 AMthat fixed it
z
zwass
02/08/2022, 2:13 AM
🍻
15 Views