Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
slevchenko
01/30/2022, 2:55 PMHi everyone. Does anybody know how this message affects osqueryd ? I see couple dozens of such messages right after daemon start:
osqueryd[36060]: I0130 16:44:32.672724 36192 systemstatetracker.cpp:294] Created empty process context for pid 38689. Fields will show up empty
osqueryd[36060]: I0130 16:44:32.673085 36192 systemstatetracker.cpp:294] Created empty process context for pid 38691. Fields will show up emptya
alessandrogario
01/30/2022, 5:09 PMWhen a new process event is handled, it will look for the parent process inside the internal cache.
The internal cache may not have the parent process, this could be due to lost events or discrepancies in the cache. This cache is created on startup and reset once in a while by scanning /proc, and there's a chance for race conditions. It's more common for processes that start/stop in rapid succession, like for example an http server handling connections by forking
s
slevchenko
01/31/2022, 8:14 AMThanks alot