Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
slevchenko
01/30/2022, 2:55 PMHi everyone. Does anybody know how this message affects osqueryd ? I see couple dozens of such messages right after daemon start:
osqueryd[36060]: I0130 16:44:32.672724 36192 systemstatetracker.cpp:294] Created empty process context for pid 38689. Fields will show up empty
osqueryd[36060]: I0130 16:44:32.673085 36192 systemstatetracker.cpp:294] Created empty process context for pid 38691. Fields will show up emptya
alessandrogario
01/30/2022, 5:09 PMWhen a new process event is handled, it will look for the parent process inside the internal cache.
The internal cache may not have the parent process, this could be due to lost events or discrepancies in the cache. This cache is created on startup and reset once in a while by scanning /proc, and there's a chance for race conditions. It's more common for processes that start/stop in rapid succession, like for example an http server handling connections by forking
s
slevchenko
01/31/2022, 8:14 AMThanks alot