#general

Ted Dorosheff

01/24/2022, 9:04 PM
hey folks, asked about this in #windows but i'll ask here as well. Just updated osquery to 5.2.0 on windows, from 4.8, and my osquery.conf file is failing to parse. Just as a sanity check for myself, i took the FIM config example from the online docs, and modified it very minimally, and even that very basic config failed to parse:
{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM ntfs_journal_events;"
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "windows": [
      'C:\Windows\Temp\'
      'C:\Windows\Tasks\'
    ],
    "Users": [
      'C:\Users\%\'
    ],
    "osquery": [
      'C:\Program Files\osquery\'
    ]
  },
  "exclude_paths": {
    "windows": [
      'C:\Windows\Temp\test\'
    ],
    "Users": [
      'C:\Users\teddoro\test\'
    ]
  }
}

terracatta

01/24/2022, 9:21 PM
missing comma after
"query": "SELECT * FROM ntfs_journal_events;"
{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM ntfs_journal_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "windows": [
      "C:\\Windows\\Temp\\",
      "C:\\Windows\\Tasks\\"
    ],
    "Users": [
      "C:\\Users\\%\\"
    ],
    "osquery": [
      "C:\\Program Files\\osquery\\"
    ]
  },
  "exclude_paths": {
    "windows": [
      "C:\\Windows\\Temp\\test\\"
    ],
    "Users": [
      "C:\\Users\\teddoro\\test\\"
    ]
  }
}
That's all the problems fixed
missing commas, and there is no such thing as single quotes in true strict JSON
so you need to switch to double quotes and then escape the slashes
I think osquery changed to a much stricter JSON parsing standard at some point
hope that helps @Ted Dorosheff

Ted Dorosheff

01/24/2022, 9:33 PM
thanks so much!
@terracatta is it just the backslashes that need escaping (ie for windows file paths) or do forward slashes also need to be escaped (ie linux file paths) ?

terracatta

01/24/2022, 9:46 PM
Just backslashes

Ted Dorosheff

01/24/2022, 9:46 PM
man that explains a lot
@terracatta potentially last question: what about spaces?

terracatta

01/24/2022, 9:49 PM
Spaces in double quotes are fine

Ted Dorosheff

01/24/2022, 9:49 PM
👍