hey folks, asked about this in <#C0FHNQ2N6|> but i...
# generalt
Ted Dorosheff
01/24/2022, 9:04 PMhey folks, asked about this in #C0FHNQ2N6 but i'll ask here as well.
Just updated osquery to 5.2.0 on windows, from 4.8, and my osquery.conf file is failing to parse. Just as a sanity check for myself, i took the FIM config example from the online docs, and modified it very minimally, and even that very basic config failed to parse:
Copy code
{
"schedule": {
"file_events": {
"query": "SELECT * FROM ntfs_journal_events;"
"removed": false,
"interval": 300
}
},
"file_paths": {
"windows": [
'C:\Windows\Temp\'
'C:\Windows\Tasks\'
],
"Users": [
'C:\Users\%\'
],
"osquery": [
'C:\Program Files\osquery\'
]
},
"exclude_paths": {
"windows": [
'C:\Windows\Temp\test\'
],
"Users": [
'C:\Users\teddoro\test\'
]
}
}✅ 1
t
terracatta
01/24/2022, 9:21 PM
missing comma after
"query": "SELECT * FROM ntfs_journal_events;"terracatta
01/24/2022, 9:23 PM
Copy code
{
"schedule": {
"file_events": {
"query": "SELECT * FROM ntfs_journal_events;",
"removed": false,
"interval": 300
}
},
"file_paths": {
"windows": [
"C:\\Windows\\Temp\\",
"C:\\Windows\\Tasks\\"
],
"Users": [
"C:\\Users\\%\\"
],
"osquery": [
"C:\\Program Files\\osquery\\"
]
},
"exclude_paths": {
"windows": [
"C:\\Windows\\Temp\\test\\"
],
"Users": [
"C:Users\\teddoro\\test\\"
]
}
}terracatta
01/24/2022, 9:23 PM
That's all the problems fixed
terracatta
01/24/2022, 9:24 PM
missing commas, and there is no such thing as single quotes in true strict JSON
terracatta
01/24/2022, 9:24 PM
so you need to switch to double quotes and then escape the slashes
terracatta
01/24/2022, 9:24 PM
I think osquery changed to a mucher stricter JSON parsing standard at some point
terracatta
01/24/2022, 9:24 PM
hope that helps @Ted Dorosheff
t
Ted Dorosheff
01/24/2022, 9:33 PMthanks so much!
Ted Dorosheff
01/24/2022, 9:45 PM@terracatta is it just the backslashes that need escaping (ie for windows file paths) or do forward slashes also need to be escaped (ie linux file paths) ?
t
terracatta
01/24/2022, 9:46 PM
Just backslashes
t
Ted Dorosheff
01/24/2022, 9:46 PMman that explains a lot
Ted Dorosheff
01/24/2022, 9:48 PM@terracatta potentially last question: what about spaces?
t
terracatta
01/24/2022, 9:49 PM
Spaces in double quotes are fine
t
Ted Dorosheff
01/24/2022, 9:49 PM👍
5 Views