hey folks asked about this in < C0FHNQ2N6|windows> but i ll osquery #general

hey folks, asked about this in <#C0FHNQ2N6|windows...

Ted Dorosheff

01/24/2022, 9:04 PM

hey folks, asked about this in #windows but i'll ask here as well. Just updated osquery to 5.2.0 on windows, from 4.8, and my osquery.conf file is failing to parse. Just as a sanity check for myself, i took the FIM config example from the online docs, and modified it very minimally, and even that very basic config failed to parse:

Copy code

{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM ntfs_journal_events;"
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "windows": [
      'C:\Windows\Temp\'
      'C:\Windows\Tasks\'
    ],
    "Users": [
      'C:\Users\%\'
    ],
    "osquery": [
      'C:\Program Files\osquery\'
    ]
  },
  "exclude_paths": {
    "windows": [
      'C:\Windows\Temp\test\'
    ],
    "Users": [
      'C:\Users\teddoro\test\'
    ]
  }
}

✅ 1

terracatta

01/24/2022, 9:21 PM

missing comma after

"query": "SELECT * FROM ntfs_journal_events;"

terracatta

01/24/2022, 9:23 PM

Copy code

{
  "schedule": {
    "file_events": {
      "query": "SELECT * FROM ntfs_journal_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "windows": [
      "C:\\Windows\\Temp\\",
      "C:\\Windows\\Tasks\\"
    ],
    "Users": [
      "C:\\Users\\%\\"
    ],
    "osquery": [
      "C:\\Program Files\\osquery\\"
    ]
  },
  "exclude_paths": {
    "windows": [
      "C:\\Windows\\Temp\\test\\"
    ],
    "Users": [
      "C:Users\\teddoro\\test\\"
    ]
  }
}

terracatta

01/24/2022, 9:23 PM

That's all the problems fixed

terracatta

01/24/2022, 9:24 PM

missing commas, and there is no such thing as single quotes in true strict JSON

terracatta

01/24/2022, 9:24 PM

so you need to switch to double quotes and then escape the slashes

terracatta

01/24/2022, 9:24 PM

I think osquery changed to a mucher stricter JSON parsing standard at some point

terracatta

01/24/2022, 9:24 PM

hope that helps @Ted Dorosheff

Ted Dorosheff

01/24/2022, 9:33 PM

thanks so much!

Ted Dorosheff

01/24/2022, 9:45 PM

@terracatta is it just the backslashes that need escaping (ie for windows file paths) or do forward slashes also need to be escaped (ie linux file paths) ?

terracatta

01/24/2022, 9:46 PM

Just backslashes

Ted Dorosheff

01/24/2022, 9:46 PM

man that explains a lot

Ted Dorosheff

01/24/2022, 9:48 PM

@terracatta potentially last question: what about spaces?

terracatta

01/24/2022, 9:49 PM

Spaces in double quotes are fine

Ted Dorosheff

01/24/2022, 9:49 PM

👍

3 Views

Open in Slack

Previous Next