Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Ted Dorosheff
01/24/2022, 9:04 PMhey folks, asked about this in #windows but i'll ask here as well.
Just updated osquery to 5.2.0 on windows, from 4.8, and my osquery.conf file is failing to parse. Just as a sanity check for myself, i took the FIM config example from the online docs, and modified it very minimally, and even that very basic config failed to parse:
{
"schedule": {
"file_events": {
"query": "SELECT * FROM ntfs_journal_events;"
"removed": false,
"interval": 300
}
},
"file_paths": {
"windows": [
'C:\Windows\Temp\'
'C:\Windows\Tasks\'
],
"Users": [
'C:\Users\%\'
],
"osquery": [
'C:\Program Files\osquery\'
]
},
"exclude_paths": {
"windows": [
'C:\Windows\Temp\test\'
],
"Users": [
'C:\Users\teddoro\test\'
]
}
}✅ 1
t
terracatta
01/24/2022, 9:21 PMmissing comma after
"query": "SELECT * FROM ntfs_journal_events;"{
"schedule": {
"file_events": {
"query": "SELECT * FROM ntfs_journal_events;",
"removed": false,
"interval": 300
}
},
"file_paths": {
"windows": [
"C:\\Windows\\Temp\\",
"C:\\Windows\\Tasks\\"
],
"Users": [
"C:\\Users\\%\\"
],
"osquery": [
"C:\\Program Files\\osquery\\"
]
},
"exclude_paths": {
"windows": [
"C:\\Windows\\Temp\\test\\"
],
"Users": [
"C:Users\\teddoro\\test\\"
]
}
}That's all the problems fixed
missing commas, and there is no such thing as single quotes in true strict JSON
so you need to switch to double quotes and then escape the slashes
I think osquery changed to a mucher stricter JSON parsing standard at some point
hope that helps @Ted Dorosheff
t
Ted Dorosheff
01/24/2022, 9:33 PMthanks so much!
@terracatta is it just the backslashes that need escaping (ie for windows file paths) or do forward slashes also need to be escaped (ie linux file paths) ?
t
terracatta
01/24/2022, 9:46 PMJust backslashes
t
Ted Dorosheff
01/24/2022, 9:46 PMman that explains a lot
@terracatta potentially last question: what about spaces?
t
terracatta
01/24/2022, 9:49 PMSpaces in double quotes are fine
t
Ted Dorosheff
01/24/2022, 9:49 PM👍