Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
c
cssmason
01/07/2022, 9:10 AMI have several questions about osquery.
1. I found the schema of time will query the time zone=UTC, not the actual system time in Windows environment. Is there any method to query actual time in Windows environment?
2. If I set the logger_plugin=tls and some schedule query in osquery.flags. Where is the result of query being stored in local before the result is upload tls server? And is there any probability that result of query being delete before uploading to tls server?
3. And how does osquery decide when to reset the rocksdb? Any flags can control?
4. And I have open one issue in osquery-go on github. https://github.com/osquery/osquery-go/issues/93
Please help me to clarify these questions. Thanks a lot.
f
fritz
01/07/2022, 4:20 PMAre you looking to get the local time of the device?
s
seph
01/07/2022, 5:49 PM1. It's the machine's time, but it's reported in UTC
2. results would be in the local rocks db somewhere. They shouldn't be deleted aside from catastrophes.
3. I don't think it ever resets the rocks db. Not sure what you mean.
4. osquery is a volunteer organization. This means that requests like that would get implemented if someone decides to do it. You're welcome to submit a PR, I don't know if one of the go developers will.
c
cssmason
01/10/2022, 4:22 PM3. The below content is the log of my osqueyd and osquey.flags
The rock db was reset about 1 time/hour. I thought there is something weird. Please help to clarify this problem. Thanks.
log:
0107 06:04:56.367833 18200 tls.cpp:255] TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log
{"data":[{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 21:54:56 2022 UTC","unixTime":"1641506096","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"},{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 21:54:56 2022 UTC","unixTime":"1641506096","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"}],"log_type":"status","node_key":"TEST"}
I0107 06:06:13.025902 28024 database.cpp:130] Resetting the database plugin: rocksdb
I0107 06:06:13.030591 28024 rocksdb.cpp:132] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0107 06:14:56.424681 18200 tls.cpp:255] TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log
{"data":[{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:04:56 2022 UTC","unixTime":"1641506696","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"},{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:06:13 2022 UTC","unixTime":"1641506773","severity":"0","filename":"database.cpp","line":"130","message":"Resetting the database plugin: rocksdb","version":"5.1.0"},{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:06:13 2022 UTC","unixTime":"1641506773","severity":"0","filename":"rocksdb.cpp","line":"132","message":"Opening RocksDB handle: \\Program Files\\osquery\\osquery.db","version":"5.1.0"}],"log_type":"status","node_key":"TEST"}
I0107 06:24:56.505218 18200 tls.cpp:255] TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log
{"data":[{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:14:56 2022 UTC","unixTime":"1641507296","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"}],"log_type":"status","node_key":"TEST"}
osquery.flags:
--force=true
--pack_refresh_interval=3600
--verbose=true
--debug=true
--tls_hostname=TEST
--tls_server_certs=C:\Program Files\osquery\TEST-CA.pem
--enroll_always
--enroll_secret_path=C:\Program Files\osquery\secret.txt
--enroll_tls_endpoint=/tls/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/tls/api/v1/osquery/config
--config_refresh=3600
--logger_plugin=tls
--logger_tls_endpoint=/tls-logging/api/v1/osquery/log
--logger_tls_period=60
--logger_snapshot_event_type
--logger_event_type
--host_identifier=specified
--specified_identifier=TEST
--tls_dump=true
--disable_logging=false
s
seph
01/10/2022, 7:08 PMWhat do you think that means? I'm not sure, but it looks like it might be a generic startup message about osquery reopening the rocksdb, not something about zeroing it. Have you tested this? Is there a problem you're having, or are you asking what log message mean?
c
cssmason
01/11/2022, 12:28 AMI have check the directory of osquery.db. I found when the message of resetting rock db show up, the file name under the osquery.db was changed. So I want to confirm if the rock db reset, is there any probability that data is deleted before it upload to TLS server.
s
seph
01/11/2022, 1:40 AMI would not assume file names to be at all stable. That's some internal rocksdb packed representation of the data.
c
cssmason
01/11/2022, 3:39 PMokay, got it. Thanks a lot