I have several questions about osquery. 1. I found...
# general
c
I have several questions about osquery.
1. I found that the time schema returns the time with timezone=UTC, not the actual system time, in a Windows environment. Is there any method to query the actual time in a Windows environment?
2. If I set logger_plugin=tls and some scheduled queries in osquery.flags, where are the query results stored locally before they are uploaded to the TLS server? And is there any probability that query results are deleted before they are uploaded to the TLS server?
3. How does osquery decide when to reset the RocksDB? Are there any flags that control this?
4. I have opened an issue in osquery-go on GitHub: https://github.com/osquery/osquery-go/issues/93
Please help me clarify these questions. Thanks a lot.
f
Are you looking to get the local time of the device?
s
1. It's the machine's time, but it's reported in UTC.
2. Results would be in the local RocksDB somewhere. They shouldn't be deleted aside from catastrophes.
3. I don't think it ever resets the RocksDB. Not sure what you mean.
4. osquery is a volunteer organization. This means that requests like that would get implemented if someone decides to do it. You're welcome to submit a PR; I don't know if one of the Go developers will.
c
3. The content below is the log of my osqueryd and my osquery.flags. The RocksDB was reset about once per hour. I thought there was something weird. Please help clarify this problem. Thanks.

log:
I0107 06:04:56.367833 18200 tls.cpp:255] TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log {"data":[{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 21:54:56 2022 UTC","unixTime":"1641506096","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"},{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 21:54:56 2022 UTC","unixTime":"1641506096","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"}],"log_type":"status","node_key":"TEST"}
I0107 06:06:13.025902 28024 database.cpp:130] Resetting the database plugin: rocksdb
I0107 06:06:13.030591 28024 rocksdb.cpp:132] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0107 06:14:56.424681 18200 tls.cpp:255] TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log {"data":[{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:04:56 2022 UTC","unixTime":"1641506696","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"},{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:06:13 2022 UTC","unixTime":"1641506773","severity":"0","filename":"database.cpp","line":"130","message":"Resetting the database plugin: rocksdb","version":"5.1.0"},{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:06:13 2022 UTC","unixTime":"1641506773","severity":"0","filename":"rocksdb.cpp","line":"132","message":"Opening RocksDB handle: \\Program Files\\osquery\\osquery.db","version":"5.1.0"}],"log_type":"status","node_key":"TEST"}
I0107 06:24:56.505218 18200 tls.cpp:255] TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log {"data":[{"hostIdentifier":"TEST","calendarTime":"Thu Jan 6 22:14:56 2022 UTC","unixTime":"1641507296","severity":"0","filename":"tls.cpp","line":"255","message":"TLS/HTTPS POST request to URI: https://TEST/tls-logging/api/v1/osquery/log","version":"5.1.0"}],"log_type":"status","node_key":"TEST"}

osquery.flags:
--force=true
--pack_refresh_interval=3600
--verbose=true
--debug=true
--tls_hostname=TEST
--tls_server_certs=C:\Program Files\osquery\TEST-CA.pem
--enroll_always
--enroll_secret_path=C:\Program Files\osquery\secret.txt
--enroll_tls_endpoint=/tls/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/tls/api/v1/osquery/config
--config_refresh=3600
--logger_plugin=tls
--logger_tls_endpoint=/tls-logging/api/v1/osquery/log
--logger_tls_period=60
--logger_snapshot_event_type
--logger_event_type
--host_identifier=specified
--specified_identifier=TEST
--tls_dump=true
--disable_logging=false
s
What do you think that means? I'm not sure, but it looks like it might be a generic startup message about osquery reopening the RocksDB, not something about zeroing it. Have you tested this? Is there a problem you're having, or are you asking what the log messages mean?
c
I have checked the directory of osquery.db. I found that when the "resetting RocksDB" message shows up, the file names under osquery.db change. So I want to confirm: if the RocksDB resets, is there any probability that data is deleted before it is uploaded to the TLS server?
s
I would not assume file names to be at all stable. That's some internal RocksDB packed representation of the data.
c
Okay, got it. Thanks a lot.