Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
slevchenko
12/06/2021, 1:52 PMHi everyone. Did anybody had any issues with syslog\syslog_events tables being empty on Ubuntu 20.04? No matter what I'm doing
syslogsyslog_events/var/osquery/syslog_pipeSELECT name, value FROM osquery_flags WHERE name LIKE '%syslog%';
+---------------------------+--------------------------+
| name | value |
+---------------------------+--------------------------+
| enable_syslog | true |
| logger_syslog_facility | 19 |
| logger_syslog_prepend_cee | false |
| syslog_events_expiry | 2592000 |
| syslog_events_max | 100000 |
| syslog_pipe_path | /var/osquery/syslog_pipe |
| syslog_rate_limit | 100 |
+---------------------------+--------------------------+/var/osquery/syslog_pipesudo cat /var/osquery/syslog_pipe
[sudo] password for test:
"2021-12-06T15:38:48.459938+02:00","test-pc","5","authpriv","sudo:"," test : TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/usr/bin/cat /var/osquery/syslog_pipe"
"2021-12-06T15:38:48.461863+02:00","test-pc","6","authpriv","sudo:"," pam_unix(sudo:session): session opened for user root by (uid=0)"s
seph
12/06/2021, 1:59 PMI’m not totally sure about you’re setup. But I wonder….
Is the syslog config (and socket) in osqueryd, and are you using osqueryi? Because osqueryi doesn’t normally connect to the running osqueryd — instead it creates it’s own state
s
slevchenko
12/06/2021, 2:01 PMYes, config is in osqueryd and I'm using osquueryi and when I'm trying
SELECT * from syslogs
seph
12/06/2021, 2:04 PMIt’s not the same database. Unlike postgres, osqueryi isn’t really a client of osqueryd. It’s a completely separate osquery instance, but based around an interactive shell.
s
slevchenko
12/06/2021, 2:04 PMOh
s
seph
12/06/2021, 2:04 PMIf you want to connect to a running osqueryd, you can either use the distributed queries. or look at the newish
--connects
slevchenko
12/06/2021, 2:05 PMwill it work if I'll point osqueryi to the same config and flag file ?
or if I'll stop osqueryd and then start osqueryi with same flag and config
s
seph
12/06/2021, 2:06 PM“that’s complicated”
1. Maybe. I think you should be able to do something like that, though osqueryi won’t send the logs anywhere. But it can be used for testing stuff.
1. You’d need to stop osqueryd first, as only one thing can manage the syslog pipe.
s
slevchenko
12/06/2021, 2:07 PMI want to consume logs, not produce
I want osquery to filter for certain types of events, like user logins, or ptrace attachment attempts
@seph Thanks now I see how it works and I was finally able to verify result, using
--connect