Hi osquery team,
I'm encountering an issue with os...
# windowsh
Hussainsab Gurgunni
03/25/2025, 2:40 PMHi osquery team,
I'm encountering an issue with osquery where it is not working as expected. Below are the details of the issue:
Problem Description:
if we run osquery with extension on windows socket it works for few minutes and then we get the error "Extension socket not available: \\.\pipe\osquery.em.7065"
E0322 195053.988317 2444 scheduler.cpp:128] Error executing scheduled query foobar_win: vtable constructor failed: foobar
What i did?
• this is a fresh installation of osquery which i have downloaded from the offficial site https://pkg.osquery.io/windows/osquery-5.16.0.msi
• after successfully installing the osquery i have created simple extension with foobar
• created a new folder named "extention" inside c:\program files\osquery and moved the extension inside this folder then i have followed this document to change the permission https://osquery.readthedocs.io/en/stable/deployment/extensions/
• created a new file called extensions.load in c:\program files\osquery and added the extension path inside this
• in osquery.conf file i have added schedule which will query and get the data for every 60 sec
• then from windows service manager i have started the osqueryd service
• in c:\program files\osquery\logs i was able to see the logs and also the result ("snapshots")
Copy code
{
"schedule": {
"foobar_win": {
"query": "SELECT * FROM foobar;",
"interval": 10,
"snapshot": true
}
}
} Copy code
{
"snapshot": [
{
"baz": "baz",
"foo": "bar"
},
{
"baz": "baz",
"foo": "bar"
}
],
"action": "snapshot",
"name": "foobar_win",
"hostIdentifier": "DESKTOP-CLKS76M",
"calendarTime": "Sat Mar 22 14:09:26 2025 UTC",
"unixTime": 1742652566,
"epoch": 0,
"counter": 0,
"numerics": false
}5 Views