<@UF63BUA3A> :smile:
# general
m
@Stefano Bonicatti 😄
As discussed, extracted osqueryd.exe from the .msi installer. Renamed, and then use
sc.exe create jamesbobd binpath= "C:\ProgramData\MyCustomFolder\jamesbobd.exe --flagfile=\"C:\ProgramData\MyCustomFolder\osquery.flags\""
Connects to fleet, enrols, then dies tho, need to work out why that happens
Just dies, doesn't write any logs to fleet (that I can see), doesn't write any logs on the Windows side, just connects to fleet, enrols, dies.
I even removed the logger_plugin=tls and set it as logger_plugin=filesystem and set the path for log files but it doesn't generate any logs, just dies. 😞 😞 😞 😞
If I run it from command line all it says is
```
jamesbobd.exe --flagfile="osquery.flags"
Using a virtual database. Need help, type '.help'
```
and appears to work. I can send queries and get responses, so unsure why it dies as a service?
*queries are only working from the prompt, it refuses to get distributed or answer distributed queries from fleet, it dies as soon as it enrols for fleet purposes, but fleet says it is online still.
s
I think watcher looks for worker process called osquery. This is hardcoded in code unless it was changed recently
m
Oh dang 😞, I thought that there must have been something like that because I tried before and it didn't work
s
Does it work if you disable the watchdog?
(It might not. No idea)
m
@seph heh that would have been a good idea to try, however I want the watchdog anyway to guard the mem usage especially so I think for now I am going to abandon this pursuit.
s
Might be worth trying. Less as a long term answer, more as an experiment.
m
@seph true I will try it once I get my nginx config for fleet sorted
s
The watchdog, as far as checking CPU and memory, is not impacted by the change of name, because since the worker is a fork of the watchdog, it knows its pid, and uses that to filter down the process. One of the problems that there is and that I was referring to during the office hours though, is that we use a pidfile to track the watcher (only, to be fixed to track the worker too) and that is done because we don't want to have two instances of osquery running (for various reasons, mainly the RocksDB database). To identify that the pid corresponds to an osquery process, we use the process name, so if we change that, then we are not able to prevent that anymore. There might be various reasons why a previous osquery instance is still running, beyond actively launching osquery two times, but mainly revolve around bugs/hangs or long running queries and osquery asked to restart, but not acting fast enough, due to the long running query.
There is also other logic that depends on the name, like osquery being launched as a daemon or a shell https://github.com/osquery/osquery/blob/08736648aacaefbdfc90bc2b87acc4414fd6c9ec/osquery/core/init.cpp#L223-L236
For Windows, the service name is expected to be `osqueryd`, because it's registering the function that controls the service status.
m
Can you please explain how to do this on a Mac and also how to extract `osqueryd.exe` from the `.msi` installer (like, did you mean that you installed osqueryd and then went to the `osquery/osqueryd` folder and then renamed it to `sc.exe`?)
I am trying it on Windows and it shows `Error:Incomplete input` and my main issue is the Mac/Linux.
m
@Madhur Jodhwani if you've renamed osqueryd.exe to sc.exe then I reckon you should cease at this point.
m
Did I do something wrong?