Hi, I’m trying to use the schedule_epoch flag but ...
# general
b
Hi, I’m trying to use the schedule_epoch flag but it doesn’t work as I expect. First of all, does the value passed by the schedule_epoch flag to osquery represent the time (expressed in seconds) between an epoch and the next one, or is it like an identifier of a specific epoch? Scheduling a differential query with `interval: 10`.
What I would like to achieve:
• A first query to store initial results for the new scheduled query (some rows with `action: "added"`)
• If the query detects some changes every 10 seconds (the field `counter` is increased each time a query is executed in this epoch)
• After 600 seconds (10 minutes) the epoch changes, counter is reset to 0 and a new “first” query to store initial results (the rows with `action: "added"` mentioned before) is executed
s
The schedule epoch is an arbitrary string that is used to reset the counter and diff results.
The first diff results are, inherently, a full set. Subsequent diffs are based off that.
Changing the epoch causes a new set of diffs.
Note that it’s an arbitrary string, not an increment or decrement. Also, the epoch is for the entire device, not a specific query.
I think that’s the behavior of counter: it is incremented when there are results to send, not when the query is executed. (This was a change sometime in 4.x.)
osquery does not have functionality to change the epoch. That’s the responsibility of the TLS server. Note that as it’s host-wide, changing it every 10 minutes may not be desired.
Depending on your needs, another approach is to schedule both snapshot and diff queries. They’re good for different things (but exist apart from each other).
b
Perfect, thank you for your explanation. I confirm your thought: the counter is increased only when there are results to send (I’ve just tried it with osquery 4.8.0).