Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
j
Jacob Kitchel
07/15/2021, 10:23 PMWhere's the best place to discuss troubleshooting why an additional pack .conf is not loading for me?
s
Stefano Bonicatti
07/15/2021, 10:29 PMWelcome! Here it's fine, normally we suggest to move the discussion on another channel if it's specific to a platform or maybe some specific feature like bpf or fim.
Have you had the change to check what the logs say starting osquery with the
--verbosej
Jacob Kitchel
07/15/2021, 11:33 PMyeah, restarted osqueryd with --verbose and i have some output that i can share
I0715 17:20:25.228919 3022 init.cpp:357] osquery initialized [version=4.9.0]
I0715 17:20:25.229351 3022 system.cpp:375] Writing osqueryd pid (3022) to /var/run/osqueryd.pidfile
I0715 17:20:25.229488 3022 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0715 17:20:25.229720 3022 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55ede8f91868) to thread: 140492825478912 (0x55ede8f79630) in process 3022
I0715 17:20:25.231575 3023 watcher.cpp:615] osqueryd watcher (3022) executing worker (3024)
I0715 17:20:25.249591 3024 init.cpp:354] osquery worker initialized [watcher=3022]
I0715 17:20:25.249827 3024 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x559fe8f4c598) to thread: 139894756615936 (0x559fe8f4cbd0) in process 3024
I0715 17:20:25.249964 3024 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I0715 17:20:25.350992 3024 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x559fe8fd9658) to thread: 139894215120640 (0x559fe9060a70) in process 3024
I0715 17:20:25.351110 3024 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x559fe8fdbaa8) to thread: 139894223513344 (0x559fe8f64970) in process 3024
I0715 17:20:25.351162 3024 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0715 17:20:25.351182 3123 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I0715 17:20:25.384059 3024 eventfactory.cpp:156] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0715 17:20:25.384328 3024 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0715 17:20:25.384372 3024 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration
I0715 17:20:25.384435 3024 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 17:20:25.384634 3024 events.cpp:36] Skipping subscriber: apparmor_events: Subscriber disabled via configuration
I0715 17:20:25.384781 3024 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
I0715 17:20:25.384855 3024 events.cpp:36] Skipping subscriber: seccomp_events: Seccomp subscriber disabled via configuration
I0715 17:20:25.384888 3024 events.cpp:36] Skipping subscriber: selinux_events: Subscriber disabled via configuration
I0715 17:20:25.384968 3024 events.cpp:36] Skipping subscriber: socket_events: Subscriber disabled via configuration
I0715 17:20:25.385524 3024 main.cpp:104] Not starting the distributed query service: Distributed query service not enabled.
I0715 17:20:25.385572 3124 eventfactory.cpp:390] Starting event publisher run loop: udev
I0715 17:20:25.385628 3024 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x559fe9058ef8) to thread: 139894634559232 (0x559fe8fdebb0) in process 3024
I0715 17:44:24.995820 3125 scheduler.cpp:110] Executing scheduled query system_info: SELECT hostname, cpu_brand, physical_memory FROM system_info;i am not at present using any flags to start it by default, only leveraging that it will look for the default config in /etc/osquery/osquery.conf and (presumably /etc/osquery/osquery.conf.d/ )
a possibly related issue is that osqueryctl config-check throws a ton of RocksDB access errors as [WARN] level of errors, but otherwise seems to be fine
osqueryctl status shows it's running with a pid, so i'm pretty sure that means it's loading /etc/osquery/osquery.conf with no issues
osquery> select * from osquery_packs;
+------+----------+---------+-------+----------------------+----------------------+--------+
| name | platform | version | shard | discovery_cache_hits | discovery_executions | active |
+------+----------+---------+-------+----------------------+----------------------+--------+
| main | | | 0 | 1 | 1 | 1 |
+------+----------+---------+-------+----------------------+----------------------+--------+to me that indicates that it's only grabbing the main/default config
but should it be concerning that no platform or version data populates?
something else which may be presenting challenges is:
Linux DESKTOP-1CHO67D 5.4.72-microsoft-standard-WSL2 #1 SMP Wed Oct 28 23:40:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linuxso, any pointers or places to start would be appreciated
s
Stefano Bonicatti
07/16/2021, 8:25 AMThe platform and the version are properties of the query pack that you can put, if they aren’t set they won’t be shown.
How is the query pack file under the conf.d directory named?
What are its contents?
Normally if osquery sees the file should attempt to load it, and if it’s not valid, it should complain in the logs
but I don’t see errors, so it really seems that somehow it doesn’t find it.
You should just make sure that the file ends with
.confj
Jacob Kitchel
07/16/2021, 2:11 PMtester@DESKTOP-1CHO67D:/mnt/c/Users/jacob$ ls -al /etc/osquery/
total 32
drwxr-xr-x 3 root root 4096 Jul 15 15:18 .
drwxr-xr-x 96 root root 4096 Jul 14 20:44 ..
-rw-r--r-- 1 root root 6381 Jul 12 20:29 osquery.conf
-rw-r--r-- 1 root root 6381 Jul 14 22:37 osquery.conf.bak
-rw-r--r-- 1 root root 64 Jul 14 22:04 osquery.conf.bak.hash
drwxr-xr-x 2 root root 4096 Jul 15 15:18 osquery.conf.d
tester@DESKTOP-1CHO67D:/mnt/c/Users/jacob$ ls -al /etc/osquery/osquery.conf.d/
total 28
drwxr-xr-x 2 root root 4096 Jul 15 15:18 .
drwxr-xr-x 3 root root 4096 Jul 15 15:18 ..
-rw-r--r-- 1 root root 17756 Jul 15 15:18 ossec-rootkit.confthe ossec-rootkit.conf is the stock one from /usr/share/osquery/packs/ossec-rootkit.con
s
Stefano Bonicatti
07/16/2021, 2:28 PMSo you copied that file as is under osquery.conf.d? Because those are query pack files, they are not configuration files. They are a part of the pack configuration. You would reference them as the
pack_name_1the difference is very minimal, in that specific case to be a configuration file it would also need
{
"packs": {
[...] // packs from the ossec-rootkit.conf
}
}j
Jacob Kitchel
07/16/2021, 2:45 PMok, what i think you're saying is:
• for a pack to get loaded, it has to be in the main/default config and have the comment lines removed so that the default config knows to try and load it
then that specific pack line has a file patch from which to load the pack that you want to enable
and yeah, i guess i was reading the pack.conf and thinking "ok, this is a full on conf file so it should 'just load' " but taking a look back at it, it doesn't have all of the structure that the main default conf has
i'll give this a shot, thank you
s
Stefano Bonicatti
07/16/2021, 2:46 PMYou don’t need to have the packs listed in the main config file
j
Jacob Kitchel
07/16/2021, 2:47 PMoh oh oh oh, what you're saying in that code snippet is to wrap the internals of the ossec-rootkit.conf inside of { "packs": {} }
s
Stefano Bonicatti
07/16/2021, 2:48 PMso, lets say this is the main conf file:
{
"packs": {
"pack_name_2": {
"queries": {},
"shard": 10,
"version": "1.7.0",
"platform": "linux"
}
}
}{
"packs": {
"pack_name_3": {
"queries": {},
"shard": 10,
"version": "1.7.0",
"platform": "linux"
}
}
}👍 1
But you don’t need to wrap it necessarily
this example is to clarify the difference from a configuration file that happens to have a pack configured inline in it and a query pack file
but as I was saying you can also reference the query pack file from the configuration
taking the example from the wiki:
{
"packs": {
"pack_name_1": "/path/to/pack.json",
"pack_name_2": {
"queries": {},
"shard": 10,
"version": "1.7.0",
"platform": "linux",
"discovery": [
"SELECT * FROM processes WHERE name = 'osqueryi';"
]
}
}
}pack_name_1So you can specify a query pack inline in a configuration file or its queries on the side and then load the file in the configuration file.
j
Jacob Kitchel
07/16/2021, 2:56 PMok tyvm uncommenting the line in the main osquery.conf (and removing the trailing comma 😄 ) worked and it's now showing as loaded when i query the db directly via osqueryi with a select * from osquery_packs; 👍
🎉 1