Hi , When I query the process_file_events table in...
# generalh
Himani Amrute
06/16/2021, 6:59 AMHi , When I query the process_file_events table in osquery 4.7 and 4.8 I see the following error displayed E0611 210245.777830 4057 eventsubscriberplugin.cpp:700] Found 9 invalid events (9 have been successfully erased) This was working in osquery 4.6. Anyone know the root cause and is there any workaround?
Himani Amrute
06/16/2021, 7:43 AMOn debugging , found out that the entries are being added to the database properly. When we used the getDatabaseValues API we were able to see the entries , however when we execute a query which calls the genTable implementation we saw that the key used was wrong.
t
theopolis
06/17/2021, 1:38 AM
@alessandrogario any thoughts?
a
alessandrogario
06/17/2021, 12:45 PM
That should only happen when the value from the database is either empty or contains data that can't be deserialized
alessandrogario
06/17/2021, 12:47 PM
Uhm we should add the reason the rows were invalid in the log
h
Himani Amrute
06/22/2021, 8:58 AMAfter adding some logs could find out the following : Value of the key for process_file_events table is - data..0000000015
Value of the key for process_events_table which also uses audit and the same flow is hit -
data.auditeventpublisher.process_events.0000000002
The key is fetched in the following manner in generateRows() function :
auto key = databaseKeyForEventId(context, event_identifier);
Himani Amrute
06/22/2021, 9:24 AMI was able to print the values in the DB in the addBatch function after the rows are added using the getDatabaseValue function and I was able to see the events. Output is below : {"auid":"1000","cwd":"","egid":"1000","eid":"0000000009","euid":"1000","executable":"/usr/bin/vim.basic","fsgid":"1000","fsuid":"1000","gid":"1000","operation":"close","partial":"false","path":"/home/appsadm/EDR/hello1","pid":"19074","ppid":"19021","sgid":"1000","suid":"1000","time":"1624353375","uid":"1000","uptime":"4762944"}
4 Views