Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
q
q_no_a
06/02/2021, 5:10 PMYet:
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"log_result_events": "true",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
"verbose": "false",
"worker_threads": "2",
"enable_monitor": "true",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"host_identifier": "hakase-labs",
"enable_syslog": "true",
"syslog_pipe_path": "/var/osquery/syslog_pipe",
"force": "true",
"audit_allow_sockets": "true",
"schedule_default_interval": "3600",
"schedule_splay_percent": "10",
"database_path": "/var/osquery/osquery.db",
"utc": "true"
},
s
seph
06/02/2021, 5:16 PMAs your errors say, there are unknown flags.
q
q_no_a
06/02/2021, 5:41 PMcorrect, but those flags aren't unknown.... Even the system documentation mentions using them.
Seems like it is a bug rather than a misconfig?
s
seph
06/02/2021, 5:43 PMosquery is clearly saying they’re unknown.
Where do you see documentation about them? I would generally consider
osqueryd --helpq
q_no_a
06/02/2021, 5:43 PMLet me find you the docu, one sec
So perhaps it used to be there, but is no longer.https://github.com/kolide/docker-osquery/blob/master/centos7-osquery/osquery.example.conf
Anyways, I'll try and remove them to see what happens
s
seph
06/02/2021, 5:52 PMYes, probably something very old.
Note that that repo’s last commit is from 2017, it’s probably not a good example of anything.
And coincidentally, since I work for Kolide, I’ll just flag that repo as archived.
osquery’s main documentation is https://osquery.readthedocs.io/
q
q_no_a
06/02/2021, 5:54 PMI'll check it out @seph -- Thank you very much.
auditbeat cant do Docker FIM, so osquery is kind of my last ditch effort.
s
seph
06/02/2021, 5:55 PMIm not really familiar with auditbeat. What are you trying to do?
q
q_no_a
06/02/2021, 6:34 PMMonitor FIM within a Docker container not managed by Kubernetes
So I managed to get file_events to work it seems, but the table is not populating
I0602 14:33:24.233469 8265 scheduler.cpp:176] Found results for query: file_events
[root@CentOS7_Filebeat_Auditbeat packs]# osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * FROM file_events;
osquery>
I've turned selinux to Permissive to rule it out, but can't seem to populate the DB.
Whenever I echo into a given dir that is monitored, the "Found results for query" works... I wonder if its purging as it goes.
s
seph
06/02/2021, 9:00 PMosqueryi creates an ephemeral database, and works with it. It does not talk to the a running osqueryd (well, unless you’re invoking it with
.connectBut stepping back, I don’t know if you want to run osquery inside the docker container, or on the docker server.
And you probably want to start a new set of questions . I suspect most people aren’t reading this thread.