Yet:
"options": {
"config_plugin": "filesyst...
# generalq
q_no_a
06/02/2021, 5:10 PMYet:
"options": {
"config_plugin": "filesystem",
"logger_plugin": "filesystem",
"logger_path": "/var/log/osquery",
"disable_logging": "false",
"log_result_events": "true",
"pidfile": "/var/osquery/osquery.pidfile",
"events_expiry": "3600",
"verbose": "false",
"worker_threads": "2",
"enable_monitor": "true",
"disable_events": "false",
"disable_audit": "false",
"audit_allow_config": "true",
"host_identifier": "hakase-labs",
"enable_syslog": "true",
"syslog_pipe_path": "/var/osquery/syslog_pipe",
"force": "true",
"audit_allow_sockets": "true",
"schedule_default_interval": "3600",
"schedule_splay_percent": "10",
"database_path": "/var/osquery/osquery.db",
"utc": "true"
},
s
seph
06/02/2021, 5:16 PM
As your errors say, there are unknown flags.
q
q_no_a
06/02/2021, 5:41 PMcorrect, but those flags aren't unknown.... Even the system documentation mentions using them.
Seems like it is a bug rather than a misconfig?
s
seph
06/02/2021, 5:43 PM
osquery is clearly saying they’re unknown.
Where do you see documentation about them? I would generally consider
osqueryd --helpq
q_no_a
06/02/2021, 5:43 PMLet me find you the docu, one sec
q_no_a
06/02/2021, 5:51 PMSo perhaps it used to be there, but is no longer.https://github.com/kolide/docker-osquery/blob/master/centos7-osquery/osquery.example.conf
q_no_a
06/02/2021, 5:51 PMAnyways, I'll try and remove them to see what happens
s
seph
06/02/2021, 5:52 PM
Yes, probably something very old.
seph
06/02/2021, 5:52 PM
Note that that repo’s last commit is from 2017, it’s probably not a good example of anything.
seph
06/02/2021, 5:53 PM
And coincidentally, since I work for Kolide, I’ll just flag that repo as archived.
seph
06/02/2021, 5:54 PM
osquery’s main documentation is https://osquery.readthedocs.io/
q
q_no_a
06/02/2021, 5:54 PMI'll check it out @seph -- Thank you very much.
q_no_a
06/02/2021, 5:55 PMauditbeat cant do Docker FIM, so osquery is kind of my last ditch effort.
s
seph
06/02/2021, 5:55 PM
Im not really familiar with auditbeat. What are you trying to do?
q
q_no_a
06/02/2021, 6:34 PMMonitor FIM within a Docker container not managed by Kubernetes
q_no_a
06/02/2021, 6:36 PMSo I managed to get file_events to work it seems, but the table is not populating
q_no_a
06/02/2021, 6:36 PMI0602 143324.233469 8265 scheduler.cpp:176] Found results for query: file_events
q_no_a
06/02/2021, 6:36 PM[root@CentOS7_Filebeat_Auditbeat packs]# osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * FROM file_events;
osquery>
q_no_a
06/02/2021, 6:37 PMI've turned selinux to Permissive to rule it out, but can't seem to populate the DB.
Whenever I echo into a given dir that is monitored, the "Found results for query" works... I wonder if its purging as it goes.
s
seph
06/02/2021, 9:00 PM
osqueryi creates an ephemeral database, and works with it. It does not talk to the a running osqueryd (well, unless you’re invoking it with
.connectseph
06/02/2021, 9:00 PM
But stepping back, I don’t know if you want to run osquery inside the docker container, or on the docker server.
seph
06/02/2021, 9:01 PM
And you probably want to start a new set of questions . I suspect most people aren’t reading this thread.
4 Views