#general
q_no_a

06/02/2021, 5:10 PM
Yet:
"options": {
  "config_plugin": "filesystem",
  "logger_plugin": "filesystem",
  "logger_path": "/var/log/osquery",
  "disable_logging": "false",
  "log_result_events": "true",
  "pidfile": "/var/osquery/osquery.pidfile",
  "events_expiry": "3600",
  "verbose": "false",
  "worker_threads": "2",
  "enable_monitor": "true",
  "disable_events": "false",
  "disable_audit": "false",
  "audit_allow_config": "true",
  "host_identifier": "hakase-labs",
  "enable_syslog": "true",
  "syslog_pipe_path": "/var/osquery/syslog_pipe",
  "force": "true",
  "audit_allow_sockets": "true",
  "schedule_default_interval": "3600",
  "schedule_splay_percent": "10",
  "database_path": "/var/osquery/osquery.db",
  "utc": "true"
},
seph

06/02/2021, 5:16 PM
As your errors say, there are unknown flags.
q_no_a

06/02/2021, 5:41 PM
correct, but those flags aren't unknown.... Even the system documentation mentions using them. Seems like it is a bug rather than a misconfig?
seph

06/02/2021, 5:43 PM
osquery is clearly saying they’re unknown. Where do you see documentation about them? I would generally consider osqueryd --help to be authoritative.
q_no_a

06/02/2021, 5:43 PM
Let me find you the docu, one sec
5:51 PM
Anyways, I'll try and remove them to see what happens
seph

06/02/2021, 5:52 PM
Yes, probably something very old.
5:52 PM
Note that that repo’s last commit is from 2017, it’s probably not a good example of anything.
5:53 PM
And coincidentally, since I work for Kolide, I’ll just flag that repo as archived.
5:54 PM
osquery’s main documentation is https://osquery.readthedocs.io/
q_no_a

06/02/2021, 5:54 PM
I'll check it out @seph -- Thank you very much.
5:55 PM
auditbeat can't do Docker FIM, so osquery is kind of my last-ditch effort.
seph

06/02/2021, 5:55 PM
I'm not really familiar with auditbeat. What are you trying to do?
q_no_a

06/02/2021, 6:34 PM
Monitor FIM within a Docker container not managed by Kubernetes
6:36 PM
So I managed to get file_events to work it seems, but the table is not populating
6:36 PM
I0602 14:33:24.233469 8265 scheduler.cpp:176] Found results for query: file_events
6:36 PM
[root@CentOS7_Filebeat_Auditbeat packs]# osqueryi
Using a virtual database. Need help, type '.help'
osquery> select * FROM file_events;
osquery>
6:37 PM
I've turned SELinux to Permissive to rule it out, but can't seem to populate the DB. Whenever I echo into a given dir that is monitored, the "Found results for query" works... I wonder if it's purging as it goes.
seph

06/02/2021, 9:00 PM
osqueryi creates an ephemeral database, and works with it. It does not talk to a running osqueryd (well, unless you’re invoking it with .connect).
9:00 PM
But stepping back, I don’t know if you want to run osquery inside the docker container, or on the docker server.
9:01 PM
And you probably want to start a new set of questions. I suspect most people aren’t reading this thread.