https://github.com/osquery/osquery logo
Powered by
Title
j

Jean M

04/20/2021, 5:37 PM
Hi, I’ve some decorators configured (remote tls config), however, scheduled queries are not sending all expected decorators, the config is: 
spec:
  config:
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info
        - SELECT hardware_serial FROM system_info LIMIT 1
      always:
        - >-
          SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY
          time DESC LIMIT 1
      interval:
        '3600':
          - SELECT hostname FROM system_info LIMIT 1
...
I’ve also restarted osqueryd, and tried to remove the DB before restarting, is there anything I can do to know which decorators it is considering or the cause of the issue? I may add that it is working for two other hosts and they are using the same configuration 🤔 It is only including the `hostIdentifier`in the scheduled query results (I guess it’s the default?) thanks!
s

seph

04/20/2021, 8:55 PM
I’d try testing them one at a time, and seeing if anything works or fails.
I also can’t remember it the interval stuff needs to be a number or if the string form is okay. I remember it’s a bit weird
j

Jean M

04/22/2021, 5:02 PM
OK, after a couple hours debugging.. I noticed that the hosts working OK were just Linux, could not find anything suspicious in the logs, however I suspected that the remaining configuration which has OS specific ATC definitions could be broken.. removing all this section from the config it started working.
It seems that if there’s some problem in the OS specific ATC tables (or in the config in general?) osquery will silently fail to load remote config : /
After more debugging, it seems to be a bug in fleetdm and not a problem in osquery (https://github.com/fleetdm/fleet/issues/677).
s

seph

04/23/2021, 1:16 PM
Glad you found it
5 Views
#generalJoin Slack
Powered by