Hi! When i try FIM in osquery in logs i see ```aud...
# general
Hi! When i try FIM in osquery in logs i see
Copy code
auditdnetlink.cpp:647] Failed to set the netlink owner
But, i don't have auditd in my OS. This is my conf
Copy code
"options": {
    "audit_allow_config": "true",
    "audit_allow_fim_events": "true",
    "audit_allow_sockets": "true",
    "audit_fim_show_accesses": "true",
    "enable_file_events": "true",
    "disable_events": "false",
    "audit_persist": "false",
    "disable_audit": "false",
    "audit_allow_process_events": "true",
    "pack_delimiter": "/",
    "config_plugin": "filesystem"
Whai is my error? could anyone help pls?
Could there be anything else using the Audit subsystem? Is osquery running as root?
👍 1
Yes, run as root. How can I see what other programms used Audit subsystem?
Normally it's
using it, but I don't know how to check this exactly. @alessandrogario do you know a way?
Which version of Linux is it?
also not sure if it could be related to SELinux or AppArmor
4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 153952 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
It's possible that the kernel was compiled without Audit? But if it's generic Ubuntu then that's probably not the case
can you try to add --verbose and report here the messages?
ps aux | grep audit
should only show the kernel service
It seems that osquery must've seen the Audit subsystem if it gets to this line https://github.com/osquery/osquery/blob/59500018df6d23e6c00e1def8d4aa34fc92a9d3d/osquery/events/linux/auditdnetlink.cpp#L651 (am I wrong? It would have to have called
I0414 18:51:54.292611  7985 auditdnetlink.cpp:329] Attempting to configure the audit service
I0414 185154.292675 7985 auditdnetlink.cpp:357] Enabling audit rules for the process_events (execve, execveat) table I0414 185154.292701 7985 auditdnetlink.cpp:384] Enabling audit rules for the process_file_events table
i found osqueryd daemon in backgorund, kill it and my osqueryi is worked. Process_file_events is enabled. But, when I change /etc/hosts from FIM modules, I see this error in verbose log
E0414 18:53:11.438526  7970 eventsubscriberplugin.cpp:644] Found 43 invalid events (43 have been successfully erased)
I see records in process_events tables. But process_file_events is empty, why?(((
@alessandrogario @Mike Myers Did you see such type of error?
Personally I've never seen that one but I don't use that table either
🥲 1
I don't know what makes an audit record invalid, but it seems related to retrieving it from the database
Maybe you had an old database, and it held events that could no longer be parsed in the current format?
did it keep doing that?
yes, when i restart osqueryi the number of invalid events is reset to zero
@alessandrogario Do you know why this errror appears?
can you try with a new database? i thought Mike's suggestion was likely the cause
how could i erase my database?
i clear folder osquery.db, then start osqueryi with --disable_database, but i see this error((