Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi!
When i try FIM in osquery in logs i see
```auditdnetlink.cpp:647] Failed to set the netlink owner```
But, i don't have auditd in my OS.
This is my conf
```"options": {
    "audit_allow_config": "true",
    "audit_allow_fim_events": "true",
    "audit_allow_sockets": "true",
    "audit_fim_show_accesses": "true",
    "enable_file_events": "true",
    "disable_events": "false",
    "audit_persist": "false",
    "disable_audit": "false",
    "audit_allow_process_events": "true",
    "pack_delimiter": "/",
    "config_plugin": "filesystem"
  },```
Whai is my error? could anyone help pls?

Could there be anything else using the Audit subsystem? Is osquery running as root?

Yes, run as root. How can I see what other programms used Audit subsystem?

Normally it's `auditd` using it, but I don't know how to check this exactly. <@U6EFFT5FG> do you know a way?

also not sure if it could be related to SELinux or AppArmor

4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

It's possible that the kernel was compiled without Audit? But if it's generic Ubuntu then that's probably not the case

can you try to add --verbose and report here the messages?

also `ps aux | grep audit` should only show the kernel service

It seems that osquery must've seen the Audit subsystem if it gets to this line <https://github.com/osquery/osquery/blob/59500018df6d23e6c00e1def8d4aa34fc92a9d3d/osquery/events/linux/auditdnetlink.cpp#L651>

(am I wrong? It would have to have called `audit_open` successfully)

`I0414 18:51:54.292611  7985 auditdnetlink.cpp:329] Attempting to configure the audit service`
I0414 18:51:54.292675  7985 auditdnetlink.cpp:357] Enabling audit rules for the process_events (execve, execveat) table
I0414 18:51:54.292701  7985 auditdnetlink.cpp:384] Enabling audit rules for the process_file_events table

i found osqueryd daemon in backgorund, kill it and my osqueryi is worked.
Process_file_events is enabled. But, when I change /etc/hosts from FIM modules, I see this error in verbose log
`E0414 18:53:11.438526  7970 eventsubscriberplugin.cpp:644] Found 43 invalid events (43 have been successfully erased)`
I see records in process_events tables. But process_file_events is empty, why?(((

image.png

<@U6EFFT5FG> <@U7DT2E8B0>
Did you see such type of error?

Personally I've never seen that one but I don't use that table either

This line of code is #659 in the latest <https://github.com/osquery/osquery/blob/d07f85c908c4ba6ac80c25d182a2f3f44c2d0206/osquery/events/eventsubscriberplugin.cpp#L659>

I don't know what makes an audit record invalid, but it seems related to retrieving it from the database

Maybe you had an old database, and it held events that could no longer be parsed in the current format?

yes, when i restart osqueryi the number of invalid events is reset to zero

image (8).png

<@U6EFFT5FG> Do you know why this errror appears?

can you try with a new database? i thought Mike's suggestion was likely the cause

i clear folder osquery.db, then start osqueryi with --disable_database, but i see this error((