Hi guys In my organization there is Windows DC s servers wit osquery #general

Hi guys, In my organization there is Windows DC׳s ...

03/02/2021, 8:11 PM

Hi guys, In my organization there is Windows DC׳s servers with a lot of login users (around 50 users). When I tried to ask query from users or logged_in_users table the process was hang until I kill the process. Anyone meet this? An idea for a solution? osquery 4.3.0

Mike Myers

03/02/2021, 10:20 PM

I did put in some speedups to the

users

table since 4.3 on Windows, if that might help

👍 1

03/03/2021, 11:05 AM

Hi @Mike Myers, When I ask Users from my DC Server I got all of the users under this domain. Is this the desired behavior?

Mike Myers

03/03/2021, 4:02 PM

I don't know enough about the desired behavior on domain controllers, but, which table is it that your'e using?

03/03/2021, 4:03 PM

Copy code

select * from users

Mike Myers

03/03/2021, 4:04 PM

ah, ok.

users

picks up users from the registry and the filesystem, and differentiates between local and 'roaming' I think. Maybe there's a way to filter the ouptut.

03/03/2021, 4:04 PM

So I tell you the problem

Mike Myers

03/03/2021, 4:05 PM

maybe the

type

column is relevant for this

03/03/2021, 4:05 PM

When I run this query I have like 32K users on DC - this is include the all org users.

03/03/2021, 4:05 PM

This process hang for long time

03/03/2021, 4:06 PM

even if i add “limit 1” to the query

Mike Myers

03/03/2021, 5:59 PM

yea, that's how it was before. I believe if you try the 4.6 release you won't have that problem anymore

Mike Myers

03/03/2021, 5:59 PM

it was inefficient, before

Open in Slack

Previous Next