https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
z

zwass

02/01/2021, 6:23 PM
From @aby
We are seeing this random issue on servers having 4.6 version installed being unresponsive after a while from fleet using live queries. 4.5.1 is working fine without any issues. I went on the server and did a restart of the agent and it started back up but then it went back to being non responsive again. Verbose TLS logging on agent side wont show anything since it was restarted.
Does this happen for any live query or is it a specfic query that causes it?
a

aby

02/01/2021, 6:24 PM
Any live query
z

zwass

02/01/2021, 6:25 PM
Can you try running osqueryd with 
--verbose --tls_dump
and then triggering the issue?
👍 1
a

aby

02/01/2021, 6:26 PM
Problem here is that when we do that it basically starts fresh and becomes responsive. I can try leaving it for a while and see if issue re-occurs.
z

zwass

02/01/2021, 6:31 PM
Yeah the best thing to do would be to restart the agent with those flags and then run a live query to try to trigger the issue
t

terracatta

02/01/2021, 6:42 PM
@aby what OS?
a

aby

02/01/2021, 6:43 PM
Copy code
CentOS Linux release 7.9.2009 (Core)
t

terracatta

02/01/2021, 6:44 PM
What is an example Live Query that causes osquery to hang?
a

aby

02/01/2021, 6:46 PM
Basically any query 
SELECT * FROM osquery_info;
& it starts back up after agent restart. I have enabled verbose logging right now and it's working for far. I will keep on monitoring.
t

theopolis

02/02/2021, 3:51 PM
I would like to release 4.6 to the repos. Any confidence that this only effects 4.6?
z

zwass

02/02/2021, 8:24 PM
FWIW I'm unable to reproduce this with osquery 4.6.0 running in a centos 7.9 container. I've run a dozen or so live queries over the course of half an hour and seen no issues. @aby have you been able to reproduce it with the verbose logging?
cc @seph
Powered by