Hey everyone! Quick questions, straight to the poi...
# generals
sk4la
01/12/2021, 9:01 AMHey everyone! Quick questions, straight to the point:
ā¢ Is there a way to export the RocksDB database as a single file?
ā¢ Is it possible to add user-defined fields to the output generated by osquery?
a
alessandrogario
01/12/2021, 11:22 AM
In order to add additional custom fields, you could see if decorators are useful.
Look for "Decorator queries" in the following page: https://osquery.readthedocs.io/en/latest/deployment/configuration/
alessandrogario
01/12/2021, 11:24 AM
RocksDB: it's to be considered as an opaque, internal cache where data is temporarily stored when (mainly) events are being used
alessandrogario
01/12/2021, 11:25 AM
Its state, the data inside, could be subject to change in content and format at any time
alessandrogario
01/12/2021, 11:25 AM
that being said, there is a developer option that is useful for debugging; you can pass it to osqueryd to dump the whole database to screen
alessandrogario
01/12/2021, 11:26 AM
Do note that osquery outputs a stream of data, what you can capture by directly accessing the database is but a small view on what is the bigger picture
s
sk4la
01/12/2021, 11:48 AMThank you for taking the time to answer! Got it for the database, something stills bugs me on the decorator thing though.
I actually tried this feature before, but it does not seem to be taken into account when using the one-off osquery tool
osqueryisk4la
01/12/2021, 11:52 AMMy actual goal is being able to determine the name of the original table from outside of the "osquery context" (e.g. when using an external database that ingested data from osquery). At the moment, I have the impression that all query results are dumped into the log file without knowledge of what query or table produced these results...
I thought about doing this using a separate file for each query (but osquery does not seem to support this use case) and by adding custom fields to each event, but it does not seem to work as I want it to.
d
defensivedepth
01/12/2021, 11:55 AMYou can add arbitrary text like so: https://twitter.com/DefensiveDepth/status/1060571233153155077
šÆ 1
ā 1
s
sk4la
01/12/2021, 4:24 PMThank you @defensivedepth, this is definitely what I was looking for! I just hoped there would be a better support for this out-of-the-box
d
defensivedepth
01/12/2021, 4:31 PM@sk4la Also, different osquery managers will handle this differently - But as you can see from this screenshot #fleet adds a field to the scheduled query log that includes the pack name + query name
z
zwass
01/12/2021, 5:34 PM
IIRC it's actually osquery that adds that field to scheduled query logs, so it should work regardless of manager (if any).
š 2