Hey everyone Quick questions straight to the point Is there

Question

Hey everyone Quick questions straight to the point Is there a way to export the RocksDB database as a single file Is it possible to add user defined fields to the output generated by osquery

alessandrogario · Answer

In order to add additional custom fields you could see if decorators are useful Look for Decorator queries in the following page <https osquery readthedocs io en latest deployment configuration >

alessandrogario · Answer

RocksDB it s to be considered as an opaque internal cache where data is temporarily stored when mainly events are being used

alessandrogario · Answer

Its state the data inside could be subject to change in content and format at any time

alessandrogario · Answer

that being said there is a developer option that is useful for debugging you can pass it to osqueryd to dump the whole database to screen

alessandrogario · Answer

Do note that osquery outputs a stream of data what you can capture by directly accessing the database is but a small view on what is the bigger picture

sk4la · Answer

Thank you for taking the time to answer Got it for the database something stills bugs me on the decorator thing though I actually tried this feature before but it does not seem to be taken into account when using the one off osquery tool `osqueryi` is there a reason for this Or am I missing something

sk4la · Answer

My actual goal is being able to determine the name of the original table from outside of the osquery context e g when using an external database that ingested data from osquery At the moment I have the impression that all query results are dumped into the log file without knowledge of what query or table produced these results I thought about doing this using a separate file for each query but osquery does not seem to support this use case and by adding custom fields to each event but it does not seem to work as I want it to

defensivedepth · Answer

You can add arbitrary text like so <https twitter com DefensiveDepth status 1060571233153155077>

sk4la · Answer

Thank you < defensivedepth> this is definitely what I was looking for I just hoped there would be a better support for this out of the box

defensivedepth · Answer

< sk4la> Also different osquery managers will handle this differently But as you can see from this screenshot < C01DXJL16D8|fleet> adds a field to the scheduled query log that includes the pack name + query name

zwass · Answer

IIRC it s actually osquery that adds that field to scheduled query logs so it should work regardless of manager if any