Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
sk4la
01/12/2021, 9:01 AMHey everyone! Quick questions, straight to the point:
ā¢ Is there a way to export the RocksDB database as a single file?
ā¢ Is it possible to add user-defined fields to the output generated by osquery?
a
alessandrogario
01/12/2021, 11:22 AMIn order to add additional custom fields, you could see if decorators are useful.
Look for "Decorator queries" in the following page: https://osquery.readthedocs.io/en/latest/deployment/configuration/
RocksDB: it's to be considered as an opaque, internal cache where data is temporarily stored when (mainly) events are being used
Its state, the data inside, could be subject to change in content and format at any time
that being said, there is a developer option that is useful for debugging; you can pass it to osqueryd to dump the whole database to screen
Do note that osquery outputs a stream of data, what you can capture by directly accessing the database is but a small view on what is the bigger picture
s
sk4la
01/12/2021, 11:48 AMThank you for taking the time to answer! Got it for the database, something stills bugs me on the decorator thing though.
I actually tried this feature before, but it does not seem to be taken into account when using the one-off osquery tool
osqueryiMy actual goal is being able to determine the name of the original table from outside of the "osquery context" (e.g. when using an external database that ingested data from osquery). At the moment, I have the impression that all query results are dumped into the log file without knowledge of what query or table produced these results...
I thought about doing this using a separate file for each query (but osquery does not seem to support this use case) and by adding custom fields to each event, but it does not seem to work as I want it to.
d
defensivedepth
01/12/2021, 11:55 AMYou can add arbitrary text like so: https://twitter.com/DefensiveDepth/status/1060571233153155077
šÆ 1
ā 1
s
sk4la
01/12/2021, 4:24 PMThank you @defensivedepth, this is definitely what I was looking for! I just hoped there would be a better support for this out-of-the-box
d
defensivedepth
01/12/2021, 4:31 PM@sk4la Also, different osquery managers will handle this differently - But as you can see from this screenshot #fleet adds a field to the scheduled query log that includes the pack name + query name
z
zwass
01/12/2021, 5:34 PMIIRC it's actually osquery that adds that field to scheduled query logs, so it should work regardless of manager (if any).
š 2