Dan Achin
12/03/2020, 9:10 PM
zwass
osquery_schedule table and look at the denylisted column. Though I do see you say "why they were denied" and I don't have a good answer for that.
Dan Achin
12/03/2020, 11:35 PM
SELECT * FROM osquery_schedule WHERE denylisted='1';
zwass
Dan Achin
12/04/2020, 12:06 AM
zwass
Dan Achin
12/04/2020, 5:56 PM
zwass
Dan Achin
12/04/2020, 6:04 PM
zwass
Dan Achin
12/04/2020, 7:03 PM
zwass
Dan Achin
12/04/2020, 8:52 PM
zwass
Dan Achin
12/14/2020, 5:44 PM
// Since the watchdog cannot use the logger plugin the error message
// should be logged to stderr and to the system log.
Looks like we might not be able to use tls to capture this, but I'm thinking the syslog plugin could be an option, though that's going to increase our Splunk usage a lot.