There s any performance issue un 4 5 1 I m running queries o

Question

There s any performance issue un 4 5 1 I m running queries on kolide on 4 5 1 hosts and they are not returning nothing until i restart the service on each hosts Even an osquery info Query is taking forever and not returning nothing

seph · Answer

I don t think I ve seen or heard about any issues with 4 5 1 or 4 5 0 Do you have more information How did 4 5 1 get installed If there s any of Kolide s update mechanism here this may belong on < C1XCLA5DZ|kolide>

Esteban · Answer

Via kolide launcher with autoupdate enabled

Esteban · Answer

It seems that after running a Query on windows eventlog table without where channel the subsequent queries starts to fail or take too long

alessandrogario · Answer

Hello Esteban Could you please share us the query you are using cc < Akshay Kumar>

seph · Answer

Are you using Kolide s update servers or your own I only pushed 4 5 1 to stable 3 hours ago

seph · Answer

And to clarify a bit here the nodes update Are running 4 5 1 and then a query to the eventlog table renders them unresponsive

seph · Answer

That table is new to 4 5 0 isn t it

alessandrogario · Answer

I suspect that the table doesn t play well without a WHERE clause It will pull in too much data causing the watcher to kill osquery

alessandrogario · Answer

Regardless I think the table should reject queries without a `WHERE channel = ` clause and also set a configurable limit of events that can be read from the event source

seph · Answer

Yeah that s a good guess

seph · Answer

Pretty sure I called out something like that in the PR It s one of those boil the ocean sorts of things

Esteban · Answer

I m only running select from windows eventlog After that i run any other Query like select from osquery info and everything stops working

Esteban · Answer

I m using Kolide servers i ve setup up an installer with kolide launcher and package builder with update channel on stable The thing i noticed is that i ve configure the osquery version to 4 5 0 and update channel to stable and when the package finishes installing it autoupdates to 4 5 1

seph · Answer

I think the Kolide part isn t a factor here But yes if you point launcher s autoupdate at our servers you will get what we release as stable Doesn t matter what you build the package with It will downgrade or upgrade as needed

seph · Answer

I suspect `select from windows eventlog` is the issue That attempts to read most events into ram and likely cause issues Though I thought it had a required `channel` and `xpath` Though it s a bit weird and complicated

seph · Answer

I m not sure if it got documented well You could take a look at the discussion and code in <https github com osquery osquery pull 6563> where it merged

seph · Answer

There may well be a bug in that table

Esteban · Answer

I ve just tested it with `WHERE` clause and it crashes i usually do that way and works fine but i ve never tested it with `xpath`

Esteban · Answer

Maybe quering by channel and event id

Esteban · Answer

Ok filtering by channel and eventid also kills osquery on the host apparently It s a Windows host so i don t know a proper way to debug it

Esteban · Answer

Limiting by 3 or 5 works also

seph · Answer

Hrm You said you don t have access to a machine to debug this locally

seph · Answer

I m breaking out some test cases

Esteban · Answer

No i have access indeed i don t know how to debug the service on the Windows machine

seph · Answer

What happens if you run osquery on the command line

seph · Answer

Testing in my environment I cannot replicate this If I run `select from windows eventlog` I get back an error My device is not hung

seph · Answer

Though if I query for `select from windows eventlog where channel = Security ` it s taking a long time to return these results

seph · Answer

I suspect this is not an osquery bug There may or may not be a bug somewhere in the kolide stack r this might be expected behavior around a table with this many rows Not sure yet

seph · Answer

Might be a launcher bug in how this stuff is marshalled and send over the wire Feel free to open a bug in the launcher repo though I don t know if I can prioritize it

Esteban · Answer

Yes yesterday it happened the same to me I Will try it on the host s cli is any way to Open a CLI for hosts installed with package builder Or you talking about fleetctl CLI

seph · Answer

Neither Running osquery from powershell is sometimes a good way to debug

Esteban · Answer

Understood

Esteban · Answer

The Query without Where clause it s returning something for You

Akshay Kumar · Answer

The `windows eventlog` query without WHERE clause should return error log It requires a channel or xpath to query the events Also if you are querying the events without other constraints it may take longer time depending on the number of events in the `security` or `Application` channel

Esteban · Answer

Querying with WHERE clause also hangs up subsequent queries also the Query takes too long to return something

seph · Answer

I think I replicated what you re seeing My guess is there s something weird in launcher about marshalling that much data As said feel free to open an issue in the launcher repo though I don t know if I can prioritize it

seph · Answer

Actually I ll open one

seph · Answer

Akshay Kumar · Answer

The Query with WHERE clause may take time because of large number of events log in a specific channel I am planning to add a `max windows eventlog events` flag with the query as suggested by < alessandrogario> This will reduce the query time

seph · Answer

I don t think it s query time I think it s data returned

Akshay Kumar · Answer

Is it the size of data or some specific event data is causing the problem

Esteban · Answer

For example querying with limit 3 or 5 works fine