Alejandro 10/19/2020, 4:53 PM
--audit_allow_config=true --audit_persist=true --disable_audit=false --disable_distributed=false --distributed_interval=10 --distributed_plugin=tls --events_expiry=1 --events_max=500000 --logger_min_status=1 --logger_plugin=tls --schedule_splay_percent=10 --disable_watchdog=false --hash_delay=20 --pack_refresh_interval=3600 --table_delay=20 --watchdog_delay=120 --watchdog_level=1 --watchdog_memory_limit=200
theopolis 10/19/2020, 8:44 PM
should have the read/write bytes. You won't know what the rate was at the time of the alert. I also do not know how accurate these will be. For example, do they include stats about the audit netlink pipe?
Alejandro 10/20/2020, 11:50 AM
and now we are not getting any logs out to the tls logger (events column on the
watcher.cpp:360] osqueryd worker (194852) stopping: Memory limits exceeded: 213448000
udev.cpp:90] udev monitor returned invalid device: No buffer space available
table has zero on all rows), and
logs we got into the SIEM did not indicate any of the schedule queries were added into a denylist.
theopolis 10/20/2020, 12:02 PM
Alejandro 10/20/2020, 12:51 PM
theopolis 10/20/2020, 5:23 PM
Alejandro 10/21/2020, 9:05 AM
as 0, only comes when running it from
and is not the case when I run the same command from Kolide. I guess this would be expected?
and that fixed the issue. Might be worth adding this to the documentation, happy to open a PR with this 🙂
systemctl mask --now systemd-journald-audit.socket
nyanshak 10/23/2020, 2:53 PM
theopolis 10/23/2020, 3:11 PM
is regaining control of the netlink socket and not reconfiguring based on
, (3) your disk is then taxed with the verbose amount of information audit writes. I think we should update the documentation to recommend people disable the
service via systemd.
nyanshak 10/23/2020, 3:15 PM
collects logging data from various sources including (from man pages):
audit records, originating from the kernel audit subsystem
should not be running when using osquery's process auditing, as it will conflict with
auditd over access to the audit netlink socket. You should also ensure
osqueryd is not configured to start at boot.
Alejandro 10/26/2020, 11:28 AM
theopolis 10/26/2020, 10:14 PM
Alejandro 10/28/2020, 3:56 PM