https://github.com/osquery/osquery logo
Powered by
Title
z

Zach Zeid

09/17/2020, 3:04 PM
should it be included in the rule packs?
t

theopolis

09/17/2020, 8:05 PM
Here is an example query to monitor 
osquery_schedule
https://github.com/osquery/osquery/blob/master/packs/osquery-monitoring.conf#L4
z

Zach Zeid

09/17/2020, 10:52 PM
Thanks! I think I'm misunderstanding how the query works, as just running it with 
osqueryi
doesn't show me much information about other queries. Does it need to be a part of a pack to get that info?
just running this from 
osqueryi
gets 
select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;
+-------------------------------+----------+------------+-------------+-----------+---------------+-----------------+----------------+---------------+
| name                          | interval | executions | output_size | wall_time | avg_user_time | avg_system_time | average_memory | last_executed |
+-------------------------------+----------+------------+-------------+-----------+---------------+-----------------+----------------+---------------+
| installed_homebrew_packages_1 | 14400    | 0          | 0           | 0         |               |                 | 0              | 0             |
t

theopolis

09/18/2020, 2:28 AM
Correct, it would have to be a scheduled query. Since 
osqueryi
and 
osqueryd
do not talk to each other there is no way for the shell to know the current state or statistics of the daemon's schedule.
z

Zach Zeid

09/18/2020, 1:06 PM
I added this query from the example above, but all it does it report information on itself, but not other queries?
I think I understand, it'll only report something after the queries are executed.
5 Views
#generalJoin Slack
Powered by