# general
z
Did anyone get osquery executed command's return code as 78? On one of my machines, I am constantly getting the return code as 78. Don't know why. It is seen every time I execute a command. I tried installing the latest osquery 4.4.0, but still the return code is 78. Coming to the output, I am getting the output and after that, it freezes for like 2 secs and then exits the process.
s
You're running this under python, right?
t
Can you make an issue on GitHub and give us all the details about what you are doing. Can you document it such that I can try to reproduce it myself.
z
@seph Even without python, I was able to get this issue. Just a normal execution with osqueryi.
@theopolis sure, I can make an issue on GitHub, but the thing is, this is not a generic use case to reproduce. Any osquery command that was run on a particular machine of mine gives the return code as 78. So, how should I report this? I believe there is something wrong in the environment of my machine, maybe something related to some osquery dependencies on my machine?
s
So you have one machine, and it reliably causes osqueryi to exit with that code?
Does it matter what table you query? Does the osquery version affect this?
t
What do you mean by "command"? Can you paste your terminal output, and also use the "--verbose" command line flag?
z
@seph Yes, there is one single machine that causes this issue. It doesn't matter which table I query. The osquery version doesn't affect it (I tried with 4.4.0 and 4.3.0; the same issue occurred).
@theopolis Sure, here is the output:
$ osqueryi --json 'select * from os_version' --verbose
I0720 00:35:51.247476 49581 init.cpp:343] osquery initialized [version=4.4.0]
I0720 00:35:51.247583 49581 extensions.cpp:383] Could not autoload extensions: Failed reading: /etc/osquery/extensions.load
I0720 00:35:51.247655 49581 init.cpp:566] An error occured during extension manager startup: Extensions disabled
I0720 00:35:51.247686 49581 auto_constructed_tables.cpp:96] Removing stale ATC entries
[
{"arch":"x86_64","build":"","codename":"","major":"7","minor":"8","name":"CentOS Linux","patch":"2003","platform":"rhel","platform_like":"rhel","version":"CentOS Linux release 7.8.2003 (Core)"}
]
$ echo $?
78
There are some queries where the output is not complete, it just ends in the middle of printing output, (suppose if I query the iptables table).
t
Maybe the extension socket is in some unexpected state on that machine? Can you set --disable_extensions and see if it exits 0?
z
@theopolis Nope, didn't work
t
I have some other ideas on how to debug, but they are more complex. I’ll get back to you in a few hours when I’m at a computer.
Ok, let's eliminate any configuration problems:
--config_plugin=filesystem --config_path=/dev/null
Then database problems:
--disable_database
and to be extra sure extensions are not causing problems:
--extensions_socket=/dev/null
s
Is there anything in the host's logs?
dmesg | tail
may be interesting. (After the osquery command)
z
@theopolis
--config_plugin=filesystem --config_path=/dev/null
This worked like a charm. Now it is working fine. Can you help me understand my issue here? @seph Now, as it is working fine, do you want me to send you the logs?
t
This isn’t the root cause, but it’s a step. I’ll DM you in a few hours.
z
@theopolis What is the root cause for my issue here? Even though this particular issue is solved by adding
--config_plugin=filesystem --config_path=/dev/null
to all the queries, I just wanted to get some more info on the root cause.
s
This sounds like it’s going to end up being async? Might do better as a ticket. Though I don’t want to speak for teddy
z
@seph what do you mean by async here?