Did anyone get osquery executed command s return code as 78

Question

Did anyone get osquery executed command s return code as 78 On one of my machines I am constantly getting the return code as 78 Don t know why It is seen every time I execute a command I tried installing the latest osquery 4 4 0 but still the return code is 78 Coming to the output I am seeing getting the output and after that it freezes for like 2 secs and then exists the process

seph · Answer

You re running this under python right

theopolis · Answer

Can you make an issue on GitHub and give us all the details about what you are doing Can you document it such that I can try to reproduce it myself

Zweasta · Answer

< seph> Even without python I was able to get this issue Just a normal execution with `osqueryi `

Zweasta · Answer

< theopolis> sure I can make an issue on GitHub but the thing is this is not a generic use case to reproduce Any osquery command that was run on `a particular machine` of mine gives the return code as 78 So how should I report this I believe there is something wrong in the environment of my machine maybe something related to some osquery dependencies on my machine

seph · Answer

So you have one machine and it reliable causes osqueryi to exit with that code

seph · Answer

Does it matter what table you query Does the osquery version effect this

theopolis · Answer

What do you mean by command can you paste your terminal output and all use the verbose command line flag

Zweasta · Answer

< seph> Yes there is one single machine that causes this issue It doesn t matter the table that I query osquery version doesn t effect I tried with 4 4 0 and 4 3 0 same issue is occured

Zweasta · Answer

< theopolis> Sure here is the output `$ osqueryi json select from os version verbose` `I0720 00 35 51 247476 49581 init cpp 343 osquery initialized version=4 4 0 ` `I0720 00 35 51 247583 49581 extensions cpp 383 Could not autoload extensions Failed reading etc osquery extensions load` `I0720 00 35 51 247655 49581 init cpp 566 An error occured during extension manager startup Extensions disabled` `I0720 00 35 51 247686 49581 auto constructed tables cpp 96 Removing stale ATC entries` ` ` ` arch x86 64 build codename major 7 minor 8 name CentOS Linux patch 2003 platform rhel platform like rhel version CentOS Linux release 7 8 2003 Core ` ` ` `$ echo $ ` `78`

Zweasta · Answer

There are some queries where the output is not complete it just ends in the middle of printing output suppose if I query the iptables table

theopolis · Answer

Maybe the extension socket is in some unexpected state on that machine Can you set disable extensions and see if it exits 0

Zweasta · Answer

< theopolis> Nope didn t work

theopolis · Answer

I have some other ideas on how to debug but they are more complex I ll get back to you in a few hours when I m at a computer

theopolis · Answer

Ok let s eliminate any configuration problems ``` config plugin=filesystem config path= dev null```

theopolis · Answer

Then database problems ``` disable database```

theopolis · Answer

and to be extra sure extensions are not causing problems ``` extensions socket= dev null```

seph · Answer

Is there anything in the hosts logs `dmesg | tail` may be interesting After the osquery command

Zweasta · Answer

< theopolis> ` config plugin=filesystem config path= dev null` This worked like a charm Now it is working fine Can you help me understand my issue here < seph> Now as it is working fine do you want me to send you the logs

theopolis · Answer

This isn t the root cause but it s a step I ll DM you in a few hours

Zweasta · Answer

< theopolis> What is the root cause for my issue here Even though this particular issue is solved by adding ` config plugin=filesystem config path= dev null` to all the queries I just wanted to get some more info on the root cause

seph · Answer

This sounds like it s going to end up being async Might do better as a ticket Though I don t want to speak for teddy

Zweasta · Answer

< seph> what do you mean by async here