I am making a curl request to `

Question

I am making a curl request to `<http portquiz net 1234|portquiz net 1234>` If the osquery db and osquery pid is in ` tmp ` folder I see some inconsistency in the number of record in `socket events` table Sometimes there is only 1 entry and sometimes there are 2 entries for every curl request If I change the path to a permanent location then I see only one entry per curl request

theopolis · Answer

How many tests have you run I d recommend trying 1000 to 10000 times using the permanent location first The Linux audit system that provides the data for this table is not lossless I suspect confounds in the OS and audit vs a bug in the handling of DB and pidfile placement

moulik · Answer

I have run it 3 4 times and the results are inconsistent Let me look into it

moulik · Answer

This is what I was facing on mac system osquery is managed remotely with config plugin as tls There is a query for table `socket events` named `mac sockets query` Everytime this query is changed I am getting an extra events in socket events table It started with 1 and then increased to 6 events per curl request Attached csv has data for two curl requests and 1st time count was 5 and second time it was 6

moulik · Answer

I tried with osquery 4 3 0