Any tips for debugging why events tables are not being popul

Question

Any tips for debugging why events tables are not being populated on certain Linux machines For example The `socket events` and `process events` tables are populated on half of our Linux machines running Kolide but not the other It sort of follows Linux distribution boundaries Ubuntu Yes Fedora No Arch Mixed NixOS Mixed One machine has data in `process events` the other doesn t Both seem to only record `systemd timesyncd` bind calls in `socket events` One of the ones where none of the tables are populated is my personal machine so I m happy to investigate Is it possible that the auditd rules installed by osquery could conflict with previously written configurations I did check the output of `sudo journalctl t launcher` but it didn t seem to give any indications

Thomas Stromberg · Answer

I m happy to redirect the question to < C08V7KTJB|general> or through the official support channels I just wasn t sure where to begin slightly smiling face

seph · Answer

Launcher isn t doing anything special here so whatever is up is going to be deeper in osquery We can start here though eventually you might need to land on another channel

seph · Answer

On linux osquery has two different systems for events There s the older auditd framework and the newer bpf one IIRC the bpf one is only used on the tables who s names start with bpf

seph · Answer

I know that auditd is a bit weird I think linux only allows a single consumer of audit data So I remember there s some os level configs if you have multiple things that want that data Might be info at <https osquery readthedocs io en latest deployment process auditing>

seph · Answer

I don t know if the bpf stuff makes more sense We might need to add support for that in K2 not sure