Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
c
Cameron Just
07/15/2020, 12:42 AMHi All, Also looking for some help. Trying to get FIM working and have followed the documentation but can't get it to work.
osquery.conf - https://pastebin.com/0rSc8fvw
My guess is the error is here Subscriber disabled via configuration but not sure what I'm missing in the above conf to enable it
[root@primary osquery]# osqueryi "SELECT * FROM file_events;"
I0715 10:41:40.372663 18293 options.cpp:100] Verbose logging enabled by config option
W0715 10:41:40.372741 18293 options.cpp:91] Cannot set unknown or invalid flag: enable_monitor
I0715 10:41:40.507570 18293 smbios_tables.cpp:104] Reading SMBIOS from sysfs DMI node
I0715 10:41:40.508178 18293 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 10:41:40.509068 18293 events.cpp:1122] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0715 10:41:40.509141 18293 events.cpp:1122] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0715 10:41:40.509174 18293 events.cpp:1122] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0715 10:41:40.513377 18293 file_events.cpp:82] Added file event listener to: /etc/**
I0715 10:41:40.513458 18293 file_events.cpp:82] Added file event listener to: /root/.ssh/**
I0715 10:41:40.513478 18293 file_events.cpp:82] Added file event listener to: /home/*/.ssh/**
I0715 10:41:40.513536 18293 file_events.cpp:82] Added file event listener to: /tmp/**
W0715 10:41:40.526444 18293 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:41:40.548197 18293 dispatcher.cpp:77] Adding new service: AuditdNetlinkReader (0x275c6d8) to thread: 140344453695232 (0x26cc720) in process 18293
I0715 10:41:40.548367 18293 dispatcher.cpp:77] Adding new service: AuditdNetlinkParser (0x26a3448) to thread: 140344445302528 (0x26c95c0) in process 18293
I0715 10:41:40.548961 18294 auditdnetlink.cpp:623] Failed to set the netlink owner
W0715 10:41:40.560115 18293 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:41:40.565127 18296 events.cpp:784] Starting event publisher run loop: auditeventpublisher
I0715 10:41:40.565162 18297 events.cpp:784] Starting event publisher run loop: inotify
I0715 10:41:40.565232 18298 events.cpp:784] Starting event publisher run loop: udev
I0715 10:41:40.565570 18293 dispatcher.cpp:148] Thread: 140344499352960 requesting a stop
I0715 10:41:40.565644 18293 dispatcher.cpp:155] Service: 0x275c6d8 has been interrupted
I0715 10:41:40.565670 18293 dispatcher.cpp:155] Service: 0x26a3448 has been interrupted
I0715 10:41:40.565703 18293 dispatcher.cpp:121] Thread: 140344499352960 requesting a join
I0715 10:41:41.548689 18293 dispatcher.cpp:139] Service thread: 0x26c95c0 has joinedz
zwass
07/15/2020, 12:45 AMYou need to use --disable_events=false with osqueryi
c
Cameron Just
07/15/2020, 12:46 AMright so the contents of osquery.conf have no impact?
because it's in there
z
zwass
07/15/2020, 12:49 AMTry setting
--config_pathc
Cameron Just
07/15/2020, 12:52 AMStill the same sadly
[root@primary osquery]# osqueryi --disable_events=false --config_path=/etc/osquery/osquery.conf "SELECT * FROM file_events;"
I0715 10:52:12.450359 31039 options.cpp:100] Verbose logging enabled by config option
W0715 10:52:12.450438 31039 options.cpp:91] Cannot set unknown or invalid flag: enable_monitor
I0715 10:52:12.483848 31039 smbios_tables.cpp:104] Reading SMBIOS from sysfs DMI node
I0715 10:52:12.484429 31039 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
I0715 10:52:12.484817 31039 events.cpp:1122] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0715 10:52:12.484874 31039 events.cpp:1122] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0715 10:52:12.484946 31039 events.cpp:1122] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0715 10:52:12.489053 31039 file_events.cpp:82] Added file event listener to: /etc/**
I0715 10:52:12.489159 31039 file_events.cpp:82] Added file event listener to: /root/.ssh/**
I0715 10:52:12.489202 31039 file_events.cpp:82] Added file event listener to: /home/*/.ssh/**
I0715 10:52:12.489254 31039 file_events.cpp:82] Added file event listener to: /tmp/**
W0715 10:52:12.499797 31039 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:52:12.520748 31039 dispatcher.cpp:77] Adding new service: AuditdNetlinkReader (0x28497d8) to thread: 140124636026624 (0x27b9820) in process 31039
I0715 10:52:12.520918 31039 dispatcher.cpp:77] Adding new service: AuditdNetlinkParser (0x2790548) to thread: 140124627633920 (0x27b66c0) in process 31039
I0715 10:52:12.520982 31040 auditdnetlink.cpp:623] Failed to set the netlink owner
W0715 10:52:12.531678 31039 filesystem.cpp:311] Symlink loop detected possibly involving: /etc/xdg/systemd/user/sockets.target.wants
I0715 10:52:12.536615 31042 events.cpp:784] Starting event publisher run loop: auditeventpublisher
I0715 10:52:12.536659 31043 events.cpp:784] Starting event publisher run loop: inotify
I0715 10:52:12.536759 31044 events.cpp:784] Starting event publisher run loop: udev
I0715 10:52:12.536909 31039 dispatcher.cpp:148] Thread: 140124681684352 requesting a stop
I0715 10:52:12.536986 31039 dispatcher.cpp:155] Service: 0x28497d8 has been interrupted
I0715 10:52:12.537045 31039 dispatcher.cpp:155] Service: 0x2790548 has been interrupted
I0715 10:52:12.537103 31039 dispatcher.cpp:121] Thread: 140124681684352 requesting a join
I0715 10:52:13.521181 31039 dispatcher.cpp:139] Service thread: 0x27b66c0 has joinedz
zwass
07/15/2020, 12:56 AMOh yeah, the problem is that no events are being generated while you are running osqueryi
It's going to use an ephemeral database, so you'll want to do the file modifications you expect to see while it is running
c
Cameron Just
07/15/2020, 1:00 AMThat makes sense.
I've also got that query running in a pack via the daemon so they would hopefully pick it up.
Just this error was throwing me off making me think I'd missed something.
Error registering subscriber: process_file_events: Subscriber disabled via configurationz
zwass
07/15/2020, 1:01 AMYeah that's a different subscriber than
file_eventsosquerydc
Cameron Just
07/15/2020, 1:02 AMgotcha thanks... I'll keep plugging away at it then and ignore those 🙂
🍻 1
t
theopolis
07/15/2020, 4:24 PMWe need to document
process_file_events