https://github.com/osquery/osquery logo
#general
Title
# general
z

Zach Zeid

06/04/2020, 1:07 PM
Oh this is exactly what I was looking for thank you!
Is there a way to get the profiling tools without having to build osquery from source?
f

fritz

06/04/2020, 1:32 PM
@Zach Zeid There is always the osqueryi
.timer ON
mode
which will tell you how long a given query took to run
z

Zach Zeid

06/04/2020, 1:33 PM
that's something I use, but I want to double-y make sure queries don't affect cpu/memory before rolling out
z

zwass

06/04/2020, 5:26 PM
IIRC you can point the profiler to an osqueryi binary? Or you can drop the binary where the profiler expects?
z

Zach Zeid

06/04/2020, 5:27 PM
I don't understand? the profiler isn't there when installed through the package manager (yum).
so I'd have to find the profiler binary and drop it on the instance itself?
z

zwass

06/04/2020, 5:31 PM
The profiler is a python script in the osquery repository https://github.com/osquery/osquery/blob/master/tools/analysis/profile.py
z

Zach Zeid

06/04/2020, 5:31 PM
May I ask why it's not a part of the osquery package?
also facepalm I can just get
tools
onto my test instance
z

zwass

06/04/2020, 5:34 PM
Good question... Maybe it should be.
z

Zach Zeid

06/04/2020, 5:40 PM
s

seph

06/04/2020, 5:49 PM
I don’t think that script is polished enough to ship
z

Zach Zeid

06/04/2020, 5:49 PM
That's fair.
s

seph

06/04/2020, 5:52 PM
A snippet from my response on github:
I think there’s also a fundamental issue where the profiler can only guess at likely cpu and memory consumption. Much depends on your fleet specifics. Things like the shard parameter, or create test groups of hosts is going to be a more real-world way to handle this.
z

Zach Zeid

06/04/2020, 5:54 PM
I see, how does
shard
work if it's distributed among 100s of servers, each with a config of
shard: 1
?
z

zwass

06/04/2020, 5:54 PM
~1% of those servers will schedule the query
z

Zach Zeid

06/04/2020, 5:55 PM
Right. if that's in
osquery.conf
how do the servers know they're a part of that 1%?
s

seph

06/04/2020, 5:55 PM
Standard distributed systems trickery. From the docs:
The shard key works by hashing the hostname then taking the quotient 255 of the first byte. This allows us to select a deterministic ‘preview’ for the query, this helps when slow-rolling or testing new queries.
2
z

zwass

06/04/2020, 5:56 PM
IIRC they use a hash of the UUID or something like that. It's looks random but it's a deterministic process.
z

Zach Zeid

06/04/2020, 5:57 PM
I got it, thanks
2 Views