I ve some decorators configured in osquery but I m not seein

Question

I ve some decorators configured in osquery but I m not seeing the corresponding fields showing in the results log of scheduled packs is this normal meaning these decorators are applied somewhere else or maybe I m doing something wrong

Jean M · Answer

``` decorators load SELECT uuid AS host uuid FROM system info SELECT hardware serial FROM system info SELECT user AS username FROM logged in users ORDER BY time DESC LIMIT 1 SELECT hostname FROM system info LIMIT 1 ```

seph · Answer

Do you intend for those to be of type `load` and not something else <https osquery readthedocs io en stable deployment configuration decorator queries>

Jean M · Answer

I ve not thought much about it yet but probably I ll use all the types as in the example makes more sense in this case I think like this ``` decorators load SELECT uuid AS host uuid FROM system info SELECT hardware serial FROM system info always SELECT user AS username FROM logged in users ORDER BY time DESC LIMIT 1 interval 3600 SELECT hostname FROM system info LIMIT 1 ``` Thanks I ll try with this new configuration

seph · Answer

Huh reading the docs there I understand `always` and `load` but I have no idea what an interval decorator query is

Jean M · Answer

gt The `interval` type uses a map of interval periods as keys and the set of decorator queries for each value Each of these intervals MUST be minute intervals Anything not divisible by 60 will generate a warning and will not run

Jean M · Answer

from what I understood these run at the defined period

seph · Answer

Yes That describes the structure of the setting but not what it does What does it mean to run an decorator on a schedule Why wouldn t you use a scheduled query for that

Jean M · Answer

Found the problem sweat smile a decorator config was left forgotten in tls endpoint and had a syntax error