Channels
#general
Title
# general
j
Jean M
04/15/2020, 6:29 PMI’ve some decorators configured in osquery, but I’m not seeing the corresponding fields showing in the results log of scheduled packs, is this normal (meaning these decorators are applied somewhere else)? or maybe I’m doing something wrong…
Copy code
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT hardware_serial FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;",
"SELECT hostname FROM system_info LIMIT 1;"
]
},s
seph
04/15/2020, 6:37 PM
Do you intend for those to be of type
loadj
Jean M
04/15/2020, 7:37 PMI’ve not thought much about it yet, but probably I’ll use all the types as in the example, makes more sense in this case I think, like this:
Copy code
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT hardware_serial FROM system_info;"
],
"always": [
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
],
"interval": {
"3600": [
"SELECT hostname FROM system_info LIMIT 1;"
]
}
},s
seph
04/15/2020, 8:15 PM
Huh. reading the docs there I understand
alwaysloadj
Jean M
04/15/2020, 8:42 PMThetype uses a map of interval ‘periods’ as keys, and the set of decorator queries for each value. Each of these intervals MUST be minute-intervals. Anything not divisible by 60 will generate a warning, and will not run.interval
from what I understood, these run at the defined period
s
seph
04/15/2020, 8:43 PM
Yes. That describes the structure of the setting, but not what it does. What does it mean to run an decorator on a schedule. Why wouldn’t you use a scheduled query for that?
j
Jean M
04/15/2020, 10:38 PMFound the problem 😅 a decorator config was left forgotten in tls endpoint and had a syntax error..
18 Views