< Jean M> Hi Each publisher contain a `run ` function that g osquery #general

<@UHWV0MEP8> Hi! Each publisher contain a `run()`...

Stefano Bonicatti

04/15/2020, 1:19 PM

@Jean M Hi! Each publisher contain a

run()

function that gets called periodically and so drives the event collection and publishing logic. Each time that function gets called, it will increase that value you see.

Jean M

04/15/2020, 1:23 PM

OK, I assume if it’s increasing fast it means the corresponding event is being triggered frequently

Jean M

04/15/2020, 1:24 PM

do you know if there’s any table/field information that store lost events information?

Stefano Bonicatti

04/15/2020, 1:30 PM

For the refreshes count, that is always increasing either if you are actually collecting and sending events or not. There's a base delay between calls which is 200ms, to avoid busy loops.

Stefano Bonicatti

04/15/2020, 1:31 PM

Well I should add, if the publisher is enabled and is not being tear down

Jean M

04/15/2020, 1:37 PM

Thanks!

alessandrogario

04/15/2020, 1:54 PM

There is no table that captures data about events that have been lost Speaking about the Audit-based publishers, it is possible to request how many events have been lost, but has not been implemented yet. This value can be manually inspected by running

auditctl status

from the shell

alessandrogario

04/15/2020, 1:55 PM

The effect of a lost event, most of the time, leads to missing records in the re-assembly phase of the full event. This is logged as an error, but is not accessible from a table.

Open in Slack

Previous Next