Title
#general
Jeff Singleton

Jeff Singleton

04/07/2020, 3:13 PM
Hello. I'm trying to collect user based events, specifically failed login attempts. My user_events table is empty and I see this when I query the table: "Table user_events is event-based but events are disabled". How do I enable events for this table?
a

alessandrogario

04/07/2020, 3:19 PM
--disable_events=false --disable_audit=false --audit_allow_config=true --audit_persist=true --audit_allow_user_events=true --verbose and systemctl disable auditd
Jeff Singleton

Jeff Singleton

04/07/2020, 3:24 PM
I have all of that in my flag file. Let me verify that auditd is disabled.
3:26 PM
Does it matter what order the flags are in?
a

alessandrogario

04/07/2020, 3:27 PM
Flag order is not important
3:27 PM
auditd will cause issues if it’s running
3:27 PM
--verbose should show what the issue is
Jeff Singleton

Jeff Singleton

04/07/2020, 3:28 PM
It is disabled. Adding --verbose.
a

alessandrogario

04/07/2020, 3:29 PM
It is also possible that no events are being generated for that table. You can temporarily turn process_events on (--audit_allow_process_events=true) to see if the audit publisher is working correctly
Jeff Singleton

Jeff Singleton

04/07/2020, 3:34 PM
Hmm. I already had that as well. I see this error when starting osqueryd: Error registering subscriber: process_file_events: Subscriber disabled via configuration
a

alessandrogario

04/07/2020, 3:35 PM
That table is disabled by default, it’s just a warning
3:35 PM
and can be safely ignored
Jeff Singleton

Jeff Singleton

04/07/2020, 3:35 PM
Ok
3:36 PM
Is this what I am looking for? Starting event publisher run loop: auditeventpublisher
a

alessandrogario

04/07/2020, 3:36 PM
yes!
3:36 PM
Is there no other error printed?
3:36 PM
is the process_events table working?
Jeff Singleton

Jeff Singleton

04/07/2020, 3:38 PM
I see this: Enabling audit rules for the process_events (execve, execveat) table
3:39 PM
No other errors.
a

alessandrogario

04/07/2020, 3:39 PM
ok so it seems like the audit publisher is working correctly
3:39 PM
can you run a “SELECT * FROM process_events” query?
3:40 PM
I haven’t used user_events much, but seem to recall that it should always record logins to the TTY
3:40 PM
maybe on SSH too
Jeff Singleton

Jeff Singleton

04/07/2020, 3:41 PM
Table process_events is event-based but events are disabled
a

alessandrogario

04/07/2020, 3:42 PM
Has the --disable_events=false flag been passed?
Jeff Singleton

Jeff Singleton

04/07/2020, 3:42 PM
yes that is in my flag file.
a

alessandrogario

04/07/2020, 3:42 PM
Has osquery been restarted?
Jeff Singleton

Jeff Singleton

04/07/2020, 3:43 PM
Yes I have restarted after each change.
a

alessandrogario

04/07/2020, 3:43 PM
or, it is possible that the flagfile is not being correctly loaded
3:43 PM
you can pass the path to it using --flagfile=/path/to/file
3:44 PM
(I think the default path is
/etc/osquery/osquery.flags.default
)
Jeff Singleton

Jeff Singleton

04/07/2020, 3:47 PM
I'm running this on the command line in two windows. One has osqueryd --flagfile /etc/osquery/osquery.flag and the other is running osqueryi.
a

alessandrogario

04/07/2020, 3:47 PM
osqueryi does not communicate with osqueryd
3:48 PM
osqueryi is osqueryd running in interactive mode
Jeff Singleton

Jeff Singleton

04/07/2020, 3:49 PM
Got that.
a

alessandrogario

04/07/2020, 3:49 PM
so if you run
osqueryi --flagfile /etc/osquery/osquery.flag
you should in theory be able to query user_events and process_events
3:50 PM
(osqueryd must be closed otherwise it will attempt to steal the audit ownership from osqueryi)
Jeff Singleton

Jeff Singleton

04/07/2020, 3:55 PM
Oh man...I think because I didn't fully understand that, I figured it out. I actually didn't have --disable-events=false and now I do and its working.
3:56 PM
I guess it just takes going through it line by line.
a

alessandrogario

04/07/2020, 3:56 PM
Nice! 😄 if you have any issue we are here to help 🙂
Jeff Singleton

Jeff Singleton

04/07/2020, 3:57 PM
Thank-you!!