Hello. I'm trying to collect user based events, sp...
# general
j
Hello. I'm trying to collect user based events, specifically failed login attempts. My user_events table is empty and I see this when I query the table: "Table user_events is event-based but events are disabled". How do I enable events for this table?
a
--disable_events=false --disable_audit=false --audit_allow_config=true --audit_persist=true --audit_allow_user_events=true --verbose and systemctl disable auditd
j
I have all of that in my flag file. Let me verify that auditd is disabled.
Does it matter what order the flags are in?
a
Flag order is not important
auditd will cause issues if it’s running
--verbose should show what the issue is
j
It is disabled. Adding --verbose.
a
It is also possible that no events are being generated for that table. You can temporarily turn process_events on (--audit_allow_process_events=true) to see if the audit publisher is working correctly
j
Hmm. I already had that as well. I see this error when starting osqueryd: Error registering subscriber: process_file_events: Subscriber disabled via configuration
a
That table is disabled by default, it’s just a warning
and can be safely ignored
j
Ok
Is this what I am looking for? Starting event publisher run loop: auditeventpublisher
a
yes!
Is there no other error printed?
is the process_events table working?
j
I see this: Enabling audit rules for the process_events (execve, execveat) table
No other errors.
a
ok so it seems like the audit publisher is working correctly
can you run a “SELECT * FROM process_events” query?
I haven’t used user_events much, but seem to recall that it should always record logins to the TTY
maybe on SSH too
j
Table process_events is event-based but events are disabled
a
Has the --disable_events=false flag been passed?
j
yes that is in my flag file.
a
Has osquery been restarted?
j
Yes I have restarted after each change.
a
or, it is possible that the flagfile is not being correctly loaded
you can pass the path to it using --flagfile=/path/to/file
(I think the default path is
/etc/osquery/osquery.flags.default
)
j
I'm running this on the command line in two windows. One has osqueryd --flagfile /etc/osquery/osquery.flag and the other is running osqueryi.
a
osqueryi does not communicate with osqueryd
osqueryi is osqueryd running in interactive mode
j
Got that.
a
so if you run
osqueryi --flagfile /etc/osquery/osquery.flag
you should in theory be able to query user_events and process_events
(osqueryd must be closed otherwise it will attempt to steal the audit ownership from osqueryi)
j
Oh man...I think because I didn't fully understand that, I figured it out. I actually didn't have --disable-events=false and now I do and its working.
I guess it just takes going through it line by line.
a
Nice! 😄 if you have any issue we are here to help 🙂
j
Thank-you!!
127 Views