https://github.com/osquery/osquery logo
Join Slack
Powered by
trying to correlate socket events to process event...
# general
c
trying to correlate socket events to process events, does anybody have a good column for doing corelation based on unique identifier in the following example query?
Copy code
select
	socket_events.remote_port,
	socket_events.remote_address,
	process_events.cmdline,
	process_events.pid
from socket_events
join process_events on process_events.pid = socket_events.pid
s
What problem are you having? I suspect that the issue is not the identifier. but that the event tables are transient. 
select * process_events
won’t return the same data twice. Maybe join against the process table instead?
c
hm, possible, the problem im having is im not sure what uniqe index to use to join them on
pid = repeats, and matching on hostname or host id doesn't solve that issue
s
pid seems correct to me.
c
whats the diff between procs and proc_events again? procs is real time? like running a ps -A and proc events is logged proc actions right?
i tried pid but again, due to pid recycling, it seems to not work
and time doesn't work because a proc could be a live for a long time before it does "socket thing"
or it might not, who knows
s
Yeah. 
processes
is the current processes. 
process_events
is closer to to an event stream. In a CEP system, you’d want windowing functions on the event streams, but I haven’t seen stuff like that for osquery.
c
so, in my case im using Uptycs, it does that
but the issue is that within my window, im lacking a uniqe identifier to join across
s
If you’re churning processes so fast that you’re hitting pid reuse. I suspect you’d do better to subscribe to the events and correlate them serverside/
#C811PUZU4 may have suggestions.
9 Views
Open in Slack
PreviousNext
Powered by