Hey everyone, I've been looking for a few hours, and I can't figure out how to use the

process_events

table - does anyone know where the documentation is?

root@ubuntu:/etc/osquery# cat osquery.flags
--audit_allow_config=true
--audit_allow_sockets
--audit_persist=true
--audit_allow_process_events=true
--disable_audit=false
--events_expiry=1
--events_max=500000
--logger_min_status=1
--logger_plugin=filesystem
--watchdog_memory_limit=350
--watchdog_utilization_limit=130

$ sudo osqueryi --flagfile /etc/osquery/osquery.flags
Using a virtual database. Need help, type '.help'
osquery> select * from process_events;
W0102 16:44:29.887578 30811 virtual_table.cpp:930] Table process_events is event-based but events are disabled
W0102 16:44:29.887630 30811 virtual_table.cpp:937] Please see the table documentation: <https://osquery.io/schema/#process_events>

I don't have auditd enabled, and osquery is running as root.

have you tried

--audit_allow_process_events=true

?

Yeah, that's in the configuration - I think that this configuration file is being read by osquery, but I'm not sure how to tell.

run

select * from osquery_flags;

to see

@João Godinho, @theopolis: do you know if there's an easy way to tell if osquery is configured to record process events?

osquery> select name, value from osquery_flags where name LIKE '%audit%process%';
+---------------------------------+-------+
| name                            | value |
+---------------------------------+-------+
| audit_allow_fork_process_events | false |
| audit_allow_process_events      | true  |
+---------------------------------+-------+
osquery> select * from process_events;
W0102 16:54:41.409562 31005 virtual_table.cpp:930] Table process_events is event-based but events are disabled
W0102 16:54:41.409584 31005 virtual_table.cpp:937] Please see the table documentation: <https://osquery.io/schema/#process_events>

have you tried

select * from osquery_events;

trigger some event on another shell, and checking this table again? if the number of events changes?

Sure, I think the relevant flags are • disable_events, should be false • disable_audit, should be false • audit_allow_process_events, should be true

TIL: there's a

disable_events

flag - I'll change that from

true

to

false

.

shouldn’t that flag be macos only?

no idea, first day trying to use it

that flag is macos and linux. (I forget if it’s windows)

@theopolis, @João Godinho: got it to work after setting

disable_events

to

false

- wasn't aware that the flag existed, thanks for your help everyone!

also check out

select * from osquery_events;

I misread the docs, although it’s not obvious you need it for linux, from this section: https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#linux-process-auditing

there is an

active

column that tells you if the publisher (the internal thing that is sending events to tables) and subscribers (the tables themselves) are working

Looks good to me, thanks!

osquery> select name, publisher, subscriptions, events, active from osquery_events where name like '%process_%events%';
+---------------------+---------------------+---------------+--------+--------+
| name                | publisher           | subscriptions | events | active |
+---------------------+---------------------+---------------+--------+--------+
| process_events      | auditeventpublisher | 1             | 14     | 1      |
| process_file_events | auditeventpublisher | 0             | 0      | 0      |
+---------------------+---------------------+---------------+--------+--------+

@seph that flag is also for windows, IIRC

Then windows needs it. I bet I’m confusing it with

disable_audit

Does anyone know if there's an osquery flag that toggles support for Thrift on/off? I was working on some Python code that retrieves process events via the Thrift API, but I'm not sure why the transport is failing after adding support for events. 🤷

I’d recommend asking new questiosn in new slack threads

Yeah, thought so, thanks.