Are you there < zwass> osquery #general

Title

Alex Woolford

10/15/2019, 12:08 AM

Are you there, @zwass?

zwass

10/15/2019, 12:10 AM

Hello

Alex Woolford

10/15/2019, 12:10 AM

Heya. 😄

Want to Zoom?

zwass

10/15/2019, 12:11 AM

No let's please text chat. Can you answer my questions from stackoverflow?

Alex Woolford

10/15/2019, 12:12 AM

OK. Sure. The data is actually getting to Kafka, just to the wrong topic.

I changed the conf a bit:

{
  "options": {
    "logger_kafka_brokers": "<http://cp01.woolford.io:9092,cp02.woolford.io:9092,cp03.woolford.io:9092|cp01.woolford.io:9092,cp02.woolford.io:9092,cp03.woolford.io:9092>",
    "logger_kafka_topic": "base_topic",
    "logger_kafka_acks": "1"
  },
  "schedule": {
    "process_port": {
      "query": "select u.username, p.pid, p.name, pos.local_address, pos.local_port, pos.remote_address, pos.remote_port from processes p join users u on u.uid = p.uid join process_open_sockets pos on pos.pid=p.pid where pos.remote_port != '0'",
      "interval": 10,
      "snapshot": false,
      "removed": true
    }
  },
  "kafka_topics": {
    "process-port": [
      "schedule-process_port"
    ]
  }
}

So, I can confirm that the Kafka bit works.

And I was getting results when the query was in snapshot mode using the config that’s on Stackoverflow.

I think it’s a bug. @zwass:

https://youtu.be/sPdlBBKgJmY▾

zwass

10/15/2019, 5:03 PM

Can you file a bug on Github please?

Alex Woolford

10/15/2019, 5:20 PM

Will do.

et voila: https://github.com/osquery/osquery/issues/5890

6 Views

#general Join Slack