Schedule a query against the `osquery_schedule` ta...
# generalz
zwass
10/15/2019, 1:37 AM
Schedule a query against the
osquery_schedule👍 1
c
Chris Ray
10/15/2019, 3:11 PMSince all of our queries are running under osqueryd, and I run this query using osqueryi....does that explain why I have all "0" for the "execution" and "last_executed" columns?
z
zwass
10/15/2019, 3:39 PM
Yes
c
Chris Ray
10/15/2019, 5:35 PMThanks @zwass!
Using this method I have discovered that of the ~100 queries we have in 3 custom packs, only one of those packs is getting executed (and of those ~25 or so queries, only 5-6 of them are running).
I have checked the config 'sanity' for each pack using the tools listed here: https://osquery.readthedocs.io/en/stable/deployment/debugging/
Chris Ray
10/15/2019, 5:38 PMIs there upper limit to how many queries can be run? Or have I simply designed a condition that makes queries compete for resources by scheduling them too frequently (600 seconds)?
z
zwass
10/15/2019, 5:41 PM
Can you share your config? Do you have a platform or discovery query set on the pack that is preventing it from executing?
c
Chris Ray
10/15/2019, 6:36 PMNo discovery queries. See attached for the osquery.conf and all active packs.
z
zwass
10/15/2019, 6:38 PM
Which work/don't work?
c
Chris Ray
10/15/2019, 6:42 PMThe majority of them don't appear to be running (see attached)
Chris Ray
10/15/2019, 6:42 PMChris Ray
10/15/2019, 6:42 PMThis is a test enviroment btw
z
zwass
10/15/2019, 6:46 PM
can you tell me which pack is executing and which are not?
c
Chris Ray
10/15/2019, 6:53 PMI can't be certain, but it looks like "SYN_threat_hunting1" and "SYN_threat_hunting2" never execute. Also, the majority of the other "windows_attacks" and "windows_hardening" don't execute, just a few from each of those are found in the logs.
6 Views