https://github.com/osquery/osquery logo
Join Slack
Powered by
What is your query config?
# general
o
What is your query config?
m
Copy code
./fleetctl get options
apiVersion: v1
kind: options
spec:
  config:
    decorators:
      load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
      - SELECT version AS osquery_version FROM osquery_info;
    file_paths:
      binaries:
      - /usr/bin/%%
      - /usr/sbin/%%
      - /bin/%%
      - /sbin/%%
      - /usr/local/bin/%%
      - /usr/local/sbin/%%
      configuration:
      - /etc/passwd
      - /etc/shadow
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/rc%/%%
      - /etc/my.cnf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/crontab
      - /etc/cron%/%%
      - /etc/init/%%
      - /etc/rsyslog.conf
    options:
      audit_allow_config: true
      audit_allow_sockets: true
      audit_persist: true
      config_accelerated_refresh: 300
      config_plugin: tls
      config_refresh: 3600
      config_tls_endpoint: /api/v1/osquery/config
      disable_audit: false
      disable_distributed: false
      disable_events: false
      disable_subscribers: user_events
      disable_tables: windows_events
      disable_watchdog: false
      distributed_interval: 10
      distributed_plugin: tls
      distributed_tls_max_attempts: 3
      distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
      distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
      enable_extensions_watchdog: true
      events_expiry: 1
      events_max: 500000
      logger_min_status: 1
      logger_plugin: tls
      logger_snapshot_event_type: true
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      pack_delimiter: /
      schedule_splay_percent: 10
      watchdog_level: 1
  overrides: {}
o
well, 'disable_events' is set to false, so it seems events are enabled.. While the table is disabled, I don't know if that disables the pub-sub internally or just disables the query at the top level. You might want to set it to true and try...Additionally, the event count is 500000 [seems a bit high, although i don't know if that will play role here given that there are no queries on windows_events table]
👍 1
m
Good eye on the events max - not sure why its set so high, will tweak
19 Views
Open in Slack
PreviousNext
Powered by