Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Ari Weinberg
04/20/2022, 6:25 PMHey all, I'm getting an issue where I'm getting upwards of 50% CPU usage by the osquery daemon on windows domain controllers. running the daemon in verbose, it happens right after the following messages (and hangs there while the CPU spikes):
I0420 11:22:13.001909 6160 eventsubscriberplugin.cpp:492] Found 15 events for subscriber WindowsEventLogPublisher.powershell_events
I0420 11:22:13.533206 6160 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configurationf
fritz
04/20/2022, 7:04 PM@Ari Weinberg what's your query config look like?
I know i've seen machines grind to a halt when querying seemingly innocuous tables (eg.
usersa
Ari Weinberg
04/20/2022, 7:05 PMI had that problem already, and disabled all those queries
f
fritz
04/20/2022, 7:06 PM👍 well at least i wasn't totally off the mark
a
Ari Weinberg
04/20/2022, 7:07 PMHeres the current flags file:
# Configuration
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=60
# Enable watchdog to stop queries that use too much resources
--disable_watchdog=false
--watchdog_level=1
# Live query
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
# Logging
--logger_plugin=tls,filesystem
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
# File carving
--disable_carver=false
--carver_start_endpoint=/api/v1/osquery/carve/begin
--carver_continue_endpoint=/api/v1/osquery/carve/block
--carver_block_size=2000000
# Windows Configuration
#--enable_powershell_events_subscriber
#--enable_windows_events_publisher
#--enable_windows_events_subscriber
#--windows_event_channels=System,Application,Setup,Security
# Disable problamatic table
--disable_tables=chrome_extensions,google_chrome_profiles,mdm,munki_infof
fritz
04/20/2022, 7:08 PMi wonder if you can slowly 50:50 your way through your scheduled query config to see where it is hanging
a
Ari Weinberg
04/20/2022, 7:08 PMits getting the config from fleet:
config:
options:
disable_tables: 'munki_info,google_chrome_profiles,mdm'
pack_delimiter: _
logger_tls_period: 10
distributed_plugin: tls
disable_distributed: false
logger_tls_endpoint: /api/v1/osquery/log
distributed_interval: 10
distributed_tls_max_attempts: 3f
fritz
04/20/2022, 7:09 PMthe other option is run the queries as distributed or via osqueryi one by one and see which are not responding
a
Ari Weinberg
04/20/2022, 7:09 PMBut looking at the daemon in verbose mode, it doesnt look like its happening by a query
f
fritz
04/20/2022, 7:10 PMdo we know that the last message is related to the cause of the hang, or is it the last thing that is working successfully pre-hang
a
Ari Weinberg
04/20/2022, 7:12 PMHere's the full loop that's happening:
I0420 12:09:09.901724 6804 eventsubscriberplugin.cpp:492] Found 15 events for subscriber WindowsEventLogPublisher.powershell_events
I0420 12:09:10.429062 6804 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configuration
I0420 12:10:04.662425 6288 config.cpp:1218] Refreshing configuration state
I0420 12:10:04.662425 6288 tls.cpp:255] TLS/HTTPS POST request to URI: <https://FLEET_URL/api/v1/osquery/config>
W0420 12:10:05.193722 6532 watcher.cpp:391] osqueryd worker (6908) stopping: Maximum sustainable CPU utilization limit exceeded: 57
I0420 12:10:05.224970 6532 watcher.cpp:656] osqueryd watcher (4528) executing worker (6712)
I0420 12:10:05.307375 6104 init.cpp:354] osquery worker initialized [watcher=4528]
I0420 12:10:05.307375 6104 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (00000216390B03F0) to thread: 6152 (000002163908E400) in process 6712
I0420 12:10:05.307375 6104 rocksdb.cpp:132] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0420 12:10:05.635535 6104 dispatcher.cpp:78] Adding new service: ExtensionWatcher (000002163A95DEF0) to thread: 4888 (000002163AE92B40) in process 6712
I0420 12:10:05.635535 6104 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (000002163A94B260) to thread: 5196 (000002163AE92AE0) in process 6712
I0420 12:10:05.635535 6104 auto_constructed_tables.cpp:99] Removing stale ATC entries
I0420 12:10:05.635535 5196 interface.cpp:299] Extension manager service starting: \\.\pipe\osquery.em
I0420 12:10:05.635535 6104 dispatcher.cpp:78] Adding new service: ConfigRefreshRunner (000002163904C7F0) to thread: 6188 (000002163AF02500) in process 6712
I0420 12:10:05.635535 6104 tls.cpp:255] TLS/HTTPS POST request to URI: <https://FLEET_URL/api/v1/osquery/config>
I0420 12:10:10.446698 6104 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0420 12:10:11.479414 6104 eventsubscriberplugin.cpp:492] Found 15 events for subscriber WindowsEventLogPublisher.powershell_events
I0420 12:10:11.932579 6104 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configurationf
fritz
04/20/2022, 7:17 PMi am admittedly out of my depth in terms of the cause here and any suggestions would be blind stabs
a
Ari Weinberg
04/20/2022, 7:20 PM@fritz Really appreciate your help
f
fritz
04/20/2022, 7:21 PMsorry i couldn't be of greater assistance, the folks over in #fleet will no doubt be a good resource though if you are having fleet related trouble
s
Stefano Bonicatti
04/20/2022, 7:21 PMYeah I would maybe check how many events osquery is getting, looking at the
osquery_eventsnormally that's the second possible cause after a query that cases high CPU usage.
Either a lot of events in general, so the publisher has to work a lot, and/or the RocksDB database that has a lot of data to compact, expire and so on.
a
Ari Weinberg
04/20/2022, 7:23 PMI backed up and deleted the .db folder, and that seems to have solved it
🎉 1
Whats the long term solution then to manage the db?
s
Stefano Bonicatti
04/20/2022, 7:24 PMSeeing you have some events active, would be useful to know the interval of your queries on evented tables
normally it's better to have a low interval so that the number of keys in the RocksDB database doesn't grow too much. If they do, then there are more keys to expire when the query runs
a
Ari Weinberg
04/20/2022, 7:25 PMIn other words, you want to know how often im querying
eventss
Stefano Bonicatti
04/20/2022, 7:25 PMyeah
a
Ari Weinberg
04/20/2022, 7:25 PMIm not using the eventing framework...
This is just running on a DC, so there are a lot of logs
s
Stefano Bonicatti
04/20/2022, 7:26 PMoh my bad, I think I was a victim of word wrapping in the slim Slack thread, I see know that they are commented out.
a
Ari Weinberg
04/20/2022, 7:27 PMOh my bad on your bad, those were uncommented untill this morning, when I started troubleshooting
but this still happened for a while after I commented those out (until i just deleted the db this morning)
s
Stefano Bonicatti
04/20/2022, 7:28 PMah so, another thing to be careful about is that if you're not querying the evented tables but still receiving events, those will continuosly accumulate and then at osquery startup the expiration will start
a
Ari Weinberg
04/20/2022, 7:29 PMWhat do you mean by experation?
s
Stefano Bonicatti
04/20/2022, 7:29 PMthat been said, one thing you could check is the content of the db by starting osquery with your backed up db and pass
--database_dumpevents collected by osquery won't stay indefinitely in the database to be queried. There's an expiration that is calculated per table/subscriber and based on the interval of the scheduled queries that are done on them.
also, what version of osquery are you using?
a
Ari Weinberg
04/20/2022, 7:33 PM5.2.1.0
what was
--database_dumps
Stefano Bonicatti
04/20/2022, 7:43 PMWhat osquery was likely working on. If there are a lot of events, then it was likely working on expiring them.
There also can be a lot of logs to be sent via TLS or another method, but normally that's not cause for high cpu usage.
a
Ari Weinberg
04/20/2022, 7:44 PMSo to be clear, keeping the events disabled should solve this in the long term?
Becasue this all seems to come from the windowseventlogpublisher
s
Stefano Bonicatti
04/20/2022, 7:46 PMWell, it depends; it's not said that you can't use events, it depends on the rate of those and if your machine is capable, but most of all I would say the interval of the scheduled queries on those.
a
Ari Weinberg
04/20/2022, 7:47 PMI dont think Im querying those tables at all, but ill check.
s
Stefano Bonicatti
04/20/2022, 7:47 PMIf you're not using them, don't enable them. If you're using them, query the evented table often (less than a minute),
a
Ari Weinberg
04/20/2022, 7:47 PMDo any of the query packs that come with osquery use those tables?
s
Stefano Bonicatti
04/20/2022, 7:49 PMNope
a
Ari Weinberg
04/20/2022, 7:50 PMOkay then im not using them, and im going to disable them.
👍 1
s
Stefano Bonicatti
04/20/2022, 7:50 PMat least not Windows tables. There's one for
hardware_eventsosquery_eventsa
Ari Weinberg
04/20/2022, 7:50 PM@Stefano Bonicatti Thanks so much for your prompt help and insight!