Is there any way of logging in the results.log the...
# generalj
Jamie Windley
05/22/2019, 5:00 PMIs there any way of logging in the results.log the name of the table that the logs are from? rather than the arbitrary 'pack_xyz' identifier at the start of each result
z
zwass
05/22/2019, 5:02 PM
Logs could come from multiple tables — typically its best to provide a name for the query in the pack that would help you identify it later
d
defensivedepth
05/22/2019, 5:22 PMYou can also manually tag the log at query time (see screencap), but like @zwass said, it is common for a query to
joinz
zwass
05/22/2019, 8:06 PM
The logs include the "name" of the query as specified in the pack (see https://github.com/facebook/osquery/blob/experimental/packs/hardware-monitoring.conf#L3).
j
Jamie Windley
05/23/2019, 7:38 AMI was hoping for there to be some way of modifying a configuration parameter to include the name of the actual table in the event itself and not reliant on an arbitrary name for the query
Jamie Windley
05/23/2019, 2:23 PMPerhaps as a decorator of some sort?
z
zwass
05/23/2019, 5:29 PM
This functionality doesn’t exist, but it is definitely an interesting idea.
2 Views