npamnani
01/29/2019, 5:10 AM
钢铁侠
01/29/2019, 5:17 AM
I think that's why osqueryd can't expire these old logs: it just can't find the data log without the records log. osquery removes the
records.auditeventpublisher.user_events
but not the data.auditeventpublisher.user_events
npamnani
01/29/2019, 5:45 AM
钢铁侠
01/29/2019, 6:38 AM
ldb --db=<path to db> scan --column_family="events"
It returns nothing.
npamnani
01/29/2019, 6:51 AM
钢铁侠
01/29/2019, 6:54 AM
--column_family="queries"
has results.
$ ./sst_dump --file=/tmp/osquery.db/000021.sst --command=scan | grep record.auditeventpublisher.process_events
$ ./sst_dump --file=/tmp/osquery.db/000021.sst --command=scan | grep data.auditeventpublisher.process_events | wc -l
4844
record.auditeventpublisher.process_events, but it has 4844 of grep data.auditeventpublisher.process_events; this is the 000021.sst, which is the oldest sst file.
npamnani
01/29/2019, 8:08 AM
钢铁侠
01/29/2019, 8:11 AM
-rw-r--r--. 1 user user 2136467 Jan 29 01:05 008594.sst
-rw-r--r--. 1 user user 2138352 Jan 29 01:05 008595.sst
-rw-r--r--. 1 user user 2139375 Jan 29 01:05 008596.sst
-rw-r--r--. 1 user user 2136993 Jan 29 01:05 008597.sst
-rw-r--r--. 1 user user 3278 Jan 29 01:12 008676.sst
-rw-r--r--. 1 user user 2140182 Jan 29 01:33 008923.sst
-rw-r--r--. 1 user user 2137903 Jan 29 02:05 009248.sst
-rw-r--r--. 1 user user 2139931 Jan 29 02:05 009249.sst
-rw-r--r--. 1 user user 2137200 Jan 29 02:05 009250.sst
-rw-r--r--. 1 user user 2139308 Jan 29 05:54 012010.sst
-rw-r--r--. 1 user user 2140123 Jan 29 05:54 012011.sst
-rw-r--r--. 1 user user 2137179 Jan 29 05:54 012012.sst
-rw-r--r--. 1 user user 2138895 Jan 29 05:54 012013.sst
-rw-r--r--. 1 user user 4779 Jan 29 05:54 012014.sst
-rw-r--r--. 1 user user 59646 Jan 29 07:22 012963.sst
-rw-r--r--. 1 user user 147760 Jan 29 08:33 013792.sst
-rw-r--r--. 1 user user 2136801 Jan 29 11:48 016022.sst
You can see that the sst files have been removed between 02:05 009250.sst
and 05:54 012010.sst
npamnani
01/29/2019, 8:13 AM
钢铁侠
01/29/2019, 8:14 AM
$ ./sst_dump --file=/tmp/osquery.db/ --command=scan | grep data.auditeventpublisher.socket_events | wc -l
42
npamnani
01/29/2019, 8:15 AM
钢铁侠
01/29/2019, 8:15 AM
$ ./sst_dump --file=/tmp/osquery.db/ --command=scan | grep data.auditeventpublisher.process_events | wc -l
3433390
npamnani
01/29/2019, 8:17 AM
钢铁侠
01/29/2019, 8:18 AM
./ldb --db=/tmp/osquery.db scan --column_family=queries | grep process_events | wc -l
51480
./ldb --db=/tmp/osquery.db scan --column_family=queries | grep data.auditeventpublisher.process_events | wc -l
51460
npamnani
01/29/2019, 8:22 AM
钢铁侠
01/29/2019, 8:24 AM
records.auditeventpublisher.process_events
npamnani
01/29/2019, 8:24 AM
钢铁侠
01/29/2019, 8:25 AM
records.auditeventpublisher.process_events
, when I compare the process_events
result and records.auditeventpublisher.process_events
npamnani
01/29/2019, 8:29 AM
钢铁侠
01/29/2019, 8:30 AM
./ldb --db=/tmp/osquery.db scan --column_family=queries | grep process_events | wc -l
has 20 more records than
./ldb --db=/tmp/osquery.db scan --column_family=queries | grep data.auditeventpublisher.process_events | wc -l
npamnani
01/29/2019, 8:30 AM
钢铁侠
01/29/2019, 8:32 AM
records.auditeventpublisher.process_events
eid.auditeventpublisher.process_events : 0020739730
indexes.auditeventpublisher.process_events.60 : 25812378,25812379,25812380,25812381,25812382
optimize.process_events : 1548743012
optimize_eid.process_events : 0020728620
npamnani
01/29/2019, 8:34 AM
钢铁侠
01/29/2019, 8:40 AM
./ldb --db=/tmp/osquery.db scan --column_family=queries | grep data.auditeventpublisher.process_events | wc -l
51460
There are 51460 records. It is difficult to compare.
npamnani
01/29/2019, 8:40 AM
钢铁侠
01/29/2019, 8:42 AM
Go through the logic? I did not understand.
npamnani
01/29/2019, 8:43 AM
钢铁侠
01/29/2019, 8:45 AM
npamnani
01/29/2019, 8:45 AM
钢铁侠
01/29/2019, 8:47 AM
CPP
void EventSubscriberPlugin::expireRecords(const std::string& list_type,
                                          const std::string& index,
                                          bool all) {
  if (!executedAllQueries()) {
    return;
  }

  auto record_key = "records." + dbNamespace();
  auto data_key = "data." + dbNamespace();

  // If the expiration is not removing all records, rewrite the persisting ones.
  std::vector<std::string> persisting_records;

  // Request all records within this list-size + bin offset.
  auto expired_records = getRecords({list_type + '.' + index}, false);
  if (all && expired_records.size() > 1) {
    deleteDatabaseRange(kEvents,
                        data_key + '.' + expired_records.begin()->first,
                        data_key + '.' + expired_records.rbegin()->first);
  } else {
    for (const auto& record : expired_records) {
      if (record.second <= expire_time_) {
        deleteDatabaseValue(kEvents, data_key + '.' + record.first);
      } else {
        persisting_records.push_back(record.first + ':' +
                                     std::to_string(record.second));
      }
    }
  }

  // Either drop or overwrite the record list.
  // Directly set the new rocksdb value.
  if (all) {
    deleteDatabaseValue(kEvents, record_key + "." + list_type + "." + index);
  } else if (persisting_records.size() < expired_records.size()) {
    auto new_records = boost::algorithm::join(persisting_records, ",");
    setDatabaseValue(
        kEvents, record_key + "." + list_type + "." + index, new_records);
  }
}
auto expired_records = getRecords({list_type + '.' + index}, false);
to get the data.auditeventpublisher.process_events. I think getRecords()
does not return the right records, or it does not find the records which do exist, so osquery can't delete the data.auditeventpublisher.process_events.
/ldb --db=/tmp/osquery.db scan --column_family=queries | grep records.auditeventpublisher.process_events
, and this is what I got:
https://osquery.slack.com/files/UDK4HKG9Z/FFR66929F/image.png
./ldb --db=/tmp/osquery.db scan --column_family=queries | grep data.auditeventpublisher.process_events
got
I find that the eid in the first 10 records.auditeventpublisher.process_events
records all do not exist in the data.auditeventpublisher.process_events
results. Only this records.auditeventpublisher.process_events.60.[25812380-25812383], and the first item in records.auditeventpublisher.process_events.60.25812380 is 0020688271:1548742845. I convert 1548742845 to a date, which is 2019-01-29 14:20:45.
npamnani
01/29/2019, 9:04 AM
钢铁侠
01/29/2019, 9:08 AM
$ ./ldb --db=/tmp/osquery.db scan --column_family=queries | grep data.auditeventpublisher.process_events | wc -l
51460
$ ./sst_dump --file=/tmp/osquery.db/ --command=scan | grep data.auditeventpublisher.process_events | wc -l
3433390