Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
u
钢铁侠
12/03/2018, 1:00 PMsocket_events can't get data when it left join process_events
I encountered strange things.I record my computer's some info with socket_events and process_events.here is my sql.
sql
select * from process_events
select socket_events.*,process_events.cmdline,process_events.cwd,process_events.pid as pepid from socket_events left join process_events on socket_events.pid=process_events.pid;cmdlinecwdpepidsocket_eventscmd: curl <https://osquery.io>
name": "process_events",
"@version": "1",
"columns": {
"parent": "21451",
"cwd": "\"/root\"",
"btime": "0",
"auid": "1001",
"egid": "0",
"atime": "1448209686",
"owner_gid": "0",
"owner_uid": "0",
"path": "/usr/bin/curl",
"cmdline": "curl <https://osquery.io>",
"gid": "0",
"pid": "21923",
"ctime": "1461222192",
"time": "1543840554",
"uptime": "28088276",
"mode": "0100755",
"mtime": "1448209686",
"uid": "0",
"euid": "0"
},
"name": "socket_events",
"@version": "1",
"columns": {
"pepid": "",
"local_port": "0",
"cwd": "",
"status": "unknown",
"auid": "1001",
"path": "/usr/bin/curl",
"action": "connect",
"cmdline": "",
"family": "2",
"fd": "3",
"pid": "21923",
"local_address": "",
"remote_port": "443",
"time": "1543840554",
"uptime": "28088276",
"remote_address": "54.193.126.242"
},socket_eventsprocess_eventscwdcmdlinepepidsocket_eventsanyone encounter this?
p
packetzero
12/04/2018, 4:25 PMSorry, I have not come across this. It's not a query we use. From your description, it looks like a bug in osquery.
The FB team is working on the build changes in the 'experimental' branch, which may explain the lack of response on this and other tickets. Expect a bit of a delay before any fix is realized.
u
钢铁侠
12/05/2018, 3:48 AMOK,It seems that I must wait.Do you have an clue what is the root cause?I think maybe the problem is the sqlite parser,but I can't find the sqlite parse code in osquery.
@packetzero
p
packetzero
12/05/2018, 3:02 PMI haven't had time to look. If you haven't filed an issue for this on github, I recommend you do so.
BTW, if you did not specify events_optimize=false in your config, give it a try and see if results are different. By default, events_optimize=true, which may result in queries being changed internally. Worth a try.
u
钢铁侠
12/06/2018, 11:17 AMevents_optimize=falses
seek3r
12/06/2018, 8:04 PMHey @钢铁侠 for your security related activities, are you able to parse the windows events source or just with the windows event ids is enough to address your needs
My reasoning is that the source provide further information but at least for lateral movements detection the event ids should be sufficient.
u
钢铁侠
12/07/2018, 12:21 PMwe just osquery to record the linux infos.but if we can join socket_events and process_events with pid,we can have the full info about one process.so we nedd left join.
what I wan to konw is that the left join is not effective is the bug of the osquery?or osquery doesn't afford the this function
does anybody come across this?It have been five days passed when I open the issue