I know that osqueryd and osqueryi do not interact with one a osquery #core

I know that osqueryd and osqueryi do not interact ...

Antoinette

02/12/2020, 6:50 PM

I know that osqueryd and osqueryi do not interact with one another (like watchdog can't kill osqueryi if it's running a performance heavy query). However, do the two share the RocksDB embedded database? I ask because we have

select * from osquery_schedule;

as a scheduled query and can see the results being returned in elasticsearch but if we try to do that query in

osqueryi

the fields are zeroed out.

zwass

02/12/2020, 6:55 PM

They do not share the RocksDB database. Only one process may have RocksDB open at one time.

zwass

02/12/2020, 6:56 PM

Sometimes it can be useful to stop osqueryd and connect osqueryi to the database. Then you can select against the event based tables and see what is in there.

Antoinette

02/12/2020, 6:59 PM

I figured this might be the case. We have events disabled but does osquery not store the metrics for

osquery_schedule

in the database?

Antoinette

02/12/2020, 7:05 PM

^ We connected osqueryi to the osqueryd database and still empty table. it isn't urgent but definitely making us scratch our heads a little

zwass

02/12/2020, 7:19 PM

When you start osqueryi there will be no schedule. I'm not sure there's a good way to look at the

osquery_schedule

table besides as a scheduled query or a live query against a running osqueryd.

Antoinette

02/12/2020, 7:21 PM

Yeah. I understand what it's doing now after Seph said it's keeping the metrics in memory and then I went through and read some of the code in the repo. Makes sense! Thank you!

🍻 1

8 Views

Open in Slack

Previous Next