Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
Stefano Bonicatti
05/26/2022, 9:57 PM@Jason Field events need to be enabled: https://osquery.readthedocs.io/en/latest/deployment/file-integrity-monitoring/
j
Jason Field
05/26/2022, 10:01 PMand that should work with "disable_events": "false", in the config right?
s
Stefano Bonicatti
05/26/2022, 10:02 PMthings like that are CLI flags. Although now you still can set them through the config file, they are really meant to be set via flagfile or as an option to the process
you can see which one are flags and which ones are cli flag via the
osqueryd --helpj
Jason Field
05/26/2022, 10:13 PMDo events need to be enabled if you are streaming to kinesis in aws as well?
s
Stefano Bonicatti
05/26/2022, 10:14 PMThey are not related. If you want to query events, you need to enable them, that’s it.
Where query results gets shipped is a different matter
👍 1
And I should add, only enable events if you have a query on an evented table, and enable only those for the table you are querying, otherwise you’ll be buffering them locally, cause the local RocksDB to grow a lot and slow down things and or cause high CPU usage.
j
Jason Field
05/27/2022, 12:06 AMI tried enabling events both from the launch and the config same results...
I0527 00:03:12.280498 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
^Z
[1]+ Stopped sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
[ec2-user@ip-10-0-241-143 ~]$ sudo touch /etc/passwd
[ec2-user@ip-10-0-241-143 ~]$ fg
sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
I0527 00:03:59.936616 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
I0527 00:04:31.941900 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
^Z
[1]+ Stopped sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
[ec2-user@ip-10-0-241-143 ~]$ sudo cat /var/log/osquery/osqueryd.results.log
I am open to running other tests etc. This is just a test I found on a gitlab issue.. I have tried other but this is the one I was on last.
s
Stefano Bonicatti
05/27/2022, 2:18 PM@Jason Field please check the link I previously provided on file integrity monitoring. Have you enabled the corresponding evented table with the flags?
The “FIM basics in osquery” mentions that you need to also provide
--enable_file_events=truefile_eventsj
Jason Field
05/27/2022, 3:08 PMOK! First off thank you so far. I think we are making progress. 2 questions now. First off if I launch the process how I showed before:
sudo osqueryd --verbose --enable_file_events=true --disable_events=false --config_path /etc/osquery/osquerytest.conf"enable_file_events": "true",Ok so after some testing and troubleshooting it seems I was missing both:
"disable_events": "false","enable_file_events": "true",s
Stefano Bonicatti
06/02/2022, 2:11 PM@Jason Field yes, https://github.com/osquery/osquery/pull/6663 is what changed it
also you don’t need them to be in the config file, and actually there will be soon a change that will block those flags (at least the disable_events for now) to be set via the config file. This is a cross-platform concept; CLI only flags should be provided either as arguments to the starting process or via the flagfile