<@U03HKCFN01F> events need to be enabled: <https:/...
# general
s
j
and that should work with "disable_events": "false", in the config right?
s
things like that are CLI flags. Although for now you can still set them through the config file, they are really meant to be set via the flagfile or as an option to the process
you can see which ones are flags and which ones are CLI flags via
osqueryd --help
j
Do events need to be enabled if you are streaming to kinesis in aws as well?
s
They are not related. If you want to query events, you need to enable them, that’s it. Where query results get shipped is a different matter
And I should add, only enable events if you have a query on an evented table, and enable only those for the table you are querying, otherwise you’ll be buffering them locally, causing the local RocksDB to grow a lot, slowing things down and/or causing high CPU usage.
j
I tried enabling events both from the launch and the config, same results...
I0527 000312.280498 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
^Z
[1]+ Stopped sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
[ec2-user@ip-10-0-241-143 ~]$ sudo touch /etc/passwd
[ec2-user@ip-10-0-241-143 ~]$ fg
sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
I0527 000359.936616 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
I0527 000431.941900 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
^Z
[1]+ Stopped sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
[ec2-user@ip-10-0-241-143 ~]$ sudo cat /var/log/osquery/osqueryd.results.log
I am open to running other tests etc. This is just a test I found on a GitLab issue. I have tried others but this is the one I was on last.
s
@Jason Field please check the link I previously provided on file integrity monitoring. Have you enabled the corresponding evented table with the flags? The “FIM basics in osquery” mentions that you need to also provide --enable_file_events=true for the file_events table.
j
OK! First off thank you so far. I think we are making progress. 2 questions now. First off if I launch the process how I showed before:
sudo osqueryd --verbose --enable_file_events=true --disable_events=false --config_path /etc/osquery/osquerytest.conf
is there a way to stop that process or service? Sorry, I'm still not as familiar with Linux. Second question would be how do I add that to the config or service so that it just happens when the server starts up etc. Just add an
"enable_file_events": "true",
to the config as well?
Ok so after some testing and troubleshooting it seems I was missing both:
"disable_events": "false",
"enable_file_events": "true",
from the config file. Was that something that changed, say, somewhere around a year and a half ago, where those would not have been needed? Sorry, just trying to figure out why this stopped working.
s
@Jason Field yes, https://github.com/osquery/osquery/pull/6663 is what changed it
also you don’t need them to be in the config file, and actually there will soon be a change that will block those flags (at least disable_events for now) from being set via the config file. This is a cross-platform concept; CLI-only flags should be provided either as arguments to the starting process or via the flagfile