https://github.com/osquery/osquery

Stefano Bonicatti

05/26/2022, 9:57 PM

Jason Field

05/26/2022, 10:01 PM
and that should work with "disable_events": "false", in the config, right?

Stefano Bonicatti

05/26/2022, 10:02 PM
Things like that are CLI flags. Although you can still set them through the config file, they are really meant to be set via the flagfile or as an option to the process.
You can see which ones are flags and which ones are CLI flags via
osqueryd --help

Jason Field

05/26/2022, 10:13 PM
Do events need to be enabled if you are streaming to kinesis in aws as well?

Stefano Bonicatti

05/26/2022, 10:14 PM
They are not related. If you want to query events, you need to enable them, that's it. Where query results get shipped is a different matter.
And I should add: only enable events if you have a query on an evented table, and enable only those for the tables you are querying; otherwise you'll be buffering them locally, causing the local RocksDB to grow a lot and slow things down and/or cause high CPU usage.

Jason Field

05/27/2022, 12:06 AM
I tried enabling events both from the launch and the config, same results...

I0527 00:03:12.280498 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
^Z
[1]+  Stopped                 sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
[ec2-user@ip-10-0-241-143 ~]$ sudo touch /etc/passwd
[ec2-user@ip-10-0-241-143 ~]$ fg
sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
I0527 00:03:59.936616 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
I0527 00:04:31.941900 11636 scheduler.cpp:110] Executing scheduled query file_events: select * from file_events;
^Z
[1]+  Stopped                 sudo osqueryd --verbose --config_path /etc/osquery/osquerytest.conf --disable_events=false
[ec2-user@ip-10-0-241-143 ~]$ sudo cat /var/log/osquery/osqueryd.results.log
I am open to running other tests etc. This is just a test I found on a GitLab issue. I have tried others, but this is the one I was on last.

Stefano Bonicatti

05/27/2022, 2:18 PM
@Jason Field please check the link I previously provided on file integrity monitoring. Have you enabled the corresponding evented table with the flags? The "FIM basics in osquery" page mentions that you need to also provide
--enable_file_events=true
for the file_events table.

Jason Field

05/27/2022, 3:08 PM
OK! First off, thank you so far. I think we are making progress. Two questions now. First, if I launch the process how I showed before:
sudo osqueryd --verbose --enable_file_events=true --disable_events=false --config_path /etc/osquery/osquerytest.conf
is there a way to stop that process or service? Sorry, not as familiar with Linux still. Second question would be: how do I add that to the config or service so that it just happens when the server starts up, etc.? Just add a
"enable_file_events": "true",
to the config as well?
Ok, so after some testing and troubleshooting it seems I was missing both:
"disable_events": "false",
"enable_file_events": "true",
from the config file. Was that something that changed, say, maybe somewhere around a year and a half ago, where those would not have been needed? Sorry, just trying to figure out why this stopped working.

Stefano Bonicatti

06/02/2022, 2:11 PM
@Jason Field yes, https://github.com/osquery/osquery/pull/6663 is what changed it.
Also, you don't need them to be in the config file, and actually there will soon be a change that will block those flags (at least disable_events for now) from being set via the config file. This is a cross-platform concept; CLI-only flags should be provided either as arguments to the starting process or via the flagfile.