Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
marpaia
03/27/2018, 8:59 PMit would be nice if these strings (records in this case) things could immediately be passed to the logging subsystem. kind of like https://github.com/facebook/osquery/pull/3482 but not specific to tls.
a
alessandrogario
03/27/2018, 9:02 PMDidn’t know you could do this, I’ll look into it. Would this become something that you toggle on and off or something that is always enabled (removing the table)?
m
marpaia
03/27/2018, 9:08 PMi would love to just be able to configure a subscription to an event publisher via options and get a stream of logs to the logger plugin
maybe as a new event type
the best you can do now is
select *removed: falsebut that still has to go through the interval of the scheduler, diff logic after getting the results out of rocksdb, etc
rocksdb should still be involved for the durability of process restarts, network failure, etc but i think a lot of the rest of it can be peeled back and added to the logging subsystem directly in a plugin agnostic way
a
alessandrogario
03/27/2018, 9:13 PMuhm so each log line would be a complete row?
m
marpaia
03/27/2018, 9:13 PMeither a
RowQueryDataa
alessandrogario
03/27/2018, 9:15 PMThat would be cool, and would probably speed up a lot of simple tables
m
marpaia
03/27/2018, 9:16 PMyeah, i think it would work well for higher throughput event publishers
probably a micro-optimization for something like
usb_devicesbut for audit or ebpf, it seems like it would be a fair bit more efficient to marry these two systems together