https://github.com/osquery/osquery logo
Powered by
Title
t

Ted Dorosheff

01/15/2022, 4:01 PM
Hey folks, i think my yaml config issues have been resolved, thanks @Luke Heath. Now i'm getting the following error in the verbose output when running osqueryd 
I0115 07:56:12.120774  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\Settings\settings.dat.LOG2 while building FRN set
I0115 07:56:12.120774  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat while building FRN set
I0115 07:56:12.136206  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1 while building FRN set
I0115 07:56:12.136206  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG2 while building FRN set
I0115 07:56:12.167567  1844 ntfs_journal_events.cpp:323] Couldn't open C:\Users\teddoro\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Settings\settings.dat while building FRN set
These paths seem to correspond to what we have for 
file_paths
in yaml config, which leads me to believe that my config is working. However, i'm wondering why osquery isn't able to open these files? I've installed using chocolatey, and verified that osquery is running with the proper permissions and as a service. FWIW, those error logs were observed after running: 
C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=osquery.flags --verbose
ie, it was running from an admin shell, and not as a "service". That being said, when i run osquery in this manner i'm able to see the host i'm running it from in FleetDM and the host appears online. However, after a system reboot and when osquery is running as a service, the host does not appear online.
🙌 1
z

zwass

01/15/2022, 5:29 PM
Your first question about the errors coming from the 
ntfs_journal_events
table might be better served in the #windows channel. For the host not coming online when run as a service... Is the service running that same command you just pasted? Perhaps it needs an absolute path to the flagfile? If you take the command line from the service and paste it in an admin powershell, does the host come online? Your best bet is to test the exact command line via powershell with absolute paths and then paste it over into the Service.
t

Ted Dorosheff

01/15/2022, 8:41 PM
How do i check to see what command the service is running with?
z

zwass

01/15/2022, 11:10 PM
Open the "Services" application, right click on the osquery service -> properties -> path to executable.
t

Ted Dorosheff

01/15/2022, 11:12 PM
Ahh okay, then yes it is running with absolute paths.
z

zwass

01/17/2022, 12:55 AM
If you copy that command and enter it in your admin powershell, does it work? Might need to add 
&
as a prefix
t

Ted Dorosheff

01/17/2022, 10:56 PM
ah ha! so the issue was that when the service was invoking the command as it was written in the "path to executable" it couldn't find 
fleet.pem
because in the flags file only the relative path was given. I changed the flags file and now it seems to be one step past that issue, however now the new error reads: 
W0117 14:55:22.073629  4404 tls_enroll.cpp:101] Failed enrollment request to <https://fleetdm-ui.ouryahoo.com/api/v1/osquery/enroll> (No node key returned from TLS enroll plugin) retrying...
ahh, probably because in the flags file, the enroll secret also doesn't have an absolute path. Changing that...
okay and now we're up
z

zwass

01/17/2022, 11:03 PM
🍾
t

Ted Dorosheff

01/17/2022, 11:04 PM
thanks man! now to see about that ntfs journal events issue. still havent heard back from anyone in the windows channel, but im not sure if its still giving an error.
z

zwass

01/17/2022, 11:05 PM
If you haven't heard from anyone, could be a good one to bring to #officehours (live meeting) tomorrow
t

Ted Dorosheff

01/17/2022, 11:05 PM
oh neat, okay thanks
okay looks like its still an issue, so what time is that meeting?
z

zwass

01/17/2022, 11:19 PM
13:00 ET
Look for the Meet link in that channel (it doesn't change week-to-week)
t

Ted Dorosheff

01/17/2022, 11:20 PM
ahh okay cool
i also keep seeing an error in verbose logs, where rocksdb tries to set a lock on osquery.db, but its unable to because of another process. Though it looks like it is able to in the next log line. 
I0117 15:15:05.984179  3348 rocksdb.cpp:149] Rocksdb open failed (5:0) IO error: Failed to create lock file: \Program Files\osquery\osquery.db/LOCK: The process cannot access the file because it is being used by another process.
I0117 15:15:06.202491  3348 rocksdb.cpp:132] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0117 15:15:06.202491  3348 rocksdb.cpp:67] RocksDB: [WARN] [db\db_impl\<http://db_impl_open.cc:1846|db_impl_open.cc:1846>] Persisting Option File error: OK
not sure if that is actually an issue or not
and then finally, the process eventually kills itself 
I0117 15:15:06.421223  3348 dispatcher.cpp:149] Thread: 3348 requesting a stop
I0117 15:15:06.421223  3348 dispatcher.cpp:156] Service: 00000218214A7950 has been interrupted
I0117 15:15:06.421223  3348 dispatcher.cpp:122] Thread: 3348 requesting a join
I0117 15:15:06.421223  3348 dispatcher.cpp:140] Service thread: 0000021821579A30 has joined
I0117 15:15:06.436787  3348 dispatcher.cpp:144] Services and threads have been cleared
E0117 15:15:06.797690  3856 shutdown.cpp:79] Worker returned exit status
I0117 15:15:06.797690  1824 dispatcher.cpp:149] Thread: 1824 requesting a stop
I0117 15:15:06.797690  1824 dispatcher.cpp:122] Thread: 1824 requesting a join
I0117 15:15:06.797690  1824 dispatcher.cpp:140] Service thread: 000001048D7CBAD0 has joined
I0117 15:15:06.812259  1824 dispatcher.cpp:144] Services and threads have been cleared
z

zwass

01/17/2022, 11:30 PM
I have to go, but check that no other osquery processes are running (perhaps restart the system) and then try again.
t

Ted Dorosheff

01/17/2022, 11:30 PM
alright man, take care
Hey Zach, you on right now?
just wondering if these two configs are somehow in conflict: 
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
if i'm setting the config plugin to be 
tls
on a windows machine, and then defining my config tls endpoint to be 
/api/v1/osquery/config
is the latter config line applicable? I mean for one thing, that path looks like a linux path with those forward slashes....
z

zwass

01/21/2022, 10:56 PM
That looks right. The former is saying "get the config from the TLS plugin". The latter is saying "the path to request on the TLS server (configured in 
tls_hostname
) is /api/v1/osquery/config."
t

Ted Dorosheff

01/21/2022, 10:57 PM
ahh okay, so 
/api/v1/osquery/config
is a location on the server, where the client should expect to receive config from?
z

zwass

01/21/2022, 10:58 PM
Yeah, osquery will do a 
POST <tls_hostname>/api/v1/osquery/config
with the node key in the body and the server will respond with the config.
You can turn on 
--verbose --tls_dump
if you want to be able to see the request/response bodies -- might be helpful for understanding.
💯 1
t

Ted Dorosheff

01/21/2022, 11:00 PM
yes, i set 
--config_dump=true
in flags, and could see everything i defined in yaml config within fleetDM. So, with that being said, is it safe to assume that the client/server config exchange is working correctly?
just trying to narrow down the possibilities as to why my ntfs_journal_events table still isnt getting any events.
z

zwass

01/21/2022, 11:01 PM
Yeah if you're seeing a JSON version of that YAML in osquery then client/server communication is definitely working.
t

Ted Dorosheff

01/21/2022, 11:01 PM
ok
5 Views
#fleetJoin Slack
Powered by