I’ve got an issue w/ running a distributed query u...
# fleet
I’ve got an issue w/ running a distributed query using the 
 table. If I run a basic yara rule using the 
 column in osqueryi I get the intened results. If I run the same query via Fleet as a distributed query I get no results. The below query identifies the test file as expected in osqueryi, but nothing at all is returned via Fleet.
Copy code
select * from yara where path like "/Users/scavanaugh/Desktop/%" and sigrule = 'rule hello_world {
$a = "Hello world"
condition: $a
Fleet is version 3.3.0 In osqueryi paths are returned for files that have no match, in Fleet this doesn’t appear to be the case
Also, @sean.cavanaugh already confirmed he is not running osqueryi w/ root
Can you run osqueryd with
--verbose --tls_dump
and verify that Fleet is sending the correct query? What user is osqueryd running as?
sure thing, need to knock out a few meeting but will report back shortly
Fleet just sends osquery the data and returns the results -- usually this kind of thing is due to some permissions issue or unexpected change in the osquery configuration. That said, Fleet 3.3.0 is pretty old and there could be some bug. Your research will help us understand which is going on.
for sure
we’re on osquery 4.9.0 if that helps, working on the goods for you
👍 1
things ended up working … for an unknown reason
I wonder if killing osqueryd did something but that doesn’t seem logical
Copy code
I1115 15:20:58.064646 186163200 distributed.cpp:121] Executing distributed query: kolide_distributed_query_952: select * from yara where path like "/Users/scavanaugh/Desktop/%" and sigrule = 'rule hello_world {
$a = "Hello world"
condition: $a
and matches = 'hello_world';

I1115 15:21:00.946065 186163200 tls.cpp:255] TLS/HTTPS POST request to URI: https://<server>/api/v1/osquery/distributed/write
{"queries":{"kolide_distributed_query_952":[{"path":"/Users/scavanaugh/Desktop/hello world.txt","matches":"hello_world","count":"1","sig_group":"","sigfile":"","strings":"","tags":""}]},"statuses":{"kolide_distributed_query_952":0},"messages":{"kolide_distributed_query_952":""},"node_key":"BPxEBIaiP3N0yZmG2ope6XEVPO7z7+ub"}
Are you running osqueryd directly via CLI now? Was it running via launchd previously? I wonder if there might be some different config?
ok now I’ve got less good news
😬 1
it worked when I ran it like so:
Copy code
sudo /usr/local/bin/osqueryd --verbose \
--tls_dump \
--allow_unsafe \
--config_plugin=tls \
--config_refresh=900 \
--config_tls_refresh=900 \
--config_accelerated_refresh=300 \
--config_tls_endpoint=/api/v1/osquery/config \
--disable_distributed=false \
--disable_enrollment=false \
--disable_tables=shell_history \
--distributed_interval=10 \
--distributed_plugin=tls \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
--enroll_secret_path=/var/osquery/kolide_secret \
--enroll_tls_endpoint=/api/v1/osquery/enroll \
--host_identifier=hostname \
--logger_min_status=1 \
--logger_plugin=tls \
--logger_snapshot_event_type=true \
--logger_tls_endpoint=/api/v1/osquery/log \
--logger_tls_period=10 \
--pack_delimiter=/ \
--tls_hostname=<server> \
--tls_server_certs=<cert> \
it stopped working I resumed via
sudo osqueryctl start
(after killing osqueryd)
really good flag, we had issues w/ that and some other fun
You could verify with
sudo osqueryi
followed by
That should "connect" to the running osqueryd process and let you try the query there -- I suspect you'll get empty.
didn’t know about
It's pretty new 🙂 Very cool feature though https://twitter.com/fleetctl/status/1387376047516053508
supported on 4.9.0 with 3.3.0? I seem to be coming up short
Copy code
-> % sudo osqueryi
Using a virtual database. Need help, type '.help'
osquery> .connect
Error: unknown command or invalid arguments:  "connect". Enter ".help" for help
Can you
select version from osquery_info
in that shell?
Ah looks like you need
.connect /var/osquery/osquery.em
"unknown command or invalid arguments" is not a very helpful error message
sorry was getting some things actioned in our env. we rolled out FDA and yara is working as intended from Fleet. I really appreciate the support @zwass 🍻
🙌 1