We are getting empty snapshots for Evented tables ...
# fleets
Sheetal Savagaonkar
05/04/2022, 10:17 AMWe are getting empty snapshots for Evented tables like process_events, file_events in Security Onion Fleetdm. Can anyone suggest some solution?
k
Kathy Satterlee
05/04/2022, 9:09 PMHi. @Sheetal Savagaonkar! What version of Fleet are you using? Can you give me an example of a query that's effected by this issue?
s
Sheetal Savagaonkar
05/17/2022, 4:56 AMSorry for the delay in responding. We are using Fleet - 4.10.0 version.
Sheetal Savagaonkar
05/17/2022, 4:57 AMSample query will be - select * from file_events;
k
Kathy Satterlee
05/17/2022, 5:29 PMThat's a fairly beefy query. What happens if you try something a little less intense like
SELECT version FROM os_versions
Sheetal Savagaonkar
05/18/2022, 6:58 AMI am able to get the results for the above query. I am facing issue only with Evented tables in Osquery.
Sheetal Savagaonkar
05/18/2022, 7:03 AMAlso, when I am trying to execute the queries from standalone Osquery with the flagfile and configuration file, I am able to get the results. But I am not able to get the results in FleetDM in SecurityOnion. Also, it is not clear from documentation if we can set the flagfile and config_file configurations.
Sheetal Savagaonkar
05/25/2022, 3:50 AMAny solution please
k
Kathy Satterlee
05/25/2022, 3:33 PMI'm so sorry about the delay in getting back to you on this!
Can you upgrade Fleet to the most current version, then test again and look for any errors in the logs? It sounds like there may be issues with timeouts somewhere along the way.
4 Views