
Sheetal Savagaonkar

05/04/2022, 10:17 AM
We are getting empty snapshots for evented tables like process_events and file_events in Security Onion FleetDM. Can anyone suggest a solution?

Kathy Satterlee

05/04/2022, 9:09 PM
Hi, @Sheetal Savagaonkar! What version of Fleet are you using? Can you give me an example of a query that's affected by this issue?

Sheetal Savagaonkar

05/17/2022, 4:56 AM
Sorry for the delay in responding. We are using Fleet version 4.10.0.
A sample query would be: select * from file_events;

Kathy Satterlee

05/17/2022, 5:29 PM
That's a fairly beefy query. What happens if you try something a little less intense, like SELECT version FROM os_version? Are you seeing any errors in the Fleet logs?

Sheetal Savagaonkar

05/18/2022, 6:58 AM
I am able to get the results for the above query. I am facing the issue only with evented tables in osquery.
Also, when I try to execute the queries from standalone osquery with the flagfile and configuration file, I am able to get the results. But I am not able to get the results in FleetDM in Security Onion. Also, it is not clear from the documentation whether we can set the flagfile and config_file configurations.
Any solution, please?

Kathy Satterlee

05/25/2022, 3:33 PM
I'm so sorry about the delay in getting back to you on this! Can you upgrade Fleet to the most current version, then test again and look for any errors in the logs? It sounds like there may be issues with timeouts somewhere along the way.