Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Sheetal Savagaonkar
05/04/2022, 10:17 AMWe are getting empty snapshots for Evented tables like process_events, file_events in Security Onion Fleetdm. Can anyone suggest some solution?
k
Kathy Satterlee
05/04/2022, 9:09 PMHi. @Sheetal Savagaonkar! What version of Fleet are you using? Can you give me an example of a query that's effected by this issue?
s
Sheetal Savagaonkar
05/17/2022, 4:56 AMSorry for the delay in responding. We are using Fleet - 4.10.0 version.
Sample query will be - select * from file_events;
k
Kathy Satterlee
05/17/2022, 5:29 PMThat's a fairly beefy query. What happens if you try something a little less intense like
SELECT version FROM os_versions
Sheetal Savagaonkar
05/18/2022, 6:58 AMI am able to get the results for the above query. I am facing issue only with Evented tables in Osquery.
Also, when I am trying to execute the queries from standalone Osquery with the flagfile and configuration file, I am able to get the results. But I am not able to get the results in FleetDM in SecurityOnion. Also, it is not clear from documentation if we can set the flagfile and config_file configurations.
Any solution please
k
Kathy Satterlee
05/25/2022, 3:33 PMI'm so sorry about the delay in getting back to you on this!
Can you upgrade Fleet to the most current version, then test again and look for any errors in the logs? It sounds like there may be issues with timeouts somewhere along the way.