Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
ryan
10/08/2021, 2:28 PMStarted getting this after 4.4.0 upgrade
"err":["failed to save host software: insert software: Error 1054: Unknown column 'bundle_identifier' in 'field list'"]t
Tomas Touceda
10/08/2021, 3:08 PMwhat version did you migrate from?
r
ryan
10/08/2021, 3:13 PM4.3.1
t
Tomas Touceda
10/08/2021, 3:16 PMcould you tell me the output of the following sql query:
select * from migration_status_tablesr
ryan
10/08/2021, 3:16 PMI don’t see a bundle_identifier column in the software table. I messed around a little and added the column
alter table software add column bundle_identifier varchar(255) NOT NULL;| 100 | 20210819143446 | 1 | 2021-09-14 07:30:59 || 101 | 20210903132338 | 1 | 2021-09-14 07:30:59 || 102 | 20210915144307 | 1 | 2021-09-27 14:49:25 || 103 | 20210920155130 | 1 | 2021-09-27 14:49:25 || 104 | 20210927143115 | 1 | 2021-10-05 00:16:55t
Tomas Touceda
10/08/2021, 3:18 PMthe migration you're missing is:
ALTER TABLE software ADD COLUMN bundle_identifier VARCHAR(255) DEFAULT ''✅ 1
r
ryan
10/08/2021, 3:32 PMAnything missing in the migration, my result/status filesystem logging stopped and I’m seeing errors like this
"filename":"distributed.cpp","line":"131","message":"Error executing distributed query: fleet_policy_query_6: no such table: sharing_preferences"t
Tomas Touceda
10/08/2021, 3:34 PMcould you share the query that you are using for policy id 6?
r
ryan
10/08/2021, 3:51 PM{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"0","filename":"distributed.cpp","line":"121","message":"Executing distributed query: fleet_policy_query_6: select 1 from sharing_preferences where remote_login = 0;","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"2","filename":"distributed.cpp","line":"131","message":"Error executing distributed query: fleet_policy_query_6: no such table: sharing_preferences","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"0","filename":"distributed.cpp","line":"121","message":"Executing distributed query: fleet_policy_query_1: SELECT * FROM apps where bundle_identifier='io.redacted.redacted'","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}{"hostIdentifier":"redacted","calendarTime":"Fri Oct 8 15:04:21 2021 UTC","unixTime":"1633705461","severity":"2","filename":"distributed.cpp","line":"131","message":"Error executing distributed query: fleet_policy_query_1: no such table: apps","version":"5.0.1","decorations":{"host_uuid":"redacted","hostname":"redacted"}}its all of them
t
Tomas Touceda
10/08/2021, 3:53 PMhttps://docs.zercurity.com/osquery/schema/osquery_4.1.2/sharing_preferences.html <-- policies run in all platforms, so they will fail in the platfroms that don't support it
r
ryan
10/08/2021, 3:55 PMyah the targets are just platforms that support it and I can run the query live vs the hosts
t
Tomas Touceda
10/08/2021, 3:56 PMpolicies don't run per platform as of today, they are sent to all hosts
r
ryan
10/08/2021, 4:01 PMconfirmed they are unsupported hosts so makes sense on the policies. Any idea why the filesystem logging would have stopped?
t
Tomas Touceda
10/08/2021, 4:02 PMcould you expand a bit more on what you mean?
r
ryan
10/08/2021, 4:13 PMthe packs run and should be logging to the filesystem (per my config) and was previously working.
osquery:
status_log_plugin: filesystem
result_log_plugin: filesystem
filesystem:
status_log_file: /var/log/osquery/status.log
result_log_file: /var/log/osquery/result.log
enable_log_rotation: true
enable_log_compression: true
logging:
json: truedisregard appears a restart fixed it 🤷