#fleet
Bacarus

09/29/2021, 2:58 PM
Hello, I’m not sure if this is related to Fleet or to osquery; tell me if I should move this question to another channel. I have this query:
SELECT address, mask, type, friendly_name FROM interface_addresses
scheduled by Fleet with this config:
interval(s): 30, platform: All, Version: Any, Logging: +/- (differential)
And I’ve found those logs:
hostidentifier : "4c4c4544-0051-5310-8032-cac04f595a32"
calendartime : "Mon Sep 27 07:25:53 2021 UTC"
epoch : 1632700800
counter : 0
 columns :
   mask : "255.0.0.0"
   type : "unknown"
   address : "127.0.0.1"
   friendly_name : ""
action: "added"
--------
hostidentifier : "4c4c4544-0051-5310-8032-cac04f595a32"
calendartime : "Mon Sep 27 06:15:33 2021 UTC"
epoch : 1632700800
counter : 0
 columns :
   address : "127.0.0.1"
   friendly_name : ""
   mask : "255.0.0.0"
   type : "unknown"
action: "added"
---------
How is it possible that I have two "added" results for the same row with the same counter and epoch? This is just one example; I’ve found other logs like it. Maybe I don’t understand how scheduled queries work in differential mode. Shouldn’t each row’s action alternate? The behaviour I expected is something like this:
epoch: 1
counter: 0
action: "added"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 1
counter: 3
action: "removed"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 1
counter: 5
action: "added"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 2
counter: 0
action: "added"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 2
counter: 10
action: "removed"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 4
counter: 7
action: "added"
columns: 
  address: "10.0.0.1"
  ...
Additional info: I’m using Fleet 3.11 and osquery 4.9.0. I also have this issue with other scheduled queries.
zwass

09/29/2021, 4:10 PM
This is unlikely to be a Fleet issue, as Fleet pretty much just forwards the result logs from osquery exactly as they are received. I wonder if somehow osquery detected two of the same interface? Or do you have two separate osquery instances running (on the same or different hosts) that use the same hostIdentifier?
5:08 PM
the counter should be set to 1 for the second differential in the same epoch
5:09 PM
so those results were both from the initial query
Bacarus

09/29/2021, 7:23 PM
@Jocelyn Bothe I set the epoch manually from Fleet, but the strange thing is that I receive the duplicate logs from the same agent, in the same initial query, in the same epoch.
7:27 PM
@zwass Will check it tomorrow. By the way, I installed osquery through Kolide Launcher. I also noticed that if I use “distinct” in the query I don’t have the issue; can it be related to the “distinct” keyword in the query?
zwass

09/29/2021, 7:30 PM
Maybe osquery generates two rows with the same info? That wouldn't explain why they are half an hour apart though.
Bacarus

09/30/2021, 7:06 AM
@zwass I don’t think so; if I try it as a distributed query there is only one row (both with and without the distinct keyword). Anyway, why should it generate duplicates? Does the differential feature of osquery consider all the columns of the table or only the selected columns?
7:49 AM
@zwass I’ve just checked the host machine and there is only one osquery/launcher instance:
$ ps -e | grep osquery
997 ?    00:20:44 osqueryd
999 ?    00:00:00 osquery-extensi

$ ps -e | grep launcher
788 ?    00:07:04 launcher

$ systemctl --type=service | grep launcher
launcher.launcher.service     loaded active running The Kolide Launcher
10:26 AM
What is the expected behaviour of osquery if I disable a differential query from Fleet and enable it again later with the same epoch? Does it restart the counter? Does it continue to log from the previous “state”?