#general

Brandon Mesa

11/01/2022, 6:45 PM
hey all, is there a way to get the "action" field from osquery.results.log included in the "columns" key? I'm doing some log parsing and forwarding that only captures the value of the column key. In this case, as it stands, I'm not able to identify whether the application was installed or removed
sharvil

11/01/2022, 7:00 PM
I will have to check, but I don't think that's possible
I am sure you are aware, but "action" here represents the event format of the result log (https://osquery.readthedocs.io/en/stable/deployment/logging/#event-format)
Brandon Mesa

11/01/2022, 7:03 PM
Right… completely outside the context of the query executed… I think I’ll have to go back to the drawing board on this one.
sharvil

11/01/2022, 7:04 PM
perhaps a differential query might be better suited here? you might have to experiment and play around a little bit
Brandon Mesa

11/01/2022, 7:06 PM
That is what this is, right? A differential query: "applications": { "query": "SELECT *, 'applications' as _splkey FROM apps;", "interval": 60 }
sharvil

11/01/2022, 7:08 PM
hard to tell just from that. https://osquery.readthedocs.io/en/stable/deployment/logging/#batch-format says that there needs to be a flag when starting up osquery: --logger_event_type=false
Brandon Mesa

11/01/2022, 7:10 PM
thanks @sharvil
Gavin

11/01/2022, 7:33 PM
What are you using for the log parsing?
Brandon Mesa

11/01/2022, 7:34 PM
Splunk
Gavin

11/01/2022, 7:42 PM
Better question: how are you extracting the column data? The Splunk agent and most configs by default export the whole record and expect you to just specify columns.foo in your query
Brandon Mesa

11/01/2022, 7:47 PM
A line breaker that delimits events on a static string within all scheduled queries column payloads
Gavin

11/01/2022, 7:51 PM
Custom code? Maybe look at JSON parsing and moving the field into the columns array
Brandon Mesa

11/01/2022, 7:52 PM
Yep, trying that now with a SEDCMD
Gavin

11/01/2022, 7:54 PM
That sounds somewhat horrible :(
Brandon Mesa

11/01/2022, 7:54 PM
That it does. I'll have to audit the parsing pipelines and see if it'll scale or not
Gavin

11/01/2022, 7:54 PM
Filebeat does this natively; Python is very good at this, Go also
I would also strongly recommend sending the full record; you get context like the timestamp etc., which is pretty valuable
Brandon Mesa

11/01/2022, 8:04 PM
process creation and FIM both come with a payload time field, which works. But yeah, with the applications table, I don't have that available after parsing
seph

11/01/2022, 8:28 PM
I think it does not make sense to copy actions into the columns. Columns is the data; action is the larger structure of the result. (Similarly with the unix time, host identifier, etc.)
I think if you want to do something weird parsing-side, parse the JSON blob and reformat it to whatever you want
Brandon Mesa

11/01/2022, 8:43 PM
thanks all, great feedback
FYI, I ended up scrapping the applications query and just went with FIM for all .app target paths.