Hi Fleet peeps I spotted after upgrading to Fleet 4 22 1 tha osquery #fleet

Hi Fleet peeps! I spotted after upgrading to Fleet...

Ryan

11/16/2022, 5:18 PM

Hi Fleet peeps! I spotted after upgrading to Fleet 4.22.1 that our custom osquery extension (which provides a new virtual table called

de_metadata

) stopped working, in queries where we try to use it, we get an error

vtable constructor failed: de_metadata

Is there a known issue with custom extensions for osquery? We’re using osquery 5.3.0.

Ryan

11/16/2022, 5:18 PM

message has been deleted

Kathy Satterlee

11/16/2022, 5:23 PM

Hey @Ryan! The osquery logs on your hosts might have some helpful information here about why that extension isn't loading properly. Here's a debugging guide for osquery that should be helpful: https://fleetdm.com/docs/deploying/debugging#osquery

zwass

11/16/2022, 7:38 PM

This seems unlikely to be related to the Fleet update... Nothing has changed recently about how a live query would be sent to osquery. Has anything changed about your osquery version, your extension, or how you deploy them recently?

Ryan

11/17/2022, 10:10 AM

Hi, yeah I wasn’t sure if it could be, but then I wondered if it was trying to look up metadata about the virtual table but not finding it since the table isn’t part of the normal osquery schema

Ryan

11/17/2022, 10:10 AM

Notably, it works if I run

osqueryi

locally on one of the hosts, the extension loads and I can query the contents of our new table.

Ryan

11/17/2022, 3:49 PM

Ok so further debugging - I don’t see any errors logged, but during a test on one of the hosts I restarted osqueryd and the custom table is working again now 🤔

Ryan

11/17/2022, 3:49 PM

very unusual, but seems like an osquery issue and nothing to do with Fleet at all, so sorry for the false alarm!

2 Views

Open in Slack

Previous Next