Hello I m trying to run a couple differential packs in fleet osquery #fleet

Hello, I'm trying to run a couple differential pac...

ccombs

02/12/2021, 3:40 PM

Hello, I'm trying to run a couple differential packs in fleet and one of them is always returning with epoch and counter set to 0, could anyone take a look? Details in 🧵, please let me know if there's a more appropriate place to put this (github, diff slack channel, etc).

ccombs

02/12/2021, 3:41 PM

These are the queries contained in the pack that does seem to have counter properly incrementing:

select name, publisher, type, subscriptions, events, active from osquery_events;

select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;

select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;

select osquery.version from osquery_info osquery;

(this one is a snapshot so no diff) The other pack always has both epoch and counter set to 0. This is the only query it contains:

SELECT * FROM crontab

My fleetdm version is 3.6.0 My osqueryd version is 3.2.6 Let me know if there are any other details I can provide that would be helpful. Sorry I've been asking so many questions lately, my goal is to start contributing to this project but I've never contributed to open source before 🙂

zwass

02/12/2021, 4:43 PM

We are here for questions 🙂 Can you run osqueryd with

--verbose --tls_dump

and see whether osquery is writing logs with values you expect? We want to try to isolate the issue to Fleet or osquery.

ccombs

02/12/2021, 7:37 PM

After testing the issue on a single machine, it does seem to be working properly. I'm going to try to isolate the issue a little better on other machines which are having issues. I'll update this thread if I find something useful

👍 1

3 Views

Open in Slack

Previous Next