https://github.com/osquery/osquery logo
Powered by
Title
c

ccombs

02/12/2021, 3:40 PM
Hello, I'm trying to run a couple differential packs in fleet and one of them is always returning with epoch and counter set to 0, could anyone take a look? Details in ๐Ÿงต, please let me know if there's a more appropriate place to put this (github, diff slack channel, etc).
These are the queries contained in the pack that does seem to have counter properly incrementing: 
select name, publisher, type, subscriptions, events, active from osquery_events;
select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
select name, interval, executions, output_size, wall_time, (user_time/executions) as avg_user_time, (system_time/executions) as avg_system_time, average_memory, last_executed from osquery_schedule;
select osquery.version from osquery_info osquery;
(this one is a snapshot so no diff) The other pack always has both epoch and counter set to 0. This is the only query it contains: 
SELECT * FROM crontab
My fleetdm version is 3.6.0 My osqueryd version is 3.2.6 Let me know if there are any other details I can provide that would be helpful. Sorry I've been asking so many questions lately, my goal is to start contributing to this project but I've never contributed to open source before ๐Ÿ™‚
z

zwass

02/12/2021, 4:43 PM
We are here for questions ๐Ÿ™‚ Can you run osqueryd with 
--verbose --tls_dump
and see whether osquery is writing logs with values you expect? We want to try to isolate the issue to Fleet or osquery.
c

ccombs

02/12/2021, 7:37 PM
After testing the issue on a single machine, it does seem to be working properly. I'm going to try to isolate the issue a little better on other machines which are having issues. I'll update this thread if I find something useful
๐Ÿ‘ 1
3 Views
#fleetJoin Slack
Powered by