#eclecticiq-polylogyx-extension

Shane Sanborn

01/28/2022, 7:45 PM
Hi, I just started working with this extension on osquery. I have been getting certain error logs when I start up osquery with the extension, and I'm not sure if the extension is working properly:
2022-01-28_15.38.41 INFO  plgx_win_extension.ext.cpp:601: ##### EclecticIQ Osquery Extension v3.0.0.0 #####
2022-01-28_15.38.44 INFO  plgx_win_extension.ext.cpp:699: distributed_tls_plugin is tls
2022-01-28_15.38.44 ERROR plgx_win_extension.ext.cpp:739: Failed retrieving Kernel state from osqueryd config. Error: 2 (The system cannot find the file specified.)
2022-01-28_15.38.44 INFO  plgx_extension_watcher.cpp:41: Watcher Thread starting..
2022-01-28_15.38.44 ERROR plgx_load_unload_vast_driver.cpp:34: Driver-Init Failed: 1056
2022-01-28_15.38.44 ERROR plgx_load_unload_vast_driver.cpp:34: Driver-Init Failed: 1056
2022-01-28_15.38.44 ERROR plgx_win_extension.ext.cpp:761:  Driver Load Failed Again
2022-01-28_15.38.44 INFO  plgx_win_extension.ext.cpp:780: Polylogyx plugin not found. Creating Config thread to refresh config
2022-01-28_15.38.44 INFO  plgx_win_extension.ext.cpp:784: config_tls_plugin is filesystem
Any help would be appreciated thanks!

himanshu

01/29/2022, 6:42 AM
Hi @Shane Sanborn, I see that the driver init failed for the extension. The error code 1056 looks to be ERROR_SERVICE_ALREADY_RUNNING. Possibly the services vast and vastnw are already running from a previous instance and you need to stop them first. Can you please try the following commands, then load the extension again? On cmd.exe do:
1. sc stop vast
2. sc stop vastnw
Then load your extension again. Please let us know if that worked for you. Also, I see you are running version 3.0.0.0, which is outdated. If possible, it would be great if you could try the latest extension, 3.0.1, with new features and bug fixes, available here: https://github.com/eclecticiq/osq-ext-bin

OpenPlgx

01/29/2022, 8:53 AM
@Shane Sanborn, answers to a couple of other questions will be very helpful:
1. How are you installing/running the extension? osqueryi/osqueryd? Is there a server you are using as well?
2. What OS is it?
8:54 AM
And to the above commands as suggested by @himanshu, maybe also add "sc delete vast" / "sc delete vastnw" just to make sure it starts from a clean slate altogether.
6:49 PM
Hi @Shane Sanborn, were these suggestions helpful?

Shane Sanborn

01/31/2022, 6:50 PM
I was off during the weekend; planning on testing these by the end of the day.
8:17 PM
@OpenPlgx, it seems I'm not getting any error logs now, but the custom plgx tables are all empty when I look at Windows Event Viewer. Any help?
8:18 PM
The OS is windowsbase16, and I'm running the extension through the extensions.load file that points to the exe file; I also have the flags that are in the repo.
8:45 PM
Also, this is what my log file looks like now:
2022-01-31_20.25.53 INFO  plgx_win_extension.ext.cpp:632: ##### EclecticIQ Osquery Extension v3.0.1.0 #####
2022-01-31_20.25.57 INFO  plgx_win_extension.ext.cpp:730: distributed_tls_plugin is tls
2022-01-31_20.25.57 INFO  plgx_win_extension.ext.cpp:771: Kernel services state from config not found. Error: 2 (The system cannot find the file specified.). State will be set to ENABLED.
2022-01-31_20.25.57 INFO  plgx_extension_watcher.cpp:41: Watcher Thread starting..
2022-01-31_20.25.57 INFO  plgx_win_extension.ext.cpp:816: Polylogyx plugin not found. Creating Config thread to refresh config
2022-01-31_20.25.57 INFO  plgx_win_extension.ext.cpp:820: config_tls_plugin is filesystem
2022-01-31_20.25.57 WARNING plgx_win_utils.cpp:1007: No event_filter found.
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:170: Event controls (remove) stage crossed.
2022-01-31_20.25.57 INFO  plgx_win_utils.cpp:1458: No event control (blocking) filter found in config.
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:172: Event controls (apply) stage crossed.
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:923: Config: key:: [utc] value:: [true]
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:923: Config: key:: [custom_plgx_EnableSSL] value:: [true]
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:923: Config: key:: [custom_plgx_EnableBlocking] value:: [true]
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:923: Config: key:: [custom_plgx_EnableHttp] value:: [true]
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:923: Config: key:: [custom_plgx_EnableDns] value:: [true]
2022-01-31_20.25.57 INFO  plgx_config_parser.cpp:923: Config: key:: [custom_plgx_EnableShallowSSL] value:: [true]

OpenPlgx

02/01/2022, 3:52 AM
Is it possible for you to upload your osquery.flags/extensions.load and osquery.config files? Feel welcome to redact any sensitive info you might have in there.

himanshu

02/07/2022, 4:51 AM
It turns out that sometimes the Event Log service may not have appropriate permissions on the extension for event logging. Hence, the event channels show up empty when the extension tries to log events.
icacls plgx_win_extension.ext.exe /grant "NT AUTHORITY\LocalService":R /Q
should resolve the issue.