# macos
l
Does anybody know why I could be having an issue where all entries in `osquery_schedule` have a `last_executed = 0`? I have enabled the osx-attack pack but no queries seem to be running, I left the default intervals and I'm using filesystem logging. If this is not the right place to ask this let me know where, thanks! :)
I'm also wondering what's the best way to debug this.
a
the daemon is running?
what is configuring the schedule, is it a local conf or over TLS from a server?
l
it's all in my local computer
daemon is running
```
➜  ~ sudo osqueryctl status
com.facebook.osqueryd is running. pid: 10799
```
a
what's the interval on the attacks pack?
I'm seeing every hour for a lot of them, has it output logs multiple times?
actually these are all differentials
I saw the same thing you did the first time I did an adhoc run, but now a few weeks after scheduling some snapshots/differentials I get unix timestamps for that key
l
is it normal that in the `osquery_schedule` table all entries have `last_executed = 0`?
I was expecting not to find log entries in `osqueryd.results.log`, which is fine, especially for the osx-attack pack, but I was looking for a confirmation that the queries were running
the interval is 3600 seconds in all the queries of the pack by default
I also tried to lower one of the queries' interval to 120 seconds to see if that was it
but no luck so far
a
when it has nothing to report it has nothing to report
l
of course
but shouldn't it appear somewhere that the query was executed by the scheduler?
a
I'm not sure how that field gets evaluated if it has no results, but I also don't think like a security person, I think like an inventory/auditing person - I'm mostly running snapshots
l
so my question is mostly how to find out when a certain query was executed by the scheduler, cause I thought the `last_executed` column in the `osquery_schedule` table was doing that but not sure anymore
I do have a default scheduled query in the conf which adds results to the log, the `system_info` one, but that also shows `last_executed = 0`
a
has it been running for longer than ~24 hours?
I mean that shouldn't make a difference, but
l
yeah
z
Are you running `osquery_schedule` in `osqueryi`?
l
the query yes, `SELECT * from osquery_schedule WHERE last_executed > 0;`
running this query in `osqueryi` gives nothing
is it because it's a virtual db?
I thought maybe it would connect to the RocksDB for this stuff
but I'm new to osquery so it's still unclear to me 🙂
z
This is a common misconception
Both processes cannot connect to the same DB, so osqueryi has no access to the schedule info
However, there is a new functionality that can be helpful with this. See https://twitter.com/fleetctl/status/1387376047516053508
l
oh nice!
thanks for the clarification @zwass!
z
(typically you want to schedule a query for the `osquery_schedule` table, but that new `.connect` command is a good option for ad-hoc analysis)
l
makes sense, ad-hoc is good mostly for checking quickly that the query runs as it should