Does anybody know why I could be having an issue where all e

Question

Does anybody know why I could be having an issue where all entries in `osquery schedule` have a `last executed = 0` I have enabled the osx attack pack but no queries seem to be running I left the default Intervals and I m using filesystem logging If this is not the right place to ask this let me know where thanks

Luis Gomez · Answer

I m also wondering what s the best way to debug this

allister · Answer

the daemon is running

allister · Answer

what is configuring the schedule is it a local conf or over TLS from a server

Luis Gomez · Answer

it s all in my local computer

Luis Gomez · Answer

daemon is running

Luis Gomez · Answer

``` ~ sudo osqueryctl status com facebook osqueryd is running pid 10799```

allister · Answer

what s the interval on the attacks pack

allister · Answer

I m seeing every hour for a lot of them has it output logs multiple times

allister · Answer

actually these are all differentials

allister · Answer

I saw the same thing you did the first time I did an adhoc run but now a few weeks after scheduling some snapshots differentials I get unix timestamps for that key

Luis Gomez · Answer

is it normal that in the `osquery schedule` table

Luis Gomez · Answer

all entries have `last executed = 0`

Luis Gomez · Answer

I was expecting not to find log entries in `osqueryd results log` which is fine

Luis Gomez · Answer

specially for the osx attack pack

Luis Gomez · Answer

but I was looking for a confirmation that the queries where running

Luis Gomez · Answer

the interval is 3600 seconds in all the queries of the pack by default

Luis Gomez · Answer

I also tried to lower one of the queries interval to 120 seconds to see if that was it

Luis Gomez · Answer

but no luck so far

allister · Answer

when it has nothing to report is has nothing to report

Luis Gomez · Answer

of course

Luis Gomez · Answer

but should not appear somewhere that the query was executed by the scheduler

allister · Answer

I m not sure how that field gets evaluated if it has no results but I also don t think like a security person I think like an inventory auditing person I m mostly running snapshots

Luis Gomez · Answer

so my question is mostly how to find out when a certain query was executed by the scheduler cause I thought the `last executed` column in the `osquery schedule` was doing that but not sure anymore

Luis Gomez · Answer

I do have default scheduled query in the conf which adds results on the log

Luis Gomez · Answer

system info one

Luis Gomez · Answer

but that also shows last executed = 0

allister · Answer

has it been running for longer than ~24 hours

allister · Answer

I mean that shouldn t make a difference but

Luis Gomez · Answer

yeah

zwass · Answer

Are you running `osquery schedule` in `osqueryi`

Luis Gomez · Answer

the query yes

Luis Gomez · Answer

`SELECT from osquery schedule WHERE last executed gt 0 ` running this query in `osqueryi` gives nothing

Luis Gomez · Answer

is it because it s a virtual db

Luis Gomez · Answer

I thought maybe it would connect to the RocksDB for this stuff

Luis Gomez · Answer

but I m new to osquery so it s still unclear to me slightly smiling face

zwass · Answer

This is a common misconception

zwass · Answer

Both processes cannot connect to the same DB so osqueryi has no access to the schedule info

zwass · Answer

However there is a new functionality that can be helpful with this See <https twitter com fleetctl status 1387376047516053508>

Luis Gomez · Answer

oh nice

Luis Gomez · Answer

thanks for the clarification < zwass>

zwass · Answer

typically you want to schedule a query for the `osquery schedule` table but that new ` connect` command is a good option for ad hoc analysis

Luis Gomez · Answer

makes sense ad hoc is good mostly for checking quickly that the query runs as it should