Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
p
Pooja K
07/07/2022, 7:34 PMHi team, have a question on osquery distributed write interface. (I am a beginner, so please excuse me if this is a naive question)
so I am using following interfaces to communicate with osqeryd process, I am getting the result returned by osqueryd, and sending it to an api. whenever post to api fails, next time I read results it will accumulate previously failed results even though I am just feeding in 1 query. I want to know is it caching those results, and if yes, can I configure the caching on osqueryd side?
Thanks.
GetQueriesFunc
WriteResultsFuncs
seph
07/07/2022, 8:15 PMWhen you say you’re using those interfaces, what exactly do you mean?
p
Pooja K
07/07/2022, 8:21 PMusing GetQueriesFunc interface to send queries to osqueryd service to process, and calling WriteResultsFunc to get results back from the daemon
s
seph
07/07/2022, 8:21 PMWhat library? What SDK? What software?
Osquery itself does not really do caching. It runs a query, and returns results. Evented tables are a bit weird — they source events, and generally only run queries on data newer-than-the-last-run.
p
Pooja K
07/07/2022, 8:24 PMI am using
osquery-5.1.0_1.linux_x86_64.tar.gzcan I see the logs interacting with this interface?
s
seph
07/07/2022, 8:26 PMI have no idea what interface you’re using.
p
Pooja K
07/07/2022, 8:26 PMoh bdw I am running simple
select * time('now)s
seph
07/07/2022, 8:28 PMHow are you communicating with osquery?
p
Pooja K
07/07/2022, 8:29 PMso I am using my own extension to run with osqueryd. which basically communicates with osqueryd using extensio socket.
s
seph
07/07/2022, 8:32 PMWhat SDK was my next question.
A go extension, communicating over the extension socket is important information
Neither the go SDK, nor osquery are doing caching. When your extension triggers a distributed query, osquery will execute it, and return the results.
Rereading your question, there’s something there about how logs are handled? If osquery cannot send it’s log, they will be buffered until the configured logging destination can accept them
The distributed interface there is a bit of an odd choice. But maybe it’s what you intend.
p
Pooja K
07/07/2022, 9:12 PMThanks for explaining this Seph, let me check more on my side, ang will get back to you if needed. thanks.