Hi team, have a question on osquery distributed wr...
# generalp
Pooja K
07/07/2022, 7:34 PMHi team, have a question on osquery distributed write interface. (I am a beginner, so please excuse me if this is a naive question)
so I am using following interfaces to communicate with osqeryd process, I am getting the result returned by osqueryd, and sending it to an api. whenever post to api fails, next time I read results it will accumulate previously failed results even though I am just feeding in 1 query. I want to know is it caching those results, and if yes, can I configure the caching on osqueryd side?
Thanks.
Copy code
GetQueriesFunc
WriteResultsFuncs
seph
07/07/2022, 8:15 PM
When you say you’re using those interfaces, what exactly do you mean?
p
Pooja K
07/07/2022, 8:21 PMusing GetQueriesFunc interface to send queries to osqueryd service to process, and calling WriteResultsFunc to get results back from the daemon
s
seph
07/07/2022, 8:21 PM
What library? What SDK? What software?
seph
07/07/2022, 8:22 PM
Osquery itself does not really do caching. It runs a query, and returns results. Evented tables are a bit weird — they source events, and generally only run queries on data newer-than-the-last-run.
p
Pooja K
07/07/2022, 8:24 PMI am using
osquery-5.1.0_1.linux_x86_64.tar.gzPooja K
07/07/2022, 8:24 PMcan I see the logs interacting with this interface?
s
seph
07/07/2022, 8:26 PM
I have no idea what interface you’re using.
p
Pooja K
07/07/2022, 8:26 PMoh bdw I am running simple
select * time('now)s
seph
07/07/2022, 8:28 PM
How are you communicating with osquery?
p
Pooja K
07/07/2022, 8:29 PMso I am using my own extension to run with osqueryd. which basically communicates with osqueryd using extensio socket.
Pooja K
07/07/2022, 8:31 PMs
seph
07/07/2022, 8:32 PM
What SDK was my next question.
seph
07/07/2022, 8:32 PM
A go extension, communicating over the extension socket is important information
seph
07/07/2022, 8:33 PM
Neither the go SDK, nor osquery are doing caching. When your extension triggers a distributed query, osquery will execute it, and return the results.
seph
07/07/2022, 8:34 PM
Rereading your question, there’s something there about how logs are handled? If osquery cannot send it’s log, they will be buffered until the configured logging destination can accept them
seph
07/07/2022, 8:35 PM
The distributed interface there is a bit of an odd choice. But maybe it’s what you intend.
p
Pooja K
07/07/2022, 9:12 PMThanks for explaining this Seph, let me check more on my side, ang will get back to you if needed. thanks.
53 Views