alessandrogario

01/03/2020, 6:30 PM
@Jamie Windley can you try it again with a new database?

Jamie Windley

01/03/2020, 6:40 PM
What’s the best way of doing this?

alessandrogario

01/03/2020, 6:41 PM
there should be a flag to specify where the database is stored; you could pass a path to another folder so you can test this without renaming/removing the original database
I think the flag is named --database_path, but you can check with --help
If it works with a new database, then a database migration (performed when osquery was last updated) may have damaged the event-related keys in the database

Jamie Windley

01/03/2020, 8:20 PM
It won't let me run osqueryi with a --database_path to a folder that doesn't contain an osquery database. Can I just kill the one in /var/osquery?

alessandrogario

01/03/2020, 8:20 PM
yeah, you can. maybe you can rename it for now instead of deleting it

Jamie Windley

01/03/2020, 8:22 PM
ok, I did that and it created a new osquery.db, but when in the osqueryi shell I still get no results from `select * from process_events;`

alessandrogario

01/03/2020, 8:25 PM
can you also paste the contents of /etc/security/audit_control ?

Jamie Windley

01/03/2020, 8:26 PM
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:ex,pc,ap,aa,lo,ad
minfree:5
naflags:no
policy:cnt,argv,arge
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

alessandrogario

01/03/2020, 8:58 PM
that file seems ok, can you try with `sudo osqueryd -S --verbose --disable_audit=false --disable_events=false`?

Jamie Windley

01/04/2020, 5:13 PM
those flags are already set in my osquery.conf file, and when I run `osqueryi` I can run the command which shows which flags are active

theopolis

01/04/2020, 5:23 PM
What version of osquery are you using, and has this changed within the last few months? Remember that `osqueryi` and `osqueryd` may not be using the same config file, so double check! When testing in the shell, running `select * from osquery_events` and looking at the `active` column for `process_events` will give a strong indicator of whether the table is working.
An OS update may have happened too; do you mind sharing your current OS version so we can help reproduce?

Jamie Windley

01/05/2020, 12:48 PM
I am on macOS 10.14.6 and osquery version 3.3.2 (I have been on it since May). When running `select * from osquery_events` I can see an `active` flag for `process_events`.
Seems to be working now.. Some tinkering along the way must have kicked it back into action. I'll try and find out what the issue was