Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
alessandrogario
01/03/2020, 6:30 PM@Jamie Windley can you try it again with a new database?
j
Jamie Windley
01/03/2020, 6:40 PMWhat’s the best way of doing this?
a
alessandrogario
01/03/2020, 6:41 PMthere should be a flag to specify where the database is stored; you could pass a path to another folder so you can test this without renaming/removing the original database
I think the flag is named --database_path, but you can check with --help
If it works with a new database, then a database migration (performed when osquery was last updated) may have damaged the event-related keys in the database
j
Jamie Windley
01/03/2020, 8:20 PMIt won't let me run osqueryi with a --database_path to a folder that doesn't contain an osquery database. Can I just kill the one in /var/osquery?
a
alessandrogario
01/03/2020, 8:20 PMyeah, you can. maybe you can rename it for now instead of deleting it
j
Jamie Windley
01/03/2020, 8:22 PMok, I did that and it created a new osquery.db, but when in osqueryi shell I still get no results from
select * from process_events;a
alessandrogario
01/03/2020, 8:25 PMuhm are the osquery flags correct, according to https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-auditing ?
can you also paste the contents of /etc/security/audit_control ?
j
Jamie Windley
01/03/2020, 8:26 PM#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:ex,pc,ap,aa,lo,ad
minfree:5
naflags:no
policy:cnt,argv,arge
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticateda
alessandrogario
01/03/2020, 8:58 PMthat file seems ok, can you try with sudo osqueryd -S --verbose --disable_audit=false --disable_events=false ?
j
Jamie Windley
01/04/2020, 5:13 PMthose flags are already set in my osqeury.conf file, and when I run
osqueryit
theopolis
01/04/2020, 5:23 PMWhat version of osquery are you using and has this changed in within the few months?
Remember that
osqueryiosquerydselect * from osquery_eventsactiveprocess_eventsAn OS update may have happened too, do you mind sharing your current OS version so we can help reproduce?
j
Jamie Windley
01/05/2020, 12:48 PMI am on MacOS 10.14.6 and osquery version 3.3.2 (I have been on since May). When running `select * from osquery_events`I can see an
activeprocess_eventsSeems to be working now.. Some tinkering along the way must have kicked it back into action. I'll try and find out what the issue was