# fleet
t
quick question, I have a query scheduled with differential every 1 min. The results of the query are "PID, cmdline", but why does it send 1 new log every 60 seconds? Shouldn't it be the same every time, and shouldn't I receive only the first one?
k
Can you use the REST API to grab the schedule's information and post here with anything you're concerned about sharing redacted?
And, just so I know I've asked, are you looking at your status logs, or result logs?
t
I look at result logs
I monitor the result logs and it keeps receiving every 60 seconds
k
I figured, but had to make sure I checked!
t
this is the config for my schedule.
and this is the query I'm using: select ( SELECT pr.parent from process_events as pr where pr.cmdline like "stuff" ) as ppid, pe.cmdline from process_events as pe where pe.pid = ppid limit 1
k
Just want to be certain we're looking at the right schedule there... It shows a 900 second frequency. Is there any chance you have multiple schedules set up for the same query?
t
I made it 900 seconds because it kept sending the same result when I had it at 60 seconds. But no, I don't have another schedule for the same query.
k
Got it. Let me look into this a little bit and I'll get back to you. Since it's a little late in the day, I may not have more information for you until tomorrow.
t
Sure, thank you.
r
Hey Tarek, sometimes differential responds with a single add or remove line. Can you try Differentials (ignoring removals)? https://osquery.readthedocs.io/en/stable/deployment/logging/#differential-logs
t
I can try, thank you
Same result. I keep getting a result every 1 or 2 minutes, depending on how I set up the time. The same log is being sent every 2 minutes. The log has only PID and cmdLine, nothing else. Not sure how this is treated as a new log every time.
r
Hmm, what type of information are you trying to receive with running a differential query on an events table?
t
I'm getting a process id (PID) and cmdLine from it.
So I assume it should be the same PID and same cmdLine every time it runs, and I need to receive only one copy of it, as long as it's the same PID and cmdLine.
k
If you look at the data in the logs, what kind of changes are you seeing?
s
AFAIK differentials don't apply to evented tables (process_events) in this case — they behave the same way as snapshot
t
oh interesting
didn't know that.
So in that case, how long should I have my query scheduled for so the previous event is not returned? In other words, how long does it take for the event to be flushed from the local machine?
s
Generally, for _events tables, by default events are buffered locally for 24 hours… but that buffer is cleared when selecting from that table. The query you are using above might complicate this a bit, since there is a subquery to the same process_events and there is a like constraint on the table — can you try to explain what that query is trying to do? Maybe there is a better way to structure that query.
t
Hello @sharvii, thanks for your reply. What I'm trying to do is find a certain command "cmdLine" and get the parent file that executed this command. Please let me know if there is a better way of doing this. Assume a file called test.sh executed a command called "ifconfig"; then I need to get the "test.sh" file by finding the command it executed, "ifconfig".