Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
t
Tarek Talaat
07/18/2022, 9:01 PMquick question, I have a query scheduled with differential every 1 min. The result of the query are "PID, cmdline" but why it sends 1 new log every 60 seconds, shouldn't be the same everytime and only receive the first one ?
đź‘€ 1
k
Kathy Satterlee
07/18/2022, 9:21 PMCan you use the REST API to grab the schedule's information and post here with anything you're concerned about sharing redacted?
And, just so I know I've asked, are you looking at your status logs, or result logs?
t
Tarek Talaat
07/18/2022, 9:24 PMI look at result logs
I monitor the result logs and it keeps receiving every 60 seconds
k
Kathy Satterlee
07/18/2022, 9:25 PMI figured, but had to make sure I checked!
t
Tarek Talaat
07/18/2022, 9:34 PMthis is the config for my schedule.
and this is the query I'm using
select
(
SELECT pr.parent from process_events as pr
where
pr.cmdline like "stuff"
) as ppid, pe.cmdline from process_events as pe
where pe.pid = ppid limit 1
k
Kathy Satterlee
07/18/2022, 9:38 PMJust want to be certain we're looking at the right schedule there... It shows a 900 second frequency. Is there any chance you have multiple schedules set up for the same query?
t
Tarek Talaat
07/18/2022, 9:39 PMI made it 900 seconds because it was keep sending the same result when I had it 60 seconds. But, no I don't have another schedule for the same query
âś… 1
k
Kathy Satterlee
07/18/2022, 9:40 PMGot it. Let me look into this a little bit and I'll get back to you. Since it's a little late in the day, I may not have more information for you until tomorrow.
t
Tarek Talaat
07/18/2022, 9:41 PMSure, thank you.
r
Rachel Perkins
07/18/2022, 10:02 PMHey Tarek, sometimes differential responds with a single add or remove line, can you try Differentials (ignoring removals)?https://osquery.readthedocs.io/en/stable/deployment/logging/#differential-logs
t
Tarek Talaat
07/18/2022, 10:03 PMI can try, thank you
Same result. I keep getting result every 1 or 2 minutes depend on how I set up the time. Same log is being sent every 2 minutes. The log has only PID, and cmdLine, nothing else. Not sure how this is treated as a new log every time.
r
Rachel Perkins
07/19/2022, 3:35 PMHmm, what type of information are you trying to receive with running a differential query on an events table?
t
Tarek Talaat
07/19/2022, 3:36 PMI'm getting a process id (PID) and cmdLine from it.
so I assume it should be the same PID and same cmdLine every time it runs, and I need to receive only one copy of it, as long as it's the same PID and cmdLine.
k
Kathy Satterlee
07/19/2022, 3:52 PMIf you look at the data in the logs, what kind of changes are you seeing?
s
sharvil
07/19/2022, 5:56 PMAKAIK
differentialsprocess_eventst
Tarek Talaat
07/19/2022, 7:57 PMoh interesting
didn't know that.
so in that case, how long should I have my query scheduled for so the previous event is not returned. In another words, how long does it take for the event to be flushed from the local machine ?
s
sharvil
07/20/2022, 10:41 AMGenerally, for
_eventsprocess_eventsliket
Tarek Talaat
07/25/2022, 5:09 PMHello @sharvii thanks for your reply. What I'm trying to do is finding a certain command "cmdLine" and get the parent file that executed this command. Please let me know if there is a better way of doing this.
Assume a file called test.sh executed a command called "ifconfig", then I need to get the "test.sh" file by finding the command it executed "ifconfig"