#process-auditing

steffen

05/11/2018, 8:59 AM
I am trying to bring process and socket events together. Socket audit (i.e. socket_events) already reports the pid, so I thought I could easily match it with process audit (i.e. process_events). Although this works well in the case of doing a ping, it does not work in the case of curling. From the curl example you can see that pid 12425 was able to make a connect call to google on port 80. However, this pid does not appear in the process_events. Any idea what the reason is?
theopolis

05/14/2018, 1:35 PM
This is an interesting case. A few things that come to mind: (1) Are there any dropped messages from Audit? You would have to know audit debugging; this is a little beyond osquery. If there are dropped messages, that is system-related and it means osquery did not have a chance to parse them. (2) osquery in --verbose mode might be helpful; there are some audit-parsing related verbose log lines. (3) Maybe we're configuring audit incorrectly and not receiving some messages.