Hi everyone. I have an issue I am running into. I am running the latest plgx-esp platform and I am using the API to perform a Live Query and pull results back from the win_socket_events table. The results are returned for a brief period of time from the endpoint, and then the Live Query just stops working and no new data is returned from the endpoint. I run a live query in the Web UI and results are returned, just not recent events from that table. I have to restart the osquery service on the endpoint and that seems to retrieve the latest data from the table. So it seems the table is updating on the endpoint, but something is wrong with the live query function that returns the latest data? I am using the 4.0.2 version of osquery that comes with the platform.
05/01/2020, 12:28 PM
With the API, you are getting the data from the live query every time but only the old results. Is this the issue?
Live query will give the results at the moment it is being queried. For new events, the query has to be sent again.
I am hoping you are sending the live query again to the endpoint for the new results.
05/04/2020, 12:41 PM
Yes, so it appears that at some point the results from an endpoint stop updating in the endpoint platform. So for example, I send a live query at 3:00 PM via the API or the web UI, and in the results that come back, the latest result would be from 1:00 when I know there should be much more data there. So to fix this issue, I restart the osquery service on the endpoint and run the live query again. And that seems to pull the updated information.
I am automating some investigation when we receive a ticket from our network devices, so that is why I'm using the Live Query API to enrich the ticket with some endpoint data. The query I send to the endpoint filters on source IP, destination IP, and a timestamp.
Sometimes the results come back fine, sometimes there are no results, and that's when I have to restart the service.