
ASHISH TIWARI

12/21/2019, 4:02 PM
However, I am not seeing any entry in the result_log table.
polylogyx=# select * from result_log
polylogyx-#

moulik

12/23/2019, 7:37 AM
Are you running the server using docker containers?
I meant to say: are you trying to run the server through the command line on the host machine directly? We save the incoming scheduled query data using a celery worker, and that needs to be running.

ASHISH TIWARI

12/23/2019, 1:03 PM
Yes, I am running the server as a docker container.
I have seen the celery worker running inside the plgx-esp_plgx-esp_1 container. I have scheduled a simple query "select * from processes" but get no data, so I'm not sure what else could be wrong or missing?

OpenPlgx

12/23/2019, 4:45 PM
How are you adding the query?
Are the default set of queries working?

ASHISH TIWARI

12/23/2019, 6:04 PM
Yes, the default set of queries is working. I can see results in the log file.

OpenPlgx

12/24/2019, 6:43 AM
Did you connect the newly added query and the target endpoint with a 'tag'?

ASHISH TIWARI

12/24/2019, 12:27 PM
Yes, I added the query and target via tag.
Also I updated pack/all-events-pack/ with a new query Windows-Native-Logs: SELECT * from windows_events where source = 'Security' or source = 'Microsoft-Windows-Windows Defender/Operational' or source = 'microsoft-windows-powershell/operational'
I am seeing the query running in the status.log file but no result in the result.log file.

OpenPlgx

12/24/2019, 4:11 PM
And there are relevant events in the Windows Event Viewer that you expect? I mean, I am wondering whether it's not just a situation where there are no events.

ASHISH TIWARI

12/24/2019, 5:18 PM
Yes, there are events in the Event Viewer.
Also I am seeing these logs in /var/log/plgx_srv.log:
2019-12-24 18:48:10,216--E--140116265395408--append_node_information_to_result_log--'NoneType' object is not subscriptable
2019-12-24 18:48:10,217--E--140116265395408--append_node_information_to_result_log--'NoneType' object is not subscriptable

moulik

12/26/2019, 7:04 AM
I don't see any tags attached to the query in the screenshot you have shared. Add the same tag to a query and the desired endpoint.

ASHISH TIWARI

12/26/2019, 12:52 PM
Thank you @moulik. It is working.

moulik

12/26/2019, 12:55 PM
Awesome!

ASHISH TIWARI

12/26/2019, 1:10 PM
Can we specify a custom tag on endpoint agents using --host_identifier=specified? Also, logs coming from rsyslog do not have a hostname or machine name, so is it possible to append the hostname and a specific tag to each and every log coming from an endpoint?

moulik

12/26/2019, 1:21 PM
There is an attribute in this file https://github.com/polylogyx/plgx-esp/blob/master/plgx-esp/polylogyx/settings.py : POLYLOGYX_ENROLL_DEFAULT_TAGS. If you set this variable, these tags will be automatically applied to newly enrolled endpoints.
Can you change the line in the file (line 327) https://github.com/polylogyx/plgx-esp/blob/master/plgx-esp/polylogyx/api.py
log_tee.handle_result(data, host_identifier=node.host_identifier)
to
log_tee.handle_result(data, host_identifier=node.host_identifier,node=node.to_dict())

ASHISH TIWARI

12/26/2019, 4:46 PM
Thank you @moulik, log_tee.handle_result(data, host_identifier=node.host_identifier,node=node.to_dict()) is working.
For adding a custom tag, I am not sure what needs to be done here, as in settings.py it is defined as: POLYLOGYX_ENROLL_DEFAULT_TAGS[] I want to add a tag like this on the endpoint --host_identifier=specified --specified_identifier=ASHISH123 and append this information to all results coming from that endpoint.

moulik

12/27/2019, 6:00 AM
These are osquery-specific attributes, and tags are something which is server-specific. You can create a list of predefined tags in this array (POLYLOGYX_ENROLL_DEFAULT_TAGS) and every time an endpoint registers, these tags will get automatically applied.