# eclecticiq-polylogyx-extension
a
However I am not seeing any entry in the result_log table.
polylogyx=# select * from result_log
polylogyx-#
m
Are you running the server using docker containers?
I meant to ask: are you trying to run the server through the command line on the host machine directly? We save the incoming scheduled query data using a celery worker, and that needs to be running.
a
Yes, I am running server as docker container
I have seen the celery worker running inside the plgx-esp_plgx-esp_1 container. I have scheduled a simple query "select * from processes" but get no data, so I am not sure what else could be wrong or missing?
o
how are you adding the query?
Are the default set of queries working?
a
Yes, the default set of queries is working. I can see results in the log file.
o
did you connect the newly added query and the target endpoint with a 'tag'?
a
Yes, I added query and target via tag
Also I updated pack/all-events-pack/ with a new query, Windows-Native-Logs: SELECT * from windows_events where source = 'Security' or source = 'Microsoft-Windows-Windows Defender/Operational' or source = 'microsoft-windows-powershell/operational'
I am seeing the query running in the status.log file but no result in the result.log file.
o
And there are relevant events in the Windows event viewer that you expect? I mean, I am wondering whether it's a situation where there are simply no events.
a
Yes, there are events in the event viewer.
Also I am seeing these logs in /var/log/plgx_srv.log:
2019-12-24 184810,216--E--140116265395408--append_node_information_to_result_log--'NoneType' object is not subscriptable
2019-12-24 184810,217--E--140116265395408--append_node_information_to_result_log--'NoneType' object is not subscriptable
m
I don't see any tags attached to the query in the screenshot you have shared. Add the same tag to a query and the desired endpoint.
a
Thank you @moulik. It is working
m
Awesome!
a
Can we specify a custom tag on endpoint agents using --host_identifier=specified? Also, logs coming from rsyslog do not have a hostname or machine name, so is it possible to append the hostname and a specific tag to each and every log coming from the endpoint?
m
There is an attribute, POLYLOGYX_ENROLL_DEFAULT_TAGS, in this file: https://github.com/polylogyx/plgx-esp/blob/master/plgx-esp/polylogyx/settings.py. If you set this variable, these tags will be automatically applied to newly enrolled endpoints.
Can you change the line (line 327) in the file https://github.com/polylogyx/plgx-esp/blob/master/plgx-esp/polylogyx/api.py from
log_tee.handle_result(data, host_identifier=node.host_identifier)
to
log_tee.handle_result(data, host_identifier=node.host_identifier,node=node.to_dict())
a
Thank you @moulik, log_tee.handle_result(data, host_identifier=node.host_identifier,node=node.to_dict()) is working.
For adding a custom tag, I am not sure what needs to be done here, as in settings.py it is defined as: POLYLOGYX_ENROLL_DEFAULT_TAGS[]
I want to add a tag like this on the endpoint: --host_identifier=specified --specified_identifier=ASHISH123, and append this information to all results coming from that endpoint.
m
Those are osquery-specific attributes, whereas tags are something server-specific. You can create a list of predefined tags in this array (POLYLOGYX_ENROLL_DEFAULT_TAGS), and every time an endpoint registers, these tags will get automatically applied.