However I am not seeing any entry in result log table polylo

Question

However I am not seeing any entry in result log table polylogyx= select from result log polylogyx

moulik · Answer

Are you running the server using docker containers

moulik · Answer

I meant to say that are you trying to run the server through command line on host machine directly We save the incoming scheduled query data using celery worker and that needs to be running

ASHISH TIWARI · Answer

Yes I am running server as docker container

ASHISH TIWARI · Answer

I have seen celery worker running inside plgx esp plgx esp 1 container I have schedule a simple query select from processes but no data so Not sure what else could be wrong or missing

OpenPlgx · Answer

how are you adding the query

OpenPlgx · Answer

are the default set of queries workiing

ASHISH TIWARI · Answer

Yes Default set of query is working I can see result in log file

OpenPlgx · Answer

did you connect the newly added query and the target endpoint with a tag

ASHISH TIWARI · Answer

Yes I added query and target via tag

ASHISH TIWARI · Answer

Also I updated pack all events pack with new query Windows Native Logs SELECT from windows events where source = Security or source = Microsoft Windows Windows Defender Operational or source = microsoft windows powershell operational

ASHISH TIWARI · Answer

I am seeing query running in status log file but no result in result log file

OpenPlgx · Answer

And there are relevant events in the windows event viewer that you expect I mean i am wondering it s not a situation where there are no events

ASHISH TIWARI · Answer

yes There is events in event viewer

ASHISH TIWARI · Answer

also I am seeing this logs in var log plgx srv log

ASHISH TIWARI · Answer

2019 12 24 18 48 10 216 E 140116265395408 append node information to result log NoneType object is not subscriptable 2019 12 24 18 48 10 217 E 140116265395408 append node information to result log NoneType object is not subscriptable

moulik · Answer

I don t see any tags attached to the query from the screenshot you have shared Add the same tag to a `query` and the desired `endpoint`

ASHISH TIWARI · Answer

Thank you < moulik> It is working

moulik · Answer

Awesome

ASHISH TIWARI · Answer

Can we specify custom tag on endpoint agents using host identifier=specified 7 54 AM Also log coming from rsyslog do not have hostname or machine name so is it possible to append hostname and specific tag in each and every logs coming from endpoint

moulik · Answer

There is an attribute in this file <https github com polylogyx plgx esp blob master plgx esp polylogyx settings py> POLYLOGYX ENROLL DEFAULT TAGS If you set this variable these tags will be automatically applied to the newly enrolled endpoints

moulik · Answer

Can you change the line in the file line 327 <https github com polylogyx plgx esp blob master plgx esp polylogyx api py> `log tee handle result data host identifier=node host identifier ` to `log tee handle result data host identifier=node host identifier node=node to dict `

ASHISH TIWARI · Answer

Thank you < moulik> log tee handle result data host identifier=node host identifier node=node to dict is working

ASHISH TIWARI · Answer

For adding a custom tag I am not sure what need to done here as in setting py it is define as POLYLOGYX ENROLL DEFAULT TAGS I want to add tag like this in endpoint host identifier=specified specified identifier=ASHISH123 and append this information in all results coming from that endpoint

moulik · Answer

These are osquery specific attributes and tags are something which is server specific You can create a list of predefined tags in this array POLYLOGYX ENROLL DEFAULT TAGS and everytime an endpoint will register these tags will get automatically applied