Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
Alex Woolford
10/15/2019, 12:10 AMSo, the immediate question is: what should the string that is currently
schedule-process_portprocess-portz
zwass
10/15/2019, 12:13 AMI am not super familiar with Kafka logging but my feeling is that you may need to put it in a pack and then use
pack_<pack_name>_<query_name>@Alex Woolford
a
Alex Woolford
10/15/2019, 12:17 AMGotcha. I’ll put it in a pack.
z
zwass
10/15/2019, 1:35 AMDid it work with a pack?
a
Alex Woolford
10/15/2019, 2:11 AMThe output ends up being written to the
catchallbase_topic{
"options": {
"logger_kafka_brokers": "<http://cp01.woolford.io:9092,cp02.woolford.io:9092,cp03.woolford.io:9092|cp01.woolford.io:9092,cp02.woolford.io:9092,cp03.woolford.io:9092>",
"logger_kafka_topic": "base_topic",
"logger_kafka_acks": "1"
},
"packs": {
"system-snapshot": {
"queries": {
"processes_by_port": {
"query": "select u.username, p.pid, p.name, pos.local_address, pos.local_port, pos.remote_address, pos.remote_port from processes p join users u on u.uid = p.uid join process_open_sockets pos on pos.pid=p.pid where pos.remote_port != '0'",
"interval": 10,
"snapshot": false
}
}
}
},
"kafka_topics": {
"process-port": [
"pack_system-snapshot_processes_by_port"
]
}
}