https://github.com/osquery/osquery logo
Powered by
Title
a

aby

02/02/2021, 10:18 PM
Is here a minimum supported OS version for I am running into issues with 
4.4.0-142-generic
&& 
Ubuntu 16.04.7 LTS
p:/home/superlog# osqueryi --verbose --disable_events=false --enable_bpf_events=true --events_expiry=1
I0202 16:22:35.706341   687 init.cpp:340] osquery initialized [version=4.6.0]
I0202 16:22:35.706419   687 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0202 16:22:35.706588   687 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x564027c14d58) to thread: 139977553381120 (0x564027c151e0) in process 687
I0202 16:22:35.706670   687 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x564027c1bbf8) to thread: 139977544988416 (0x564027c1be40) in process 687
I0202 16:22:35.706717   687 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0202 16:22:35.706832   691 interface.cpp:270] Extension manager service starting: /root/.osquery/shell.em
terminating with uncaught exception of type tob::StringError
Aborted (core dumped)
z

zwass

02/02/2021, 10:18 PM
Yeah you need 4.6.0
a

aby

02/02/2021, 10:19 PM
osqueryd --version
osqueryd version 4.6.0
z

zwass

02/02/2021, 10:20 PM
Ah sorry thought you meant osquery 4.4.0
@alessandrogario wonder if this is familiar to you?
a

alessandrogario

02/02/2021, 10:21 PM
nooo @ the uncaught exception! I have to fix it! thanks for bringing this up!
👍 1
BPF requires at least kernel 4.18 to work correctly
We use certain BPF map features that require something around ~4.10 but then we also capture cgroup information which raise the kernel requirements to 4.18
this should be roughly CentOS 8, and Ubuntu 18.10
a

aby

02/02/2021, 10:32 PM
@alessandrogario my kernel version is 
4.4.0-142-generic
but OS version is Ubuntu 16.
2 Views
#ebpfJoin Slack
Powered by