Sorry if this has been asked before but is there documentati osquery #kolide

Sorry if this has been asked before but is there d...

Ayan

08/26/2020, 7:51 PM

Sorry if this has been asked before but is there documentation support for querying custom tables in osquery using fleet? I can query it using osqueryi but fleet fails to produce results.

zwass

08/26/2020, 7:52 PM

You query them the same way as any other table. If that's not working it is probably because you have not configured osqueryd to include the table.

zwass

08/26/2020, 7:52 PM

You can use

select * from osquery_tables

to check

Ayan

08/26/2020, 8:00 PM

Appreciate your prompt response. I have setup my endpoint using the launcher so I did not configure osqueryd at all

Ayan

08/26/2020, 8:02 PM

I tried checking osquery_extensions table and it shows there is one connection (I only have one custom table at the moment at the endpoint). The output is ambiguous because it does not show extension name

zwass

08/26/2020, 8:47 PM

Sounds like your extension is not connected. I'm not sure there is a way to include additional extensions with Launcher unless you modify the source code yourself.

Ayan

08/26/2020, 9:26 PM

Okay so osqueryd configuration is the only option

seph

08/26/2020, 9:44 PM

Is this an extension? Launcher starts osqeryd with an

extension_autoload

file. If

--extensions_require

is additive, you could use that. I could imagine supporting this in launcher, but I’m not up for writing that PR this week

Ayan

08/26/2020, 10:13 PM

Yes, it is an extension. I will need to use the

extension_autoload

flag with osqueryd as you and @zwass have pointed out. Thank you both!

🍻 1

seph

08/27/2020, 12:22 AM

Yes. Note that this should work through launcher.

Open in Slack

Previous Next