Hi everyone I wrote a custom table plugin that s working wit osquery #kolide

Hi everyone, I wrote a custom table plugin that’s ...

grant seltzer

04/14/2020, 11:26 PM

Hi everyone, I wrote a custom table plugin that’s working with osqueryi locally, but fleet is failing to query that table (returns 0 results, says 1 failed). What’s the best way to debug this?

zwass

04/15/2020, 12:06 AM

Live query

select * from osquery_extensions

to see if your extension is loaded.

grant seltzer

04/15/2020, 12:08 AM

I do see it loaded properly

grant seltzer

04/15/2020, 12:08 AM

Using that query

grant seltzer

04/15/2020, 12:09 AM

I also tried doing the auto table construction option and the results from those tables don’t work either

grant seltzer

04/15/2020, 12:09 AM

(i.e. https://blog.kolide.com/build-custom-osquery-tables-using-atc-ab112a30674c)

grant seltzer

04/15/2020, 12:09 AM

Does fleet have to know about the schema of these tables somehow?

zwass

04/15/2020, 12:10 AM

Nope, fleet just sends the query to osquery

zwass

04/15/2020, 12:10 AM

You can use

--verbose --tls_dump

with osquery to see what they are sending each other.

grant seltzer

04/15/2020, 12:18 AM

Hm, yea I do get log message for

"NewDistributedQueryCampaign"

grant seltzer

04/15/2020, 12:18 AM

and the query is correct, but no error messages

grant seltzer

04/15/2020, 12:18 AM

I just get the “1 Failure” in the UI

grant seltzer

04/15/2020, 12:20 AM

Should the auto tables show up as a result in

osquery_registry

grant seltzer

04/15/2020, 12:20 AM

They don’t, although the custom extension one does

zwass

04/15/2020, 12:21 AM

That I don't know. Maybe try another channel if Fleet is sending the correct query but osquery is not returning results.

grant seltzer

04/15/2020, 12:21 AM

Got it, thank you for your help!

zwass

04/15/2020, 2:37 AM

What was the issue?

Open in Slack

Previous Next