Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
m
Matt Ackard
11/30/2021, 10:04 PMHi all. I'm trying to run the osqueryi profiler on some custom extension tables and am not having any luck. I can run osqueryi interactively and all works. Passing the query directly to osqueryi along with an
extensions_requireprofile_delayworking with require flag
osquery]# osqueryi --extensions_require /etc/osquery/endsecmon.ext "select * from ecs_info;" --verbose
I1130 21:55:48.637089 5044 init.cpp:357] osquery initialized [version=4.9.0]
I1130 21:55:48.637485 5044 extensions.cpp:438] Found autoloadable extension: /etc/osquery/endsecmon.ext
I1130 21:55:48.637588 5044 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55711ea10868) to thread: 140693170312960 (0x55711ea12ec0) in process 5044
I1130 21:55:48.637881 5044 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55711ea26878) to thread: 140693161920256 (0x55711ea1f0b0) in process 5044
I1130 21:55:48.637939 5044 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55711ea0eef8) to thread: 140693153527552 (0x55711ea1b2b0) in process 5044
I1130 21:55:48.638526 5045 watcher.cpp:658] Created and monitoring extension child (5048): /etc/osquery/endsecmon.ext
I1130 21:55:48.639202 5047 interface.cpp:299] Extension manager service starting: /root/.osquery/shell.em
I1130 21:55:48.849835 5072 interface.cpp:137] Registering extension (endsecmon, 45104, version=, sdk=)
I1130 21:55:48.876806 5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_container_software
I1130 21:55:48.876834 5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_container_software_export
I1130 21:55:48.876840 5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_containers_all
I1130 21:55:48.876847 5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_image_software
I1130 21:55:48.876852 5072 registry_factory.cpp:107] Extension 45104 registered table plugin ecs_config
I1130 21:55:48.876857 5072 registry_factory.cpp:107] Extension 45104 registered table plugin ecs_info
W1130 21:55:51.748333 5044 extensions.cpp:781] Required extension not found or not loaded: /etc/osquery/endsecmon.ext
E1130 21:55:51.748381 5044 init.cpp:570] An error occurred during extension manager startup: Required extension not found or not loaded: /etc/osquery/endsecmon.ext
I1130 21:55:51.748417 5044 auto_constructed_tables.cpp:97] Removing stale ATC entries
I1130 21:55:51.751497 5044 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node
I1130 21:55:51.753219 5044 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
| ecs_cluster | ecs_config_exists | ecs_awsvpc_block_imds | ecs_container_instance_tags | ecs_instance_attributes |
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
| ${cluster_name} | true | false | {} | {} |
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
I1130 21:55:51.757611 5044 dispatcher.cpp:149] Thread: 140693192668864 requesting a stop
I1130 21:55:51.965121 5044 dispatcher.cpp:156] Service: 0x55711ea10868 has been interrupted
I1130 21:55:51.965169 5044 dispatcher.cpp:156] Service: 0x55711ea26878 has been interrupted
I1130 21:55:51.965196 5044 dispatcher.cpp:156] Service: 0x55711ea0eef8 has been interrupted
I1130 21:55:51.965207 5044 dispatcher.cpp:122] Thread: 140693192668864 requesting a join
I1130 21:55:51.965361 5046 extensions.cpp:244] Extension UUID 45104 shutdown request failed
I1130 21:55:51.965759 5044 dispatcher.cpp:140] Service thread: 0x55711ea1b2b0 has joined
I1130 21:55:51.966540 5044 dispatcher.cpp:140] Service thread: 0x55711ea1f0b0 has joined
I1130 21:55:51.967247 5044 dispatcher.cpp:140] Service thread: 0x55711ea12ec0 has joined
I1130 21:55:51.967270 5044 dispatcher.cpp:144] Services and threads have been clearedtrying the same with --profile
osqueryi --extensions_require /etc/osquery/endsecmon.ext "select * from ecs_info;" --verbose --profile 1
I1130 21:55:59.835947 5397 init.cpp:357] osquery initialized [version=4.9.0]
I1130 21:55:59.836236 5397 extensions.cpp:438] Found autoloadable extension: /etc/osquery/endsecmon.ext
I1130 21:55:59.836323 5397 dispatcher.cpp:78] Adding new service: WatcherRunner (0x5589d1b26868) to thread: 139697988925184 (0x5589d1b28ec0) in process 5397
I1130 21:55:59.836861 5398 watcher.cpp:658] Created and monitoring extension child (5399): /etc/osquery/endsecmon.ext
Query failed (1): no such table: ecs_info
I1130 21:55:59.866814 5397 dispatcher.cpp:149] Thread: 139698011281088 requesting a stop
I1130 21:56:00.067754 5397 dispatcher.cpp:156] Service: 0x5589d1b26868 has been interrupted
I1130 21:56:00.067793 5397 dispatcher.cpp:122] Thread: 139698011281088 requesting a join
I1130 21:56:00.067950 5397 dispatcher.cpp:140] Service thread: 0x5589d1b28ec0 has joined
I1130 21:56:00.067975 5397 dispatcher.cpp:144] Services and threads have been cleared