Hi all I m trying to run the osqueryi profiler on some custo osquery #extensions

Hi all. I'm trying to run the osqueryi profiler on...

Matt Ackard

11/30/2021, 10:04 PM

Hi all. I'm trying to run the osqueryi profiler on some custom extension tables and am not having any luck. I can run osqueryi interactively and all works. Passing the query directly to osqueryi along with an

extensions_require

flag works too. Can't pass the query directly if the extensions require flag is not passed. Everything works fine in osqueryd as well. If I try adding

profile_delay

it seems like the extension can't connect to the socket. Has anyone run into this issue? I'll add some osqueryi outputs in thread

Matt Ackard

11/30/2021, 10:05 PM

working with require flag

Copy code

osquery]# osqueryi --extensions_require /etc/osquery/endsecmon.ext "select * from ecs_info;" --verbose
I1130 21:55:48.637089  5044 init.cpp:357] osquery initialized [version=4.9.0]
I1130 21:55:48.637485  5044 extensions.cpp:438] Found autoloadable extension: /etc/osquery/endsecmon.ext
I1130 21:55:48.637588  5044 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55711ea10868) to thread: 140693170312960 (0x55711ea12ec0) in process 5044
I1130 21:55:48.637881  5044 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55711ea26878) to thread: 140693161920256 (0x55711ea1f0b0) in process 5044
I1130 21:55:48.637939  5044 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55711ea0eef8) to thread: 140693153527552 (0x55711ea1b2b0) in process 5044
I1130 21:55:48.638526  5045 watcher.cpp:658] Created and monitoring extension child (5048): /etc/osquery/endsecmon.ext
I1130 21:55:48.639202  5047 interface.cpp:299] Extension manager service starting: /root/.osquery/shell.em
I1130 21:55:48.849835  5072 interface.cpp:137] Registering extension (endsecmon, 45104, version=, sdk=)
I1130 21:55:48.876806  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_container_software
I1130 21:55:48.876834  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_container_software_export
I1130 21:55:48.876840  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_containers_all
I1130 21:55:48.876847  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_image_software
I1130 21:55:48.876852  5072 registry_factory.cpp:107] Extension 45104 registered table plugin ecs_config
I1130 21:55:48.876857  5072 registry_factory.cpp:107] Extension 45104 registered table plugin ecs_info
W1130 21:55:51.748333  5044 extensions.cpp:781] Required extension not found or not loaded: /etc/osquery/endsecmon.ext
E1130 21:55:51.748381  5044 init.cpp:570] An error occurred during extension manager startup: Required extension not found or not loaded: /etc/osquery/endsecmon.ext
I1130 21:55:51.748417  5044 auto_constructed_tables.cpp:97] Removing stale ATC entries
I1130 21:55:51.751497  5044 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node
I1130 21:55:51.753219  5044 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
| ecs_cluster     | ecs_config_exists | ecs_awsvpc_block_imds | ecs_container_instance_tags | ecs_instance_attributes |
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
| ${cluster_name} | true              | false                 | {}                          | {}                      |
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
I1130 21:55:51.757611  5044 dispatcher.cpp:149] Thread: 140693192668864 requesting a stop
I1130 21:55:51.965121  5044 dispatcher.cpp:156] Service: 0x55711ea10868 has been interrupted
I1130 21:55:51.965169  5044 dispatcher.cpp:156] Service: 0x55711ea26878 has been interrupted
I1130 21:55:51.965196  5044 dispatcher.cpp:156] Service: 0x55711ea0eef8 has been interrupted
I1130 21:55:51.965207  5044 dispatcher.cpp:122] Thread: 140693192668864 requesting a join
I1130 21:55:51.965361  5046 extensions.cpp:244] Extension UUID 45104 shutdown request failed
I1130 21:55:51.965759  5044 dispatcher.cpp:140] Service thread: 0x55711ea1b2b0 has joined
I1130 21:55:51.966540  5044 dispatcher.cpp:140] Service thread: 0x55711ea1f0b0 has joined
I1130 21:55:51.967247  5044 dispatcher.cpp:140] Service thread: 0x55711ea12ec0 has joined
I1130 21:55:51.967270  5044 dispatcher.cpp:144] Services and threads have been cleared

Matt Ackard

11/30/2021, 10:06 PM

trying the same with --profile

Copy code

osqueryi --extensions_require /etc/osquery/endsecmon.ext "select * from ecs_info;" --verbose --profile 1
I1130 21:55:59.835947  5397 init.cpp:357] osquery initialized [version=4.9.0]
I1130 21:55:59.836236  5397 extensions.cpp:438] Found autoloadable extension: /etc/osquery/endsecmon.ext
I1130 21:55:59.836323  5397 dispatcher.cpp:78] Adding new service: WatcherRunner (0x5589d1b26868) to thread: 139697988925184 (0x5589d1b28ec0) in process 5397
I1130 21:55:59.836861  5398 watcher.cpp:658] Created and monitoring extension child (5399): /etc/osquery/endsecmon.ext
Query failed (1): no such table: ecs_info
I1130 21:55:59.866814  5397 dispatcher.cpp:149] Thread: 139698011281088 requesting a stop
I1130 21:56:00.067754  5397 dispatcher.cpp:156] Service: 0x5589d1b26868 has been interrupted
I1130 21:56:00.067793  5397 dispatcher.cpp:122] Thread: 139698011281088 requesting a join
I1130 21:56:00.067950  5397 dispatcher.cpp:140] Service thread: 0x5589d1b28ec0 has joined
I1130 21:56:00.067975  5397 dispatcher.cpp:144] Services and threads have been cleared

35 Views

Open in Slack

Previous Next