# extensions
Matt Ackard

11/30/2021, 10:04 PM
Hi all. I'm trying to run the osqueryi profiler on some custom extension tables and am not having any luck. I can run osqueryi interactively and all works. Passing the query directly to osqueryi along with an `extensions_require` flag works too. Can't pass the query directly if the extensions require flag is not passed. Everything works fine in osqueryd as well. If I try adding `profile_delay` it seems like the extension can't connect to the socket. Has anyone run into this issue? I'll add some osqueryi outputs in thread.
working with require flag
```
osquery]# osqueryi --extensions_require /etc/osquery/endsecmon.ext "select * from ecs_info;" --verbose
I1130 21:55:48.637089  5044 init.cpp:357] osquery initialized [version=4.9.0]
I1130 21:55:48.637485  5044 extensions.cpp:438] Found autoloadable extension: /etc/osquery/endsecmon.ext
I1130 21:55:48.637588  5044 dispatcher.cpp:78] Adding new service: WatcherRunner (0x55711ea10868) to thread: 140693170312960 (0x55711ea12ec0) in process 5044
I1130 21:55:48.637881  5044 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x55711ea26878) to thread: 140693161920256 (0x55711ea1f0b0) in process 5044
I1130 21:55:48.637939  5044 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x55711ea0eef8) to thread: 140693153527552 (0x55711ea1b2b0) in process 5044
I1130 21:55:48.638526  5045 watcher.cpp:658] Created and monitoring extension child (5048): /etc/osquery/endsecmon.ext
I1130 21:55:48.639202  5047 interface.cpp:299] Extension manager service starting: /root/.osquery/shell.em
I1130 21:55:48.849835  5072 interface.cpp:137] Registering extension (endsecmon, 45104, version=, sdk=)
I1130 21:55:48.876806  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_container_software
I1130 21:55:48.876834  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_container_software_export
I1130 21:55:48.876840  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_containers_all
I1130 21:55:48.876847  5072 registry_factory.cpp:107] Extension 45104 registered table plugin docker_image_software
I1130 21:55:48.876852  5072 registry_factory.cpp:107] Extension 45104 registered table plugin ecs_config
I1130 21:55:48.876857  5072 registry_factory.cpp:107] Extension 45104 registered table plugin ecs_info
W1130 21:55:51.748333  5044 extensions.cpp:781] Required extension not found or not loaded: /etc/osquery/endsecmon.ext
E1130 21:55:51.748381  5044 init.cpp:570] An error occurred during extension manager startup: Required extension not found or not loaded: /etc/osquery/endsecmon.ext
I1130 21:55:51.748417  5044 auto_constructed_tables.cpp:97] Removing stale ATC entries
I1130 21:55:51.751497  5044 smbios_tables.cpp:105] Reading SMBIOS from sysfs DMI node
I1130 21:55:51.753219  5044 events.cpp:36] Skipping subscriber: process_file_events: Subscriber disabled via configuration
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
| ecs_cluster     | ecs_config_exists | ecs_awsvpc_block_imds | ecs_container_instance_tags | ecs_instance_attributes |
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
| ${cluster_name} | true              | false                 | {}                          | {}                      |
+-----------------+-------------------+-----------------------+-----------------------------+-------------------------+
I1130 21:55:51.757611  5044 dispatcher.cpp:149] Thread: 140693192668864 requesting a stop
I1130 21:55:51.965121  5044 dispatcher.cpp:156] Service: 0x55711ea10868 has been interrupted
I1130 21:55:51.965169  5044 dispatcher.cpp:156] Service: 0x55711ea26878 has been interrupted
I1130 21:55:51.965196  5044 dispatcher.cpp:156] Service: 0x55711ea0eef8 has been interrupted
I1130 21:55:51.965207  5044 dispatcher.cpp:122] Thread: 140693192668864 requesting a join
I1130 21:55:51.965361  5046 extensions.cpp:244] Extension UUID 45104 shutdown request failed
I1130 21:55:51.965759  5044 dispatcher.cpp:140] Service thread: 0x55711ea1b2b0 has joined
I1130 21:55:51.966540  5044 dispatcher.cpp:140] Service thread: 0x55711ea1f0b0 has joined
I1130 21:55:51.967247  5044 dispatcher.cpp:140] Service thread: 0x55711ea12ec0 has joined
I1130 21:55:51.967270  5044 dispatcher.cpp:144] Services and threads have been cleared
```
trying the same with --profile
```
osqueryi --extensions_require /etc/osquery/endsecmon.ext "select * from ecs_info;" --verbose --profile 1
I1130 21:55:59.835947  5397 init.cpp:357] osquery initialized [version=4.9.0]
I1130 21:55:59.836236  5397 extensions.cpp:438] Found autoloadable extension: /etc/osquery/endsecmon.ext
I1130 21:55:59.836323  5397 dispatcher.cpp:78] Adding new service: WatcherRunner (0x5589d1b26868) to thread: 139697988925184 (0x5589d1b28ec0) in process 5397
I1130 21:55:59.836861  5398 watcher.cpp:658] Created and monitoring extension child (5399): /etc/osquery/endsecmon.ext
Query failed (1): no such table: ecs_info
I1130 21:55:59.866814  5397 dispatcher.cpp:149] Thread: 139698011281088 requesting a stop
I1130 21:56:00.067754  5397 dispatcher.cpp:156] Service: 0x5589d1b26868 has been interrupted
I1130 21:56:00.067793  5397 dispatcher.cpp:122] Thread: 139698011281088 requesting a join
I1130 21:56:00.067950  5397 dispatcher.cpp:140] Service thread: 0x5589d1b28ec0 has joined
I1130 21:56:00.067975  5397 dispatcher.cpp:144] Services and threads have been cleared
```