Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
w
Woogs
03/15/2019, 10:41 PMFor packs being pushed down via fleet, what will cause a scheduled query to reset its counter value to 0? Today I modified a single query, that's included in a pack to a handful of systems, and I'm noticing that the counter values on other, unrelated and unchanged queries ended up being reset and were back at 0
z
zwass
03/15/2019, 10:44 PMBy what means did you modify the query?
w
Woogs
03/16/2019, 8:01 PMI just changed one of the columns in the SELECT for the query
z
zwass
03/17/2019, 7:54 PMWas this via the web ui or fleetctl?
w
Woogs
03/18/2019, 3:52 AMUI
Looking at more historical data, I'm actually seeing query results with the counter set to back to 0 much more frequently then I would expect, especially given I don't recall making any changes to queries. Perhaps the counter value doesn't work like I expected, I thought the value would always increase.
The other thing to note, looking at my status log on fleet, I'm seeing entries for
"filename":"query.cpp","line":"115","message":"Scheduled query has been updated: pack/z
zwass
03/19/2019, 2:42 AMIf you can reproduce this it would be interesting to enable —verbose —tls_dump logs and see whether the query sent over is actually changing or if it could be a bug on the osquery side.
w
Woogs
03/19/2019, 5:57 PMDo you happen to know if it's possible to run osquery with tls_dump and verbose and redirect that extra verbosity/tls_dump into just a standard log file? I can't reliably reproduce, but I can at least let it run with those two flags in the background and wait to see that message about a query being updated. It might take a couple of days to trigger on its own, so I don't want to necessarily have to run osquery as a non-daemon
z
zwass
03/20/2019, 4:23 PMHow are you running osquery? Can you configure stderr to go to a file?
w
Woogs
03/20/2019, 5:50 PMThat's what I ended up doing and caught one of the log messages about the query being updated (there haven't been any query updates in days), but I don't see anything of note or any reasoning in the output on the client. The message came about in between osqueryd doing a config refresh, the one previous to this event was ~4 minutes prior. Best I can tell, would seem like it's being triggered as a result of the scheduled query running. I don't see any differences between the query getting sent down to the endpoint either. Looks consistent at each checkin
I0320 15:21:37.129468 33521 scheduler.cpp:100] Executing scheduled query pack/BaseSystemInfo/groups: SELECT * FROM groups where gid<10000;
I0320 15:21:37.137094 33521 query.cpp:115] Scheduled query has been updated: pack/BaseSystemInfo/groups"groups": {
"query": "SELECT * FROM groups where gid\u003c10000;",
"interval": 86400,
"platform": "",
"version": "",
"removed": true
},