https://github.com/osquery/osquery logo
Powered by
#kolide
Title
# kolide
w

Woogs

03/15/2019, 10:41 PM
For packs being pushed down via fleet, what will cause a scheduled query to reset its counter value to 0? Today I modified a single query, that's included in a pack to a handful of systems, and I'm noticing that the counter values on other, unrelated and unchanged queries ended up being reset and were back at 0
z

zwass

03/15/2019, 10:44 PM
By what means did you modify the query?
w

Woogs

03/16/2019, 8:01 PM
I just changed one of the columns in the SELECT for the query
z

zwass

03/17/2019, 7:54 PM
Was this via the web ui or fleetctl?
w

Woogs

03/18/2019, 3:52 AM
UI
Looking at more historical data, I'm actually seeing query results with the counter set to back to 0 much more frequently then I would expect, especially given I don't recall making any changes to queries. Perhaps the counter value doesn't work like I expected, I thought the value would always increase.
The other thing to note, looking at my status log on fleet, I'm seeing entries for 
"filename":"query.cpp","line":"115","message":"Scheduled query has been updated: pack/
followed by the pack name/query name that it thinks is changing. Except its listing queries that definitely haven't changed in months. So for some reason osquery thinks the query is changing.
z

zwass

03/19/2019, 2:42 AM
If you can reproduce this it would be interesting to enable —verbose —tls_dump logs and see whether the query sent over is actually changing or if it could be a bug on the osquery side.
w

Woogs

03/19/2019, 5:57 PM
Do you happen to know if it's possible to run osquery with tls_dump and verbose and redirect that extra verbosity/tls_dump into just a standard log file? I can't reliably reproduce, but I can at least let it run with those two flags in the background and wait to see that message about a query being updated. It might take a couple of days to trigger on its own, so I don't want to necessarily have to run osquery as a non-daemon
z

zwass

03/20/2019, 4:23 PM
How are you running osquery? Can you configure stderr to go to a file?
w

Woogs

03/20/2019, 5:50 PM
That's what I ended up doing and caught one of the log messages about the query being updated (there haven't been any query updates in days), but I don't see anything of note or any reasoning in the output on the client. The message came about in between osqueryd doing a config refresh, the one previous to this event was ~4 minutes prior. Best I can tell, would seem like it's being triggered as a result of the scheduled query running. I don't see any differences between the query getting sent down to the endpoint either. Looks consistent at each checkin
Copy code
I0320 15:21:37.129468 33521 scheduler.cpp:100] Executing scheduled query pack/BaseSystemInfo/groups: SELECT * FROM groups where gid<10000;
I0320 15:21:37.137094 33521 query.cpp:115] Scheduled query has been updated: pack/BaseSystemInfo/groups
Copy code
"groups": {
          "query": "SELECT * FROM groups where gid\u003c10000;",
          "interval": 86400,
          "platform": "",
          "version": "",
          "removed": true
        },
Powered by