https://github.com/osquery/osquery logo
Join Slack
Powered by
For packs being pushed down via fleet, what will c...
# kolide
w
For packs being pushed down via fleet, what will cause a scheduled query to reset its counter value to 0? Today I modified a single query, that's included in a pack to a handful of systems, and I'm noticing that the counter values on other, unrelated and unchanged queries ended up being reset and were back at 0
z
By what means did you modify the query?
w
I just changed one of the columns in the SELECT for the query
z
Was this via the web ui or fleetctl?
w
UI
Looking at more historical data, I'm actually seeing query results with the counter set to back to 0 much more frequently then I would expect, especially given I don't recall making any changes to queries. Perhaps the counter value doesn't work like I expected, I thought the value would always increase.
The other thing to note, looking at my status log on fleet, I'm seeing entries for 
"filename":"query.cpp","line":"115","message":"Scheduled query has been updated: pack/
followed by the pack name/query name that it thinks is changing. Except its listing queries that definitely haven't changed in months. So for some reason osquery thinks the query is changing.
z
If you can reproduce this it would be interesting to enable —verbose —tls_dump logs and see whether the query sent over is actually changing or if it could be a bug on the osquery side.
w
Do you happen to know if it's possible to run osquery with tls_dump and verbose and redirect that extra verbosity/tls_dump into just a standard log file? I can't reliably reproduce, but I can at least let it run with those two flags in the background and wait to see that message about a query being updated. It might take a couple of days to trigger on its own, so I don't want to necessarily have to run osquery as a non-daemon
z
How are you running osquery? Can you configure stderr to go to a file?
w
That's what I ended up doing and caught one of the log messages about the query being updated (there haven't been any query updates in days), but I don't see anything of note or any reasoning in the output on the client. The message came about in between osqueryd doing a config refresh, the one previous to this event was ~4 minutes prior. Best I can tell, would seem like it's being triggered as a result of the scheduled query running. I don't see any differences between the query getting sent down to the endpoint either. Looks consistent at each checkin
Copy code
I0320 15:21:37.129468 33521 scheduler.cpp:100] Executing scheduled query pack/BaseSystemInfo/groups: SELECT * FROM groups where gid<10000;
I0320 15:21:37.137094 33521 query.cpp:115] Scheduled query has been updated: pack/BaseSystemInfo/groups
Copy code
"groups": {
          "query": "SELECT * FROM groups where gid\u003c10000;",
          "interval": 86400,
          "platform": "",
          "version": "",
          "removed": true
        },
Open in Slack
PreviousNext
Powered by