Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
g
groob
12/02/2018, 12:13 AMHey @thor mike was saying something about windows services without watchdog+extensions might cause some weird behavior?
I’m curious if you have some more details. I can’t repro that myself.
a
Anjali
12/03/2018, 3:09 AMHi @groob, I have some weird behaviour on Windows with service and watchdogs.
I have an extension in Go based on Kolide osquery-go, and the setup is Win Server 2016, with OSQ 3.3.1, with osqueryd running as a service.
Theres osquery.flags with watchdog disabled and a few other flags, a osquery.conf pointing to a packs file.
Relevant log lines below. Its the same osqueryd process 3716, extension is registered, and all is sweet with queries running as expected.
Then at some point ~10 hours later the extension goes away. I am not sure if the extension crashed or what has happened.
After that OSQ watcher is trying to restart it, and weird behaviour starts.
The extension watchdog should be off since it is disabled by default, and its not enabled in my flags file either. The extension is not set as "required" either.
D:\dev\test\3Dec\log\osqueryd.INFO.20181129-212728.3716 (2 hits)
Line 6: I1129 21:27:28.158903 4480 interface.cpp:105] Registering extension (testext, 12976, version=, sdk=)
Line 7: I1129 21:27:28.159905 4480 registry_factory.cpp:109] Extension 12976 registered table plugin testext_table
D:\dev\test\3Dec\log\osqueryd.INFO.20181130-054055.3716 (5 hits)
Line 70714: I1130 07:42:09.150415 4464 extensions.cpp:305] Extension UUID 12976 has gone away
Line 76783: I1130 08:13:51.688372 2400 watcher.cpp:629] Created and monitoring extension child (3864): C:\ProgramData\osquery\testext\testext.exe
Line 77902: I1130 08:15:00.154594 2852 interface.cpp:105] Registering extension (testext, 11586, version=, sdk=)
Line 78234: W1130 08:15:07.172192 2400 watcher.cpp:595] Extension respawning too quickly: C:\ProgramData\osquery\testext\testext.exe
Line 78246: I1130 08:15:07.187816 2400 watcher.cpp:629] Created and monitoring extension child (1012): C:\ProgramData\osquery\testext\testext.exe
D:\dev\test\3Dec\log\osqueryd.INFO.20181130-081508.3716 (9977 hits)
Line 777: I1130 08:15:11.078513 3924 interface.cpp:105] Registering extension (testext, 24354, version=, sdk=)
Line 778: I1130 08:15:11.078513 3924 registry_factory.cpp:84] Extension 24354 has duplicate plugin name: testext_table in registry: table
Line 779: W1130 08:15:11.079512 3924 interface.cpp:111] Could not add extension testext: Duplicate registry item: testext_table
Line 921: W1130 08:15:11.781533 2852 interface.cpp:111] Could not add extension testext: SQLITE_ERROR
Line 923: I1130 08:15:13.328397 4464 extensions.cpp:273] Extension UUID 11586 initial check failed
Line 924: W1130 08:15:13.328397 2400 watcher.cpp:595] Extension respawning too quickly: C:\ProgramData\osquery\testext\testext.exe
Line 925: I1130 08:15:13.328397 2400 watcher.cpp:629] Created and monitoring extension child (4388): C:\ProgramData\osquery\testext\testext.exe
Line 926: I1130 08:15:13.495498 172 interface.cpp:105] Registering extension (testext, 7984, version=, sdk=)
<snip>
... and so it goes