#windows

groob

12/02/2018, 12:13 AM
Hey @thor, Mike was saying something about Windows services without watchdog + extensions possibly causing some weird behavior? I'm curious if you have some more details. I can't repro that myself.

Anjali

12/03/2018, 3:09 AM
Hi @groob, I have some weird behaviour on Windows with the service and watchdogs. I have an extension in Go based on Kolide osquery-go, and the setup is Win Server 2016, with OSQ 3.3.1, with osqueryd running as a service. There's an osquery.flags with the watchdog disabled and a few other flags, and an osquery.conf pointing to a packs file. Relevant log lines below. It's the same osqueryd process 3716, the extension is registered, and all is sweet with queries running as expected. Then at some point ~10 hours later the extension goes away. I am not sure if the extension crashed or what has happened. After that the OSQ watcher is trying to restart it, and the weird behaviour starts. The extension watchdog should be off since it is disabled by default, and it's not enabled in my flags file either. The extension is not set as "required" either.
D:\dev\test\3Dec\log\osqueryd.INFO.20181129-212728.3716 (2 hits)
	Line 6: I1129 21:27:28.158903  4480 interface.cpp:105] Registering extension (testext, 12976, version=, sdk=)
	Line 7: I1129 21:27:28.159905  4480 registry_factory.cpp:109] Extension 12976 registered table plugin testext_table
  D:\dev\test\3Dec\log\osqueryd.INFO.20181130-054055.3716 (5 hits)
	Line 70714: I1130 07:42:09.150415  4464 extensions.cpp:305] Extension UUID 12976 has gone away
	Line 76783: I1130 08:13:51.688372  2400 watcher.cpp:629] Created and monitoring extension child (3864): C:\ProgramData\osquery\testext\testext.exe
	Line 77902: I1130 08:15:00.154594  2852 interface.cpp:105] Registering extension (testext, 11586, version=, sdk=)
	Line 78234: W1130 08:15:07.172192  2400 watcher.cpp:595] Extension respawning too quickly: C:\ProgramData\osquery\testext\testext.exe
	Line 78246: I1130 08:15:07.187816  2400 watcher.cpp:629] Created and monitoring extension child (1012): C:\ProgramData\osquery\testext\testext.exe
  D:\dev\test\3Dec\log\osqueryd.INFO.20181130-081508.3716 (9977 hits)
	Line 777: I1130 08:15:11.078513  3924 interface.cpp:105] Registering extension (testext, 24354, version=, sdk=)
	Line 778: I1130 08:15:11.078513  3924 registry_factory.cpp:84] Extension 24354 has duplicate plugin name: testext_table in registry: table
	Line 779: W1130 08:15:11.079512  3924 interface.cpp:111] Could not add extension testext: Duplicate registry item: testext_table
	Line 921: W1130 08:15:11.781533  2852 interface.cpp:111] Could not add extension testext: SQLITE_ERROR
	Line 923: I1130 08:15:13.328397  4464 extensions.cpp:273] Extension UUID 11586 initial check failed
	Line 924: W1130 08:15:13.328397  2400 watcher.cpp:595] Extension respawning too quickly: C:\ProgramData\osquery\testext\testext.exe
	Line 925: I1130 08:15:13.328397  2400 watcher.cpp:629] Created and monitoring extension child (4388): C:\ProgramData\osquery\testext\testext.exe
	Line 926: I1130 08:15:13.495498   172 interface.cpp:105] Registering extension (testext, 7984, version=, sdk=)
	<snip>
	... and so it goes