https://github.com/osquery/osquery logo
Powered by
Title
a

alessandrogario

09/09/2019, 11:25 AM
@Ski alot can you restart osquery with the --verbose flag and paste here the output?
s

Ski alot

09/10/2019, 6:04 AM
I0811 14:53:52.564669 5740 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 14:53:52.658277 3948 events.cpp:784] Starting event publisher run loop: windows_events I0811 14:53:52.658277 5740 main.cpp:109] Not starting the distributed query service: Distributed query service not enabled. I0811 14:55:01.755991 5556 database.cpp:134] Resetting the database plugin: rocksdb I0811 14:55:02.317636 5556 rocksdb.cpp:134] Opening RocksDB handle: \ProgramData\osquery\osquery.db I0811 14:55:14.923404 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; E0811 14:55:15.219827 5556 scheduler.cpp:105] Error executing scheduled query foobar: Error running query: no such table: foobar I0811 14:55:15.360239 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 14:55:18.730098 3160 interface.cpp:105] Registering extension (fooextensionexa, 22760, version=1.0.0.0, sdk=1.8.0) I0811 14:55:18.730098 3160 registry_factory.cpp:109] Extension 22760 registered table plugin foobar I0811 14:56:12.928666 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 14:56:17.000579 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 14:56:32.149344 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 14:56:35.519203 5556 scheduler.cpp:165] Found results for query: foobar I0811 14:56:35.581609 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 14:58:08.985993 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 14:58:12.309048 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 14:58:28.378284 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 14:58:33.355067 5404 extensions.cpp:305] Extension UUID 22760 has gone away I0811 14:58:33.355067 5404 sqlite_util.cpp:223] DBManager contention: opening transient SQLite database I0811 14:58:35.445628 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 14:58:47.536558 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 14:58:47.973392 5556 scheduler.cpp:165] Found results for query: foobar I0811 14:58:48.035796 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 15:00:04.575284 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 15:00:04.934111 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 15:00:05.604964 4856 interface.cpp:105] Registering extension (fooextensionexa, 29898, version=1.0.0.0, sdk=1.8.0) W0811 15:00:05.604964 4856 interface.cpp:111] Could not add extension fooextensionexa: SQLITE_ERROR I0811 15:00:06.587838 5556 database.cpp:134] Resetting the database plugin: rocksdb I0811 15:00:06.619041 5556 rocksdb.cpp:134] Opening RocksDB handle: \ProgramData\osquery\osquery.db I0811 15:00:15.464921 5404 extensions.cpp:273] Extension UUID 29898 initial check failed I0811 15:00:23.795962 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 15:00:24.310801 5556 scheduler.cpp:165] Found results for query: foobar I0811 15:00:24.373206 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 15:00:43.047843 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 15:00:43.406671 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: )
I0811 15:00:44.904386 6828 interface.cpp:105] Registering extension (fooextensionexa, 1417, version=1.0.0.0, sdk=1.8.0) I0811 15:00:44.904386 6828 registry_factory.cpp:84] Extension 1417 has duplicate plugin name: foobar in registry: table W0811 15:00:44.904386 6828 interface.cpp:111] Could not add extension fooextensionexa: Duplicate registry item: foobar I0811 15:01:02.315325 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 15:01:02.549343 5404 extensions.cpp:305] Extension UUID 29898 has gone away I0811 15:01:02.674152 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: ) I0811 15:01:21.582808 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 15:01:21.879230 5556 killswitch.cpp:60] enum osquery::Killswitch::IsEnabledError 1 (Cannot call registry item: )
i placed the logs. Its a long log but i hope that it will help to understand
2 Views
#extensionsJoin Slack
Powered by