Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi :wave: ,

We are seeing a trend across our macos machines where the schedule counter for shell_history resets to 0 own its own. As a result, we keep getting duplicates old events into our logging endpoint. Can someone provide a guidance on how to start troubleshooting this? We havent been able to pinpoint the exact timestamp of the reset, and to guess what might caused this.

In case it’s necessary, we are still running the older version of osquery - 4.x

Thanks.

Could it be this?
&gt;  When `epoch` changes, counter will be reset back to `0`.
(from wiki, Deployment/Logging)

Thank you for the response. Unfortunately, when I check for that epoch field, the value always shows 0.

Is that expected? 

My understanding of the `epoch` is that it is how osquery knows the last time event results were gathered, so that it doesn't re-collect events older than that timestamp.

So I would expect epoch 0 on the initial query, but not after that, and if it were always 0, I might expect to see some duplicate results

Hmm surely what we’re seeing now is interesting then because the epoch value never change. Okay, I will see what I can do to investigate this further. Thanks.