wcc526
01/29/2020, 3:41 AM
João Godinho
01/30/2020, 1:01 PM
ec2_instance_tags to decorate the hosts (during load), but it seems that some hosts miss one or more of the decorations, but I’m not sure why. I know the tags exist due to how the hosts are provisioned.
The configuration (and decorators) the hosts use is pushed using fleet when they register, the default one they have does not include the decorations, don’t know if it could be related, but since only some of the decorations are missing, doesn’t seem related.
I’m guessing that changing from load to always would probably fix this, but that would also increase the load for no reason, because the tags never change during a machine’s lifetime
Carl
01/30/2020, 5:50 PM
Stefano Bonicatti
01/31/2020, 6:37 PM
Jean M
02/03/2020, 3:01 PM
jackjack
02/03/2020, 9:53 PM
Barak Schoster
02/07/2020, 8:56 PM
joshua
02/08/2020, 11:16 AM
os-query packs
alessandrogario
Martin Westergaard Lassen
02/11/2020, 1:16 PM
usb_devices?
Eoin Miller
02/13/2020, 12:41 AMusers-Mac:~ user$ sudo osqueryi 'SELECT * FROM hash WHERE path = "/private/var/db/dslocal/nodes/Default/sqlindex"' --json
W0212 16:33:37.699832 448591296 hash.cpp:195] ssdeep failed: /private/var/db/dslocal/nodes/Default/sqlindex
[
{"directory":"/private/var/db/dslocal/nodes/Default","md5":"","path":"/private/var/db/dslocal/nodes/Default/sqlindex","sha1":"","sha256":"","ssdeep":"-1"}
]
Returning a -1 and putting that to the ssdeep value instead of an empty string also seems out of the ordinary.
https://github.com/osquery/osquery/blob/master/osquery/tables/system/hash.cpp#L194-L196
joshua
02/13/2020, 8:26 AM
This is the beginner level talk
Tony N
02/13/2020, 7:35 PM
Jason W
02/13/2020, 7:44 PM
shortstack
02/13/2020, 8:15 PM
msiexec /i C:\Windows\Temp\osquery-4.0.2.msi /qn on a Windows 10 endpoint, and it restarted the endpoint
thor
Stefano Bonicatti
02/15/2020, 12:40 PM
duongtt
02/17/2020, 5:06 AM
C:\osquery\tmp\osquery
+ use version 3.3.2 for building my own extension
+ run command as Administrator
+ while running .\tools\make-win64-dev-env.bat, edit provision.ps1 to ignore the corrupted download link of doxygen, then install it by myself
- My problem is: when I run .\tools\make-win64-binaries.bat, I met this LINKER error whether I add my extension to folder external or not
Creating library C:/osquery/tmp/osquery/build/windows10/osquery/Release/osqueryd.lib and object C:/osquery/tmp/osquery/build/windows10/osquery/Release/osqueryd.exp
libeay32.lib(b_sock.obj) : error LNK2001: unresolved external symbol __imp_htonl [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
osquery.lib(impl_thrift.obj) : error LNK2001: unresolved external symbol __imp_htonl [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
osquery.lib(rocksdb_database.obj) : error LNK2001: unresolved external symbol __imp_htonl [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
thriftmt.lib(TBufferTransports.obj) : error LNK2001: unresolved external symbol __imp_htonl [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
libeay32.lib(bss_conn.obj) : error LNK2001: unresolved external symbol __imp_htonl [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
osquery.lib(impl_thrift.obj) : error LNK2001: unresolved external symbol __imp_htons [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
osquery.lib(rocksdb_database.obj) : error LNK2001: unresolved external symbol __imp_htons [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
libeay32.lib(bss_conn.obj) : error LNK2001: unresolved external symbol __imp_htons [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
...
C:\osquery\tmp\osquery\build\windows10\osquery\Release\osqueryd.exe : fatal error LNK1120: 110 unresolved externals [C:\osquery\tmp\osquery\build\windows10\osquery\daemon.vcxproj]
- I need suggestions for fixing these LINKER errors. Please help 😞
sttor
02/17/2020, 11:17 AM
joe_antony1
02/17/2020, 2:44 PM
Zlexis
02/17/2020, 8:52 PM
sudo ls /proc/12345/fd where 12345 is a process ID. Why is this command considered an outbound connection?
Eoin Miller
02/18/2020, 7:21 PM
scheduled_tasks table when doing JOINs against other tables such as file and hash:
osquery> SELECT count(*) FROM scheduled_tasks;
| 162 |
When joining, we get an empty set response:
osquery> SELECT count(*) FROM scheduled_tasks JOIN file USING (path);
| 0 |
osquery> SELECT count(*) FROM scheduled_tasks JOIN hash USING (path);
| 0 |
I'll capture it in a GitHub issue, just wondering if this is known or others have encountered similar?
Zach Zeid
02/18/2020, 8:23 PM
Carl
02/19/2020, 5:04 PM
select
socket_events.remote_port,
socket_events.remote_address,
process_events.cmdline,
process_events.pid
from socket_events
join process_events on process_events.pid = socket_events.pid
Stefano Bonicatti
02/20/2020, 4:16 PM
Rajendra Stalekar
02/20/2020, 5:03 PM
Colin OBrien
02/20/2020, 8:37 PM
osquery_schedule monitoring from working?
zwass
zwass
Zach Zeid
02/21/2020, 2:17 PM
ntfs_journal_events log every change to every file on Windows, or can it be scoped?