seph
Failed to get a handle to the following volume: \\\\.\\/:. Terminating...
GUWILLL
10/10/2023, 4:56 PM
Cannot activate filesystem logger plugin: Could not create file: C:\Program Files\osquery\log\osqueryd.results.log
And here are my conf file and flag file:
conf file
{
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 60
    },
    "process_netports": {
      "query": "SELECT lp.pid, p.name, lp.port, lp.address FROM listening_ports AS lp INNER JOIN processes AS p ON lp.pid = p.pid WHERE lp.port = 0 AND lp.address = \"127.0.0.1\" ORDER BY p.start_time DESC;",
      "interval": 60
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  "options": {
    "logger_plugin": "filesystem",
    "disable_logging": "false",
    "logger_path": "C:\\Program Files\\osquery\\log",
    "utc": "true"
  }
}
flag file
--allow_unsafe
--config_path=C://Program Files//osquery//osquery.conf
--disable_events=true
--host_identifier=uuid
--verbose=true
ERROR code
PS C:\Program Files\osquery\osqueryd> .\osqueryd.exe --flagfile="../osquery.flags"
I1011 01:47:11.205355 1412 init.cpp:413] osquery initialized [version=5.9.1]
I1011 01:47:11.225670 1412 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: \Program Files\osquery\extensions.load
I1011 01:47:11.225670 1412 dispatcher.cpp:78] Adding new service: WatcherRunner (0000021525BC5D20) to thread: 2492 (0000021523EB4EC0) in process 4272
I1011 01:47:11.237401 2492 watcher.cpp:674] osqueryd watcher (4272) executing worker (4864)
I1011 01:47:11.269346 204 init.cpp:410] osquery worker initialized [watcher=4272]
I1011 01:47:11.289559 204 dispatcher.cpp:78] Adding new service: UsersService (00000205F3B19DA0) to thread: 4244 (00000205F3B56960) in process 4864
I1011 01:47:11.301124 204 dispatcher.cpp:78] Adding new service: GroupsService (00000205F3B1AFB0) to thread: 4816 (00000205F3B565A0) in process 4864
I1011 01:47:11.319512 4244 users_service.cpp:149] Users cache initialized
I1011 01:47:11.319512 4816 groups_service.cpp:55] Groups cache initialized
I1011 01:47:11.319512 204 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (00000205F585C540) to thread: 1340 (00000205F3AA0E30) in process 4864
I1011 01:47:11.333074 204 rocksdb.cpp:90] Opening RocksDB handle: \Program Files\osquery\osquery.db
I1011 01:47:11.475821 204 dispatcher.cpp:78] Adding new service: ExtensionWatcher (00000205F3A86ED0) to thread: 6056 (00000205F58B5900) in process 4864
I1011 01:47:11.491575 204 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (00000205F5924BD0) to thread: 4364 (00000205F58B5720) in process 4864
I1011 01:47:11.491575 4364 interface.cpp:299] Extension manager service starting: \\.\pipe\osquery.em
I1011 01:47:11.491575 204 auto_constructed_tables.cpp:99] Removing stale ATC entries
W1011 01:47:11.507668 204 options.cpp:106] The CLI only flag --logger_plugin set via config file will be ignored, please use a flagfile or pass it to the process at startup
E1011 01:47:13.047991 204 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: C:\Program Files\osquery\log\osqueryd.results.log
I1011 01:47:13.080094 204 dispatcher.cpp:149] Thread: 204 requesting a stop
I1011 01:47:13.080094 204 dispatcher.cpp:156] Service: 00000205F3B19DA0 has been interrupted
I1011 01:47:13.080094 204 dispatcher.cpp:156] Service: 00000205F3B1AFB0 has been interrupted
I1011 01:47:13.080094 204 dispatcher.cpp:156] Service: 00000205F585C540 has been interrupted
I1011 01:47:13.100395 204 dispatcher.cpp:156] Service: 00000205F3A86ED0 has been interrupted
I1011 01:47:13.100395 204 dispatcher.cpp:156] Service: 00000205F5924BD0 has been interrupted
I1011 01:47:13.100395 204 dispatcher.cpp:122] Thread: 204 requesting a join
I1011 01:47:13.111958 204 dispatcher.cpp:140] Service thread: 00000205F58B5720 has joined
I1011 01:47:13.111958 204 dispatcher.cpp:140] Service thread: 00000205F58B5900 has joined
I1011 01:47:13.111958 204 dispatcher.cpp:140] Service thread: 00000205F3AA0E30 has joined
I1011 01:47:13.127772 204 dispatcher.cpp:140] Service thread: 00000205F3B565A0 has joined
I1011 01:47:13.131817 204 dispatcher.cpp:140] Service thread: 00000205F3B56960 has joined
I1011 01:47:13.131817 204 dispatcher.cpp:144] Services and threads have been cleared
E1011 01:47:14.277684 2492 shutdown.cpp:79] Worker returned exit status
I1011 01:47:14.277684 1412 dispatcher.cpp:149] Thread: 1412 requesting a stop
I1011 01:47:14.277684 1412 dispatcher.cpp:122] Thread: 1412 requesting a join
I1011 01:47:14.288219 1412 dispatcher.cpp:140] Service thread: 0000021523EB4EC0 has joined
I1011 01:47:14.319613 1412 dispatcher.cpp:144] Services and threads have been cleared
Paul Gajkowski
10/12/2023, 12:18 AM
Ronald Cardoso
11/07/2023, 3:26 PM
dimaivanov1234
11/08/2023, 9:06 AM
Guido Caffa
11/08/2023, 4:58 PM
Tyler
12/10/2023, 11:26 AM
Anton
12/20/2023, 11:40 AM
Mike
12/21/2023, 12:40 PM
Mike
12/21/2023, 12:44 PM
Julia Cox
12/28/2023, 3:23 PM
Julia Cox
12/28/2023, 3:28 PM
-A flag was just wrong (should be -A Win32) 🙂
gladly toe
01/17/2024, 1:10 PM
Priya Jagyasi
01/23/2024, 9:05 AM
Venkatesh Revanuru
01/25/2024, 6:33 AM
Venkatesh Revanuru
01/25/2024, 10:53 AM
Mike
02/12/2024, 7:09 AM
terlanaliyev
02/12/2024, 11:27 AM
terlanaliyev
02/12/2024, 11:27 AM
Tarlan Aliyev
02/13/2024, 10:43 AM
{
  // Configure the daemon below:
  "options": {
    "event_publisher": "etw_process_publisher",
    "enable_ntfs_event_publisher": true
  },
  "schedule": {
    "chrome_extensions": {
      "query": "SELECT * from users;",
      "interval": 3600
    }
  }
}
When I run osqueryd.exe --config_path="C:\Program Files\osquery\osquery.conf", I get the following error:
I0212 135533.071751 8240 eventfactory.cpp:156] Event publisher not enabled: etw_process_publisher: etw_process_publisher publisher disabled via configuration.
How can I solve it?
Tarlan Aliyev
02/13/2024, 10:43 AM
vedang agarwal
02/19/2024, 11:33 AM
Rishabh Saxena
02/28/2024, 4:58 AM
Mike
02/29/2024, 6:39 AM
Mike
02/29/2024, 7:01 AM
Bearloggs
03/04/2024, 10:39 AM
select * from ntfs_acl_permissions where path = "C:\Users\vagrant\Documents\test.txt";
But when I try to use a wildcard, I get no results:
select * from ntfs_acl_permissions where path like "C:\Users\vagrant\Documents\%";
Do you know if it is possible to use wildcards with this table, or am I making a mistake?
Thanks for your help.
tlark
03/13/2024, 1:46 AM
wmic output at all anywhere?
tlark
03/13/2024, 1:47 AM
WMIC.exe datafile "C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe" list full
AccessMask=
Archive=TRUE
Caption=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Compressed=FALSE
CompressionMethod=
CreationClassName=CIM_LogicalFile
CreationDate=20240312182146.364332-420
CSCreationClassName=Win32_ComputerSystem
CSName=TOMLARKIN23B2
Description=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Drive=c:
EightDotThreeFileName=c:\program files (x86)\google\chrome\application\chrome.exe
Encrypted=FALSE
EncryptionMethod=
Extension=exe
FileName=chrome
FileSize=2118944
FileType=Application
FSCreationClassName=Win32_FileSystem
FSName=NTFS
Hidden=FALSE
InstallDate=20240312182146.364332-420
InUseCount=
LastAccessed=20240312182146.364332-420
LastModified=20240311200100.392708-420
Manufacturer=Google LLC
Name=C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Path=\program files (x86)\google\chrome\application\
Readable=TRUE
Status=OK
System=FALSE
Version=122.0.6261.129
Writeable=TRUE
thor