Zach Zeid
1 year ago
    that doesn't make sense to me, is osquery actually keeping track here, or is the way I'm running the query incorrect?
    | installed_homebrew_packages_1 | SELECT name, version from homebrew_packages order by name limit 25;                                                         | 14400    | 0          | 0             | 0           | 0           | 0         | 0         | 0           | 0              | 0                   | 0                 | 0                 |
nyanshak
1 year ago
I think that since you're just running osqueryi --json "select * from osquery_schedule;", you don't actually have any queries scheduled. You'd also have to pass a config file with the scheduled queries to osqueryi (or tls config) and wait for it to execute those queries before you get data on scheduled query execution.
You probably want to schedule a query to regularly pull data from the osquery_schedule table
Zach Zeid
1 year ago
    That doesn't make any sense though, how would I pass a config to osqueryi? and these scheduled queries do run
nyanshak
1 year ago
    right, but they're running somewhere else, e.g., through osqueryd
    and you have an entirely-separate entity, osqueryi, that you're asking to tell you about scheduled queries
    and it can't tell you about scheduled queries for osqueryd afaik
    you can pass a config to osqueryi the same* way you do to osqueryd, it's a symlink and mostly the flags are the same (* except if you need to like... enable events and such)
Zach Zeid
1 year ago
    I'll give it a shot thanks
    shouldn't this give some output?
    sudo osqueryi --profile 2 --profile-delay 1 "select * from users;" --json
nyanshak
1 year ago
    I don't think it should give output unless the query fails due to an error.
Zach Zeid
1 year ago
    wut.
    that's fair.
nyanshak
1 year ago
btw I'm not super familiar with the profiling code, that was based on a quick glance at osquery/main/main.cpp after grepping for profile
theopolis
1 year ago
Also, a while back someone suggested having an osqueryi --connect /path/to/osqueryd/extension/socket.em such that you could inspect the runtime status of an osqueryd process. It sounds like that would be helpful here.