Channels
#general
Title
# general
j
Jeff Singleton
04/07/2020, 3:13 PMHello. I'm trying to collect user based events, specifically failed login attempts. My user_events table is empty and I see this when I query the table: "Table user_events is event-based but events are disabled". How do I enable events for this table?
a
alessandrogario
04/07/2020, 3:19 PM
--disable_events=false --disable_audit=false --audit_allow_config=true --audit_persist=true --audit_allow_user_events=true --verbose and systemctl disable auditd
j
Jeff Singleton
04/07/2020, 3:24 PMI have all of that in my flag file. Let me verify that auditd is disabled.
Does it matter what order the flags are in?
a
alessandrogario
04/07/2020, 3:27 PM
Flag order is not important
auditd will cause issues if it’s running
--verbose should show what the issue is
j
Jeff Singleton
04/07/2020, 3:28 PMIt is disabled. Adding --verbose.
a
alessandrogario
04/07/2020, 3:29 PM
It is also possible that no events are being generated for that table. You can temporarily turn process_events on (--audit_allow_process_events=true) to see if the audit publisher is working correctly
j
Jeff Singleton
04/07/2020, 3:34 PMHmm. I already had that as well. I see this error when starting osqueryd: Error registering subscriber: process_file_events: Subscriber disabled via configuration
a
alessandrogario
04/07/2020, 3:35 PM
That table is disabled by default, it’s just a warning
and can be safely ignored
j
Jeff Singleton
04/07/2020, 3:35 PMOk
Is this what I am looking for?
Starting event publisher run loop: auditeventpublisher
a
alessandrogario
04/07/2020, 3:36 PM
yes!
Is there no other error printed?
is the process_events table working?
j
Jeff Singleton
04/07/2020, 3:38 PMI see this: Enabling audit rules for the process_events (execve, execveat) table
No other errors.
a
alessandrogario
04/07/2020, 3:39 PM
ok so it seems like the audit publisher is working correctly
can you run a “SELECT * FROM process_events” query?
I haven’t used user_events much, but seem to recall that it should always record logins to the TTY
maybe on SSH too
j
Jeff Singleton
04/07/2020, 3:41 PMTable process_events is event-based but events are disabled
a
alessandrogario
04/07/2020, 3:42 PM
Has the --disable_events=false flag been passed?
j
Jeff Singleton
04/07/2020, 3:42 PMyes that is in my flag file.
a
alessandrogario
04/07/2020, 3:42 PM
Has osquery been restarted?
j
Jeff Singleton
04/07/2020, 3:43 PMYes I have restarted after each change.
a
alessandrogario
04/07/2020, 3:43 PM
or, it is possible that the flagfile is not being correctly loaded
you can pass the path to it using --flagfile=/path/to/file
(I think the default path is
/etc/osquery/osquery.flags.defaultj
Jeff Singleton
04/07/2020, 3:47 PMI'm running this on the command line in two windows. One has osqueryd --flagfile /etc/osquery/osquery.flag and the other is running osqueryi.
a
alessandrogario
04/07/2020, 3:47 PM
osqueryi does not communicate with osqueryd
osqueryi is osqueryd running in interactive mode
j
Jeff Singleton
04/07/2020, 3:49 PMGot that.
a
alessandrogario
04/07/2020, 3:49 PM
so if you run
osqueryi --flagfile /etc/osquery/osquery.flag(osqueryd must be closed otherwise it will attempt to steal the audit ownership from osqueryi)
j
Jeff Singleton
04/07/2020, 3:55 PMOh man...I think because I didn't fully understand that, I figured it out. I actually didn't have --disable-events=false and now I do and its working.
I guess it just takes going through it line by line.
a
alessandrogario
04/07/2020, 3:56 PM
Nice! 😄 if you have any issue we are here to help 🙂
j
Jeff Singleton
04/07/2020, 3:57 PMThank-you!!
120 Views