
    OpenPlgx

    2 years ago
    What is your query config?

    Mario De Tore

    2 years ago
    ./fleetctl get options
apiVersion: v1
kind: options
spec:
  config:
    # Decorator queries: osquery runs these and attaches the resulting
    # columns to every logged result so each row is attributable to a host.
    decorators:
      load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
      - SELECT version AS osquery_version FROM osquery_info;
    # File-integrity-monitoring targets consumed by the file_events subscriber.
    # In osquery path patterns, `%` matches one path component and `%%`
    # matches recursively. These watches are only active because
    # `disable_events` is false below.
    file_paths:
      # Executable directories; recursive watches here can be large on
      # hosts with many packages — check inotify watch limits if
      # file_events shows gaps (TODO confirm on a representative host).
      binaries:
      - /usr/bin/%%
      - /usr/sbin/%%
      - /bin/%%
      - /sbin/%%
      - /usr/local/bin/%%
      - /usr/local/sbin/%%
      # Files whose modification commonly indicates persistence or
      # privilege escalation (auth database, PAM, loader paths, cron,
      # init, name resolution). osquery runs as root, so /etc/shadow is
      # readable; file_events records metadata/hashes, not contents, but
      # treat the resulting log stream as sensitive all the same.
      configuration:
      - /etc/passwd
      - /etc/shadow
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/rc%/%%
      - /etc/my.cnf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/crontab
      - /etc/cron%/%%
      - /etc/init/%%
      - /etc/rsyslog.conf
    # osquery command-line flags, pushed to every enrolled host.
    # `overrides` is empty at the bottom, so Linux-centric audit flags and
    # the Windows-only table exclusion below reach every platform.
    options:
      # Let osquery add its own rules to the kernel audit subsystem.
      # NOTE(review): this contends with a running auditd for the audit
      # netlink socket — confirm auditd is not also expected on these hosts.
      audit_allow_config: true
      # Collect socket_events (connect/bind) through the audit subsystem.
      audit_allow_sockets: true
      # Keep re-acquiring the audit socket if another process takes it.
      audit_persist: true
      # Seconds between config fetches while the server is unreachable /
      # after an error (faster retry than the normal refresh).
      config_accelerated_refresh: 300
      # Config is fetched over TLS from the Fleet server; the server host
      # and certificate pinning are agent-side flags not shown in this dump.
      config_plugin: tls
      # Seconds between normal config refreshes.
      config_refresh: 3600
      config_tls_endpoint: /api/v1/osquery/config
      # Audit-based event collection (process_events, socket_events) is on.
      disable_audit: false
      # Live ("distributed") queries are enabled: anyone with live-query
      # rights in Fleet can run arbitrary SQL as root on these hosts, so
      # Fleet RBAC is the control here.
      disable_distributed: false
      # Event publishers/subscribers are enabled (required for file_paths
      # above and the audit_* flags to produce anything).
      disable_events: false
      # Comma-separated list of subscribers to turn off; only user_events.
      disable_subscribers: user_events
      # Comma-separated list of tables to turn off. windows_events is a
      # Windows-only table; disabling it globally also disables it on
      # Windows hosts, since there is no platform override.
      disable_tables: windows_events
      # Watchdog on: osquery restarts its worker when it exceeds limits.
      disable_watchdog: false
      # Seconds between polls for live-query work.
      distributed_interval: 10
      distributed_plugin: tls
      # Retries before a live-query read/write is given up.
      distributed_tls_max_attempts: 3
      distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
      distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
      # Apply watchdog resource limits to extensions as well as the worker.
      enable_extensions_watchdog: true
      # NOTE(review): osquery treats events_expiry as seconds; 1 is far
      # below osquery's documented default of 3600. Confirm this is the
      # intended buffer lifetime and not a misread unit.
      events_expiry: 1
      # Upper bound on buffered events per subscriber before oldest are
      # dropped; sized for bursty hosts. Watch the RocksDB footprint.
      events_max: 500000
      # Status-log threshold: 0 = INFO, 1 = WARNING and above.
      logger_min_status: 1
      # Results are shipped over TLS to Fleet every `logger_tls_period`
      # seconds; snapshot results are tagged as "snapshot" events.
      logger_plugin: tls
      logger_snapshot_event_type: true
      logger_tls_endpoint: /api/v1/osquery/log
      logger_tls_period: 10
      # Separator used when a pack name is joined to a query name.
      pack_delimiter: /
      # Randomise each scheduled query's interval by up to 10% so hosts
      # do not report in lockstep.
      schedule_splay_percent: 10
      # Watchdog strictness; 1 is more restrictive (lower memory/CPU
      # thresholds) than the default 0.
      watchdog_level: 1
  # No platform-specific overrides: the options above apply to every OS.
  overrides: {}

    OpenPlgx

    2 years ago
Well, `disable_events` is set to false, so events are enabled. While the `windows_events` table is disabled via `disable_tables`, I don't know whether that also stops the publisher/subscriber internally or only blocks queries against the table at the top level. You might want to set `disable_events` to true and try again. Additionally, `events_max` is 500000, which seems a bit high, although I don't know whether that plays a role here given that there are no queries on the `windows_events` table.