#general

Jamie Windley

05/22/2019, 5:00 PM
Is there any way of logging in the results.log the name of the table that the logs are from, rather than the arbitrary 'pack_xyz' identifier at the start of each result?

zwass

05/22/2019, 5:02 PM
Logs could come from multiple tables — typically it's best to provide a name for the query in the pack that would help you identify it later.

defensivedepth

05/22/2019, 5:22 PM
You can also manually tag the log at query time (see screencap), but like @zwass said, it is common for a query to join multiple tables.

zwass

05/22/2019, 8:06 PM
The logs include the "name" of the query as specified in the pack (see https://github.com/facebook/osquery/blob/experimental/packs/hardware-monitoring.conf#L3).

Jamie Windley

05/23/2019, 7:38 AM
I was hoping for there to be some way of modifying a configuration parameter to include the name of the actual table in the event itself, rather than relying on an arbitrary name for the query.
Perhaps as a decorator of some sort?

zwass

05/23/2019, 5:29 PM
This functionality doesn’t exist, but it is definitely an interesting idea.