# process-auditing

Avi Apelbaum

03/19/2020, 8:39 AM
Hi all, below is my flag file. For some reason I do not receive any events at my TLS server; I am getting
Event publisher not enabled: syslog: Publisher disabled via configuration
Any idea, someone? Flag file:
--watchdog_level=0
--watchdog_memory_limit=300
--host_identifier=uuid
--tls_hostname=kolide-server:443
--tls_server_certs=/etc/osquery/ca.crt
--config_plugin=tls
--distributed_plugin=tls
--logger_plugin=tls
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_tls_endpoint=/api/v1/osquery/config
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_tls_endpoint=/api/v1/logger
--config_refresh=300
--config_tls_max_attempts=20
--enroll_always=true
--disable_distributed=false
--distributed_interval=0
--enroll_secret_path=/etc/osquery/enroll
--database_path=/var/osquery/osquery.db
--pidfile=/var/run/osqueryd.pid
--logger_path=/var/log/osquery
--audit_allow_config=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--audit_force_reconfigure=true
--audit_persist=false
--disable_audit=false
--enable_dns_lookups=true
--logger_tls_event_types="user_events|process_events|process_file_events|socket_events|dns_lookup_events|file_events|http_events"
--events_max=1000
--disable_events_staging=false
--windows_event_channels=Security,System,Application,Setup
--win_enable_dns_lookups=true
--win_allow_sockets=true
--win_allow_process_events=true
--win_allow_logon_events=true
--win_allow_fim_events=true
--win_allow_drive_events=true
--win_allow_reg_events=true
--enable_windows_kernel_events=true
--allow_inotify_file_events=false
--audit_records_rate=10000
--logger_tls_compress=true
--enable_wmi=true
--enable_http_lookups=true
--process_ancestor_list=true
--audit_force_unconfigure=true
--audit_source_dispatcher=true
--watchdog_utilization_limit=21
--generate_process_hash_in_process_event=true

alessandrogario

03/19/2020, 2:01 PM
About the "Publisher disabled via configuration" message: that is not an error. It is just informing you which publishers are not enabled.
Make sure you have scheduled queries running, then start osquery with --verbose and look at the messages to determine what is going on.

Avi Apelbaum

03/19/2020, 2:11 PM
We do not have scheduled queries, as staging of the events is disabled and they are sent directly to the TLS server.
--disable_events_staging=true
Not as mentioned above. That is to avoid filling up the disk.

alessandrogario

03/19/2020, 2:14 PM
I don't think that's an osquery flag.
Is it a private fork? You probably need to seek support from your vendor.

Avi Apelbaum

03/19/2020, 2:17 PM
Oh yeah, you're right 🙈

alessandrogario

03/19/2020, 2:17 PM
Is it Uptycs? They have people in here.

Avi Apelbaum

03/19/2020, 2:18 PM
We used to have Uptycs; probably the conf file remained there. We already installed the native one.

alessandrogario

03/19/2020, 2:19 PM
Ah, I see!
They are using a really old version of osquery;
the config may have changed quite a lot.

Avi Apelbaum

03/19/2020, 2:19 PM
Yes, they are.
Version 3.3.

alessandrogario

03/19/2020, 2:21 PM
You can probably use the ephemeral db plugin.

Avi Apelbaum

03/19/2020, 2:22 PM
What is that? Can you elaborate?

alessandrogario

03/19/2020, 2:22 PM
Though it's not quite like what I think --disable_events_staging was doing.
It is an in-memory db that gets lost when osquery restarts.

Avi Apelbaum

03/19/2020, 2:22 PM
Nice, will read about it, thanks!

alessandrogario

03/19/2020, 2:23 PM
It has less overhead compared to RocksDB (which attempts to store data in a corruption-resistant format so it persists across restarts),
but it's not like bypassing the db entirely (which is what I think that flag is doing).

Avi Apelbaum

03/19/2020, 2:25 PM
OK, thanks for the information.
Anyway, I do not have anything in those tables.
I just checked.

alessandrogario

03/19/2020, 2:26 PM
--audit_persist=false
Is auditd running?

Avi Apelbaum

03/19/2020, 2:26 PM
auditdnetlink.cpp:613] Failed to set the netlink owner

alessandrogario

03/19/2020, 2:26 PM
That flag is usually enabled,
but will cause errors if there's another audit-based service running.

Avi Apelbaum

03/19/2020, 2:36 PM
It seems to work; must see how I can prevent the disk from filling up. Will check the ephemeral db.