  • aby (1 year ago)
    Is there a minimum supported OS version? I am running into issues with
    4.4.0-142-generic
    &&
    Ubuntu 16.04.7 LTS
    p:/home/superlog# osqueryi --verbose --disable_events=false --enable_bpf_events=true --events_expiry=1
    I0202 16:22:35.706341   687 init.cpp:340] osquery initialized [version=4.6.0]
    I0202 16:22:35.706419   687 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
    I0202 16:22:35.706588   687 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x564027c14d58) to thread: 139977553381120 (0x564027c151e0) in process 687
    I0202 16:22:35.706670   687 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x564027c1bbf8) to thread: 139977544988416 (0x564027c1be40) in process 687
    I0202 16:22:35.706717   687 auto_constructed_tables.cpp:97] Removing stale ATC entries
    I0202 16:22:35.706832   691 interface.cpp:270] Extension manager service starting: /root/.osquery/shell.em
    terminating with uncaught exception of type tob::StringError
    Aborted (core dumped)
  • zwass (1 year ago)
    Yeah you need 4.6.0
  • aby (1 year ago)
    osqueryd --version
    osqueryd version 4.6.0
  • zwass (1 year ago)
    Ah sorry, I thought you meant osquery 4.4.0
    @User wonder if this is familiar to you?
  • alessandrogario (1 year ago)
    nooo @ the uncaught exception! I have to fix it! thanks for bringing this up!
    BPF requires at least kernel 4.18 to work correctly
    We use certain BPF map features that require something around ~4.10, but then we also capture cgroup information, which raises the kernel requirement to 4.18
    this should be roughly CentOS 8, and Ubuntu 18.10