https://github.com/osquery/osquery logo
#extensions
Title
# extensions
a

alessandrogario

09/09/2019, 11:25 AM
@Ski alot can you restart osquery with the --verbose flag and paste here the output?
s

Ski alot

09/10/2019, 6:04 AM
I0811 145352.564669 5740 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 145352.658277 3948 events.cpp:784] Starting event publisher run loop: windows_events I0811 145352.658277 5740 main.cpp:109] Not starting the distributed query service: Distributed query service not enabled. I0811 145501.755991 5556 database.cpp:134] Resetting the database plugin: rocksdb I0811 145502.317636 5556 rocksdb.cpp:134] Opening RocksDB handle: \ProgramData\osquery\osquery.db I0811 145514.923404 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; E0811 145515.219827 5556 scheduler.cpp:105] Error executing scheduled query foobar: Error running query: no such table: foobar I0811 145515.360239 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 145518.730098 3160 interface.cpp:105] Registering extension (fooextensionexa, 22760, version=1.0.0.0, sdk=1.8.0) I0811 145518.730098 3160 registry_factory.cpp:109] Extension 22760 registered table plugin foobar I0811 145612.928666 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 145617.000579 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 145632.149344 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 145635.519203 5556 scheduler.cpp:165] Found results for query: foobar I0811 145635.581609 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 145808.985993 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 145812.309048 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 145828.378284 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 145833.355067 5404 extensions.cpp:305] Extension UUID 22760 has gone away I0811 145833.355067 5404 sqlite_util.cpp:223] DBManager contention: opening transient SQLite database I0811 145835.445628 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 145847.536558 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 145847.973392 5556 scheduler.cpp:165] Found results for query: foobar I0811 145848.035796 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 150004.575284 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 150004.934111 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 150005.604964 4856 interface.cpp:105] Registering extension (fooextensionexa, 29898, version=1.0.0.0, sdk=1.8.0) W0811 150005.604964 4856 interface.cpp:111] Could not add extension fooextensionexa: SQLITE_ERROR I0811 150006.587838 5556 database.cpp:134] Resetting the database plugin: rocksdb I0811 150006.619041 5556 rocksdb.cpp:134] Opening RocksDB handle: \ProgramData\osquery\osquery.db I0811 150015.464921 5404 extensions.cpp:273] Extension UUID 29898 initial check failed I0811 150023.795962 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 150024.310801 5556 scheduler.cpp:165] Found results for query: foobar I0811 150024.373206 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 150043.047843 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 150043.406671 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: )
I0811 150044.904386 6828 interface.cpp:105] Registering extension (fooextensionexa, 1417, version=1.0.0.0, sdk=1.8.0) I0811 150044.904386 6828 registry_factory.cpp:84] Extension 1417 has duplicate plugin name: foobar in registry: table W0811 150044.904386 6828 interface.cpp:111] Could not add extension fooextensionexa: Duplicate registry item: foobar I0811 150102.315325 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 150102.549343 5404 extensions.cpp:305] Extension UUID 29898 has gone away I0811 150102.674152 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: ) I0811 150121.582808 5556 scheduler.cpp:100] Executing scheduled query foobar: SELECT * from foobar; I0811 150121.879230 5556 killswitch.cpp:60] enum osquery:Killswitch:IsEnabledError 1 (Cannot call registry item: )
i placed the logs. Its a long log but i hope that it will help to understand
2 Views