differential osquery query output to base_topic #5890

Closed
alexwoolford opened this issue Oct 15, 2019 · 3 comments · Fixed by #6449
Labels
triage Issue needs to be verified, reproduced and prioritized

Comments


alexwoolford commented Oct 15, 2019

Bug report

versions

CentOS 7.7
osquery 4.0.2

What steps did you take to reproduce the issue?

The osquery.conf has the following properties:

{
  "options": {
    "logger_kafka_brokers": "cp01.woolford.io:9092,cp02.woolford.io:9092,cp03.woolford.io:9092",
    "logger_kafka_topic": "base_topic",
    "logger_kafka_acks": "1"
  },
  "packs": {
    "system-snapshot": {
      "queries": {
        "processes_by_port": {
          "query": "select u.username, p.pid, p.name, pos.local_address, pos.local_port, pos.remote_address, pos.remote_port from processes p join users u on u.uid = p.uid join process_open_sockets pos on pos.pid=p.pid where pos.remote_port != '0';",
          "interval": 10,
          "snapshot": false
        }
      }
    }
  },
  "kafka_topics": {
    "process-port": [
      "pack_system-snapshot_processes_by_port"
    ]
  }
}

The output is written to the process-port topic. If I toggle the snapshot property, the output is written to the base_topic. That is, in my opinion, a bug.

links:

What did you expect to see?

The differential records should be written to the process-port.

What did you see instead?

The records are written to base_topic.
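Routing logic for the behaviour the report expects, as an added example that is not osquery's own code: it picks a Kafka topic for one result line from the `kafka_topics` mapping in the config above, whether the line is an event-format differential row, a batched differential result, or a snapshot, and falls back to `logger_kafka_topic` only for unmapped or unparsable lines. The three line shapes are assumed from osquery's documented result formats; the sample lines are constructed.

```python
import json

# Constructed fragment of the osquery.conf from the report: only the keys
# that matter for topic routing are reproduced.
CONFIG = {
    "options": {"logger_kafka_topic": "base_topic"},
    "kafka_topics": {"process-port": ["pack_system-snapshot_processes_by_port"]},
}

# Constructed result lines in the three shapes osquery writes (assumed from its
# documented result formats): event-format differential row, batched
# differential results, and a snapshot; plus one query with no mapping.
SAMPLE_LINES = [
    '{"name":"pack_system-snapshot_processes_by_port","action":"added",'
    '"columns":{"pid":"4242","local_port":"53412","remote_port":"9092"}}',
    '{"name":"pack_system-snapshot_processes_by_port",'
    '"diffResults":{"added":[{"pid":"4242"}],"removed":[]}}',
    '{"name":"pack_system-snapshot_processes_by_port","action":"snapshot",'
    '"snapshot":[{"pid":"4242"}]}',
    '{"name":"pack_unmapped_query","action":"removed","columns":{}}',
]


def result_kind(rec):
    """Classify a parsed result line by the shape osquery used."""
    if "snapshot" in rec:
        return "snapshot"
    if "diffResults" in rec:
        return "differential-batch"
    if "columns" in rec and "action" in rec:
        return "differential-event"
    return "unknown"


def route(line, config=CONFIG):
    """Return (kind, topic) for one result line. Per the report the topic
    should depend on the query name alone: differential rows of a mapped
    query go where its snapshots go; unmapped names and unparsable lines
    fall back to logger_kafka_topic."""
    base = config["options"]["logger_kafka_topic"]
    by_name = {n: t for t, names in config["kafka_topics"].items() for n in names}
    try:
        rec = json.loads(line)
    except ValueError:
        rec = None
    if not isinstance(rec, dict):
        return "unparsable", base
    return result_kind(rec), by_name.get(rec.get("name"), base)
```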

@directionless directionless added the triage Issue needs to be verified, reproduced and prioritized label Oct 18, 2019
directionless (Member) commented

I know @zwass and @alexwoolford were talking in slack, but I'm not sure if there was a conclusion

alexwoolford (Author) commented

Hey @directionless, @zwass suggested that I file a bug in Github: https://osquery.slack.com/archives/C08V7KTJB/p1571159030065500?thread_ts=1571098086.052800&cid=C08V7KTJB, and so I did.

I'll gladly jump on a Zoom if you'd like to poke around in my environment to see what's going on.

directionless (Member) commented

I don't know this part of the code base. I'm recording that the conversation happened. The bug is great.

analyzeDFIR added a commit to analyzeDFIR/osquery that referenced this issue May 16, 2020
aikuchin pushed a commit to aikuchin/osquery that referenced this issue Jul 11, 2023
…0 to master

* commit 'eeee0fb0957f5af983f817c2e6f19c53108d9e09': (83 commits)
  Add additional changelog items (osquery#6523)
  Changelog for 4.4.0 (osquery#6492)
  build: Add Azure tables to specs CMakeLists (osquery#6507)
  CMake: Correct macOS framework linking (osquery#6522)
  tables: Only populate table cache with star-like selects (osquery#6513)
  CMake: Fix and cleanup compile flags (osquery#6521)
  docs: Add note to bump the Homebrew cask (osquery#6519)
  tests: Fix atom_packages, processes, rpm_packages flakiness (osquery#6518)
  bug: Do not use system proxy for AWS local authority (osquery#6512)
  packaging: updating docs on cpack usage to include Chocolatey (osquery#6022)
  bug: Fix typed_row table caching (osquery#6508)
  Implement event batching support for Windows tables (osquery#6280)
  http: Use sync resolve (osquery#6490)
  Add support for basic chassis information (osquery#5282)
  Only emit 'denylist' warning once (osquery#6493)
  docs: Remove references to brew in macOS install (osquery#6494)
  Fix for osquery#5890: Event Format Results and the Kafka Logger (osquery#6449)
  make apt_sources table parsing much more resilient (osquery#6482)
  Make file and hash container columns hidden (osquery#6486)
  Update documentation to use 'allow list' and 'deny list' diction (osquery#6489)
  ...