Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add logger_snapshot_event_type flag for snapshot events #3838

Merged
merged 3 commits into from
Oct 17, 2017
Merged

Add logger_snapshot_event_type flag for snapshot events #3838

merged 3 commits into from
Oct 17, 2017

Conversation

theopolis
Copy link
Member

This implements #3701.

» cat ./build/example.conf 
{
  "options": {
    "logger_snapshot_event_type": "true"
  },
  "schedule": {
    "3groups": {
      "query": "select * from groups limit 3",
      "interval": 5,
      "snapshot": "true"
    }
  }
}
» ./build/linux/osquery/osqueryd --ephemeral --disable_database --logger_plugin=stdout --config_path ./build/example.conf
{"name":"3groups","hostIdentifier":"maverics","calendarTime":"Mon Oct 16 05:50:00 2017 UTC","unixTime":"1508133000","epoch":"0","counter":"0","columns":{"gid":"0","gid_signed":"0","groupname":"root"},"action":"snapshot"}
{"name":"3groups","hostIdentifier":"maverics","calendarTime":"Mon Oct 16 05:50:00 2017 UTC","unixTime":"1508133000","epoch":"0","counter":"0","columns":{"gid":"1","gid_signed":"1","groupname":"daemon"},"action":"snapshot"}
{"name":"3groups","hostIdentifier":"maverics","calendarTime":"Mon Oct 16 05:50:00 2017 UTC","unixTime":"1508133000","epoch":"0","counter":"0","columns":{"gid":"2","gid_signed":"2","groupname":"bin"},"action":"snapshot"}
severity=0 location=events.cpp:824 message=Event publisher not enabled: audit: Publisher disabled via configuration
severity=0 location=events.cpp:824 message=Event publisher not enabled: syslog: Publisher disabled via configuration
severity=0 location=scheduler.cpp:75 message=Executing scheduled query 3groups: select * from groups limit 3
{"name":"3groups","hostIdentifier":"maverics","calendarTime":"Mon Oct 16 05:50:05 2017 UTC","unixTime":"1508133005","epoch":"0","counter":"0","columns":{"gid":"0","gid_signed":"0","groupname":"root"},"action":"snapshot"}
{"name":"3groups","hostIdentifier":"maverics","calendarTime":"Mon Oct 16 05:50:05 2017 UTC","unixTime":"1508133005","epoch":"0","counter":"0","columns":{"gid":"1","gid_signed":"1","groupname":"daemon"},"action":"snapshot"}
{"name":"3groups","hostIdentifier":"maverics","calendarTime":"Mon Oct 16 05:50:05 2017 UTC","unixTime":"1508133005","epoch":"0","counter":"0","columns":{"gid":"2","gid_signed":"2","groupname":"bin"},"action":"snapshot"}
severity=0 location=scheduler.cpp:75 message=Executing scheduled query 3groups: select * from groups limit 3

@facebook-github-bot facebook-github-bot added the cla signed Automated label: Pull Request author has signed the osquery CLA label Oct 16, 2017
@osqueryer
Copy link

👎 The commit 0418840 (Job results: 939) failed one or more tests (FreeBSD).

@osqueryer
Copy link

👎 The commit 0418840 (Job results: 2127) failed one or more tests (macOS/OS X).

@osqueryer
Copy link

👎 The commit 0418840 (Job results: 6022) failed one or more tests (Linux).

@osqueryer
Copy link

👎 The commit 0418840 (Job results: 6023) failed one or more tests (Linux).

@osqueryer
Copy link

👎 The commit 0418840 (Job results: 940) failed one or more tests (FreeBSD).

@osqueryer
Copy link

👎 The commit 0418840 (Job results: 2128) failed one or more tests (macOS/OS X).

@facebook-github-bot
Copy link

@theopolis has updated the pull request. View: changes

@osqueryer
Copy link

👎 The commit c80888b (Job results: 2900) failed one or more tests (Windows).

@osqueryer
Copy link

👎 The commit c80888b (Job results: 2901) failed one or more tests (Windows).

obelisk
obelisk reviewed Oct 16, 2017
View reviewed changes
Copy link
Contributor

@obelisk obelisk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple hold overs from the old code

osquery/core/query.cpp Outdated
pt::ptree& tree) {
addLegacyFieldsAndDecorations(item, tree);
pt::ptree columns;
for (auto& i : event) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

const?

osquery/core/query.cpp Outdated
if (!status.ok()) {
return status;
}
} else if (item.snapshot_results.size() > 0) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Prefer !item.snapshot_results.empty()

osquery/core/query.cpp Outdated
return Status(1, "No diff results or snapshot results");
}

for (auto& action : results) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can these be consts?

obelisk
obelisk reviewed Oct 16, 2017
View reviewed changes
osquery/core/query.cpp Outdated
Status serializeQueryLogItemAsEvents(const QueryLogItem& item,
pt::ptree& tree) {
pt::ptree results;
if (item.results.added.size() > 0 || item.results.removed.size() > 0) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If possible, prefer not empty

@facebook-github-bot
Copy link

@theopolis has updated the pull request. View: changes

@theopolis theopolis merged commit 418973f into osquery:master Oct 17, 2017
This was referenced Dec 11, 2017
Closed
Closed
trizt pushed a commit to trizt/osquery that referenced this pull request May 24, 2019
@trizt
Add logger_snapshot_event_type flag for snapshot events (osquery#3838)
6ec962f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@obelisk obelisk obelisk left review comments

Assignees
No one assigned
Labels
cla signed Automated label: Pull Request author has signed the osquery CLA feature logging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@theopolis @osqueryer @facebook-github-bot @obelisk