phoenixdigital

osqueryd.INFO.20210201-133214.12128

Jan 31st, 2021
Log file created at: 2021/02/01 13:32:14
Running on machine: primary.local
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
I0201 13:32:14.351812 12128 events.cpp:867] Event publisher not enabled: BPFEventPublisher: Publisher disabled via configuration
I0201 13:32:14.352272 12128 events.cpp:867] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0201 13:32:14.352320 12128 events.cpp:867] Event publisher not enabled: inotify: Publisher disabled via configuration
I0201 13:32:14.352356 12128 events.cpp:867] Event publisher not enabled: syslog: Publisher disabled via configuration
I0201 13:32:14.352916 12128 events.cpp:1126] Error registering subscriber: apparmor_events: Subscriber disabled via configuration
I0201 13:32:14.353240 12128 events.cpp:1126] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I0201 13:32:14.353312 12128 events.cpp:1126] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I0201 13:32:14.353377 12128 events.cpp:1126] Error registering subscriber: socket_events: Subscriber disabled via configuration
I0201 13:32:14.360189 12128 file_events.cpp:83] Added file event listener to: /etc/**
I0201 13:32:14.360278 12128 file_events.cpp:83] Added file event listener to: /root/.ssh/**
I0201 13:32:14.360301 12128 file_events.cpp:83] Added file event listener to: /home/*/.ssh/**
I0201 13:32:14.360318 12128 file_events.cpp:83] Added file event listener to: /usr/bin/**
I0201 13:32:14.360334 12128 file_events.cpp:83] Added file event listener to: /usr/sbin/**
I0201 13:32:14.360350 12128 file_events.cpp:83] Added file event listener to: /usr/lib/**
I0201 13:32:14.360391 12128 file_events.cpp:83] Added file event listener to: /boot/**
I0201 13:32:14.360409 12128 file_events.cpp:83] Added file event listener to: /initrd/**
I0201 13:32:14.360445 12128 file_events.cpp:83] Added file event listener to: /home/*/bin/**
I0201 13:32:14.360462 12128 file_events.cpp:83] Added file event listener to: /home/*/sbin/**
I0201 13:32:14.360496 12128 file_events.cpp:83] Added file event listener to: /usr/bin/**
I0201 13:32:14.360514 12128 file_events.cpp:83] Added file event listener to: /usr/sbin/**
I0201 13:32:14.360548 12128 file_events.cpp:83] Added file event listener to: /usr/lib/**
I0201 13:32:14.360565 12128 file_events.cpp:83] Added file event listener to: /usr/local/bin/**
I0201 13:32:14.360599 12128 file_events.cpp:83] Added file event listener to: /usr/local/sbin/**
I0201 13:32:14.360617 12128 file_events.cpp:83] Added file event listener to: /usr/local/lib/**
I0201 13:32:14.360651 12128 file_events.cpp:83] Added file event listener to: /root/bin/**
I0201 13:32:14.425642 12128 filesystem.cpp:313] Symlink loop detected. Ignoring: /etc/xdg/systemd/user/sockets.target.wants
I0201 13:32:15.952646 12128 filesystem.cpp:313] Symlink loop detected. Ignoring: /usr/lib/kbd/keymaps/legacy/ppc/all
I0201 13:32:15.952921 12128 filesystem.cpp:313] Symlink loop detected. Ignoring: /usr/lib/kbd/keymaps/legacy/ppc/include
I0201 13:32:16.028165 12128 filesystem.cpp:313] Symlink loop detected. Ignoring: /boot/efi/EFI/BOOT
I0201 13:32:16.434620 12128 filesystem.cpp:313] Symlink loop detected. Ignoring: /usr/lib/kbd/keymaps/legacy/ppc/all
I0201 13:32:16.434747 12128 filesystem.cpp:313] Symlink loop detected. Ignoring: /usr/lib/kbd/keymaps/legacy/ppc/include
I0201 13:32:16.843138 12233 events.cpp:786] Starting event publisher run loop: udev
I0201 13:32:16.843150 12128 main.cpp:105] Not starting the distributed query service: Distributed query service not enabled.
I0201 13:32:16.843746 12128 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x558116e94b18) to thread: 140152357775104 (0x558117014960) in process 12128
I0201 13:32:24.845624 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:32:30.848031 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:33:17.858827 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_logged_in_users: select type, user, tty, host, time, datetime(time,'unixepoch') || ' UTC' AS logon_time_readable, pid from logged_in_users
I0201 13:33:18.859200 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:33:32.861614 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:34:12.871292 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:34:12.899142 12234 scheduler.cpp:103] Executing scheduled query pack_osquery-monitoring_osquery_info: select i.*, p.resident_size, p.user_time, p.system_time, time.minutes as counter from osquery_info i, processes p, time where p.pid = i.pid;
I0201 13:34:12.920712 12234 scheduler.cpp:164] Found results for query: pack_osquery-monitoring_osquery_info
I0201 13:34:34.875988 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:35:06.884479 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:35:18.887013 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_logged_in_users: select type, user, tty, host, time, datetime(time,'unixepoch') || ' UTC' AS logon_time_readable, pid from logged_in_users
I0201 13:35:26.888841 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_top_10_processes_most_active: select (select datetime from time) AS poll_time, processes.pid, processes.name, processes.path, processes.uid, users.username, count(pid) as total_threads, processes.resident_size, processes.total_size, processes.user_time, processes.system_time, processes.disk_bytes_read, processes.disk_bytes_written, processes.handle_count, processes.percent_processor_time, users.username, datetime(processes.start_time,'unixepoch') || ' UTC' AS start_time_readable from processes JOIN users ON processes.uid = users.uid group by name order by total_threads desc limit 10
I0201 13:35:27.143002 12234 scheduler.cpp:164] Found results for query: pack_splunk-all_top_10_processes_most_active
I0201 13:35:36.890563 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:35:40.892182 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-nix_file_events: SELECT file_events.*, users.username FROM file_events JOIN users ON file_events.uid = users.uid
I0201 13:36:00.895588 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:36:34.901424 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_listening_ports: select (select datetime from time) AS poll_time, processes.name, users.username, etc_protocols.name AS protocol, listening_ports.pid, listening_ports.port, listening_ports.family, listening_ports.address from listening_ports JOIN processes ON listening_ports.pid = processes.pid JOIN users ON processes.uid = users.uid JOIN etc_protocols ON etc_protocols.number = listening_ports.protocol where listening_ports.port > 0
I0201 13:36:35.238584 12234 scheduler.cpp:164] Found results for query: pack_splunk-all_listening_ports
I0201 13:36:38.902189 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:36:48.904335 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_top_10_processes_memory_usage: select (select datetime from time) AS poll_time, processes.pid, processes.path, processes.name, processes.uid, users.username, processes.resident_size, processes.total_size, processes.user_time, processes.system_time, processes.disk_bytes_read, processes.disk_bytes_written, processes.handle_count, processes.percent_processor_time, users.username, datetime(processes.start_time,'unixepoch') || ' UTC' AS start_time_readable, users.username from processes JOIN users ON processes.uid = users.uid order by resident_size desc limit 10
I0201 13:36:49.160676 12234 scheduler.cpp:164] Found results for query: pack_splunk-all_top_10_processes_memory_usage
I0201 13:36:54.905736 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:37:19.910331 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_logged_in_users: select type, user, tty, host, time, datetime(time,'unixepoch') || ' UTC' AS logon_time_readable, pid from logged_in_users
I0201 13:37:40.914034 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:37:48.916080 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:38:42.925004 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:38:42.948263 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:39:20.937896 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_logged_in_users: select type, user, tty, host, time, datetime(time,'unixepoch') || ' UTC' AS logon_time_readable, pid from logged_in_users
I0201 13:39:36.942453 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:39:44.944015 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:40:26.950893 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-nix_file_events: SELECT file_events.*, users.username FROM file_events JOIN users ON file_events.uid = users.uid
I0201 13:40:30.952219 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:40:46.955407 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:41:21.960705 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_logged_in_users: select type, user, tty, host, time, datetime(time,'unixepoch') || ' UTC' AS logon_time_readable, pid from logged_in_users
I0201 13:41:24.962277 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes
I0201 13:41:36.964331 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_listening_ports: select (select datetime from time) AS poll_time, processes.name, users.username, etc_protocols.name AS protocol, listening_ports.pid, listening_ports.port, listening_ports.family, listening_ports.address from listening_ports JOIN processes ON listening_ports.pid = processes.pid JOIN users ON processes.uid = users.uid JOIN etc_protocols ON etc_protocols.number = listening_ports.protocol where listening_ports.port > 0
I0201 13:41:37.247303 12234 scheduler.cpp:164] Found results for query: pack_splunk-all_listening_ports
I0201 13:41:48.967262 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_etc_hosts_entries: SELECT * FROM etc_hosts
I0201 13:42:18.972790 12234 scheduler.cpp:103] Executing scheduled query pack_splunk-all_route_table: select * from routes