osquery error 24001


Dee M

Aug 1, 2024, 10:55:47 AM
to Wazuh | Mailing List
I am using Wazuh v4.8.1, and osquery 5.12.1 is installed on Windows 10 Pro 64-bit Build 19045.

This is the JSON log file:

{
  "_index": "wazuh-alerts-4.x-2024.08.01",
  "_id": "m79lDpEBSZn7V9Nag54F",
  "_version": 1,
  "_score": null,
  "_source": {
    "input": { "type": "log" },
    "agent": { "ip": "192.168.100.30", "name": "win-apt-01", "id": "002" },
    "manager": { "name": "wazuh" },
    "rule": {
      "firedtimes": 3,
      "mail": false,
      "level": 5,
      "description": "osquery error message",
      "groups": [ "osquery" ],
      "id": "24001"
    },
    "location": "osquery",
    "decoder": {},
    "id": "1722523412.10651568",
    "full_log": "E0801 22:43:32.429441 5140 init.cpp:520] osqueryd Pidfile check failed: Pidfile::Error::Busy\r",
    "timestamp": "2024-08-01T14:43:32.926+0000"
  },
  "fields": { "timestamp": [ "2024-08-01T14:43:32.926Z" ] },
  "highlight": {
    "agent.id": [ "@opensearch-dashboards-highlighted-field@002@/opensearch-dashboards-highlighted-field@" ],
    "manager.name": [ "@opensearch-dashboards-highlighted-field@wazuh@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1722523412926 ]
}

I am always getting this osquery error message from my Wazuh, and I am not able to get any osquery rule logs.

Please help. Thank you.

Javier Medeot

Aug 1, 2024, 12:01:29 PM
to Wazuh | Mailing List
Hi Dee M.

Wazuh is alerting you that something's wrong with OSquery.

From the full_log field in the Wazuh alert, it seems the osquery service is busy. Is your Wazuh osquery module configured to run the osqueryd daemon? In this case, maybe Windows is already executing the service and the Wazuh agent tries to execute it regardless. Please check the run_daemon configuration in your Windows agent ossec.conf file. Try setting it to no and restarting the Wazuh agent.

<wodle name="osquery">
    ...
    <run_daemon>no</run_daemon>
   ...
</wodle>

Let me know if this is the issue here.

Also, check the C:\Program Files\osquery\log\osqueryd.results.log for any other related information that might be logged there.

Thanks.
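A small diagnostic, added here as an example and not part of the thread, that parses the glog-style full_log line from the alert above and reads the run_daemon value of the osquery wodle from a constructed ossec.conf fragment, reporting the daemon-already-running case discussed in this reply. The sample strings and the diagnose() helper are assumptions; real Windows ossec.conf files may contain several top-level <ossec_config> blocks, which a single fromstring() call will not parse.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the full_log of the rule 24001 alert shown above, in osquery's
# glog line format "Lmmdd hh:mm:ss.uuuuuu threadid file:line] message".
SAMPLE_FULL_LOG = ("E0801 22:43:32.429441 5140 init.cpp:520] "
                   "osqueryd Pidfile check failed: Pidfile::Error::Busy\r")

# Constructed sample: osquery wodle of a Windows agent ossec.conf, wrapped in a
# single root (real files may hold several <ossec_config> blocks; split those first).
SAMPLE_OSSEC_CONF = """<ossec_config>
  <wodle name="osquery">
    <disabled>no</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>C:\\Program Files\\osquery\\log\\osqueryd.results.log</log_path>
  </wodle>
</ossec_config>"""

GLOG_RE = re.compile(r"^(?P<level>[IWEF])(?P<month>\d{2})(?P<day>\d{2}) (?P<time>[\d:.]+) "
                     r"(?P<tid>\d+) (?P<file>[^:\]]+):(?P<line>\d+)\] (?P<msg>.*)$")

def parse_glog_line(line):
    # Split a glog-style osquery line into named fields; None if it is not one.
    m = GLOG_RE.match(line.strip())
    return m.groupdict() if m else None

def run_daemon_setting(ossec_conf_xml):
    # Return the <run_daemon> text of the osquery wodle ("yes"/"no"), or None.
    for wodle in ET.fromstring(ossec_conf_xml).iter("wodle"):
        if wodle.get("name") == "osquery":
            node = wodle.find("run_daemon")
            return node.text.strip().lower() if node is not None and node.text else None
    return None

def diagnose(full_log, ossec_conf_xml):
    # A Pidfile Busy error while run_daemon=yes means the agent is trying to start
    # an osqueryd that is already running (e.g. as the Windows service).
    parsed = parse_glog_line(full_log)
    if parsed is None:
        return "not an osquery glog line"
    busy = "Pidfile::Error::Busy" in parsed["msg"]
    setting = run_daemon_setting(ossec_conf_xml)
    if busy and setting == "yes":
        return "osqueryd already running: set <run_daemon>no</run_daemon> and restart the agent"
    if busy:
        return "osqueryd already running; agent does not start it (run_daemon=%s)" % setting
    return "osquery %s %s:%s %s" % (parsed["level"], parsed["file"], parsed["line"], parsed["msg"])
```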

Dee M

Aug 2, 2024, 12:21:10 AM
to Wazuh | Mailing List
Hi Javier Medeot,

I disabled run_daemon in the Windows Wazuh agent ossec.conf, and the error is now not appearing. However, my goal is to use osquery to generate logs and send them to the Wazuh manager to ingest and normalize the data; this is for MISP integration.

This is from my Windows Wazuh agent osqueryd.log:
{"name":"system_info","hostIdentifier":"DESKTOP-DPGAV5L","calendarTime":"Tue Jul 30 05:25:58 2024 UTC","unixTime":1722317158,"epoch":0,"counter":0,"numerics":false,"decorations":{"host_uuid":"03D502E0-045E-0536-5206-2E0700080009","username":"workslash-PC"},"columns":{"cpu_brand":"Intel(R) Pentium(R) CPU G4560 @ 3.50GHz","hostname":"DESKTOP-DPGAV5L","physical_memory":"17179869184"},"action":"added"}


Javier Medeot

Aug 2, 2024, 4:39:07 PM
to Wazuh | Mailing List
I'm glad it worked. And you have proof that the Wazuh agent is correctly configured to monitor the OSQuery log file. Now you need to look for Wazuh alerts.

The log you're sharing seems to be reporting hostname, cpu_brand, physical_memory from system_info but you might want to be alerted about a high CPU load or low free memory. Check your /etc/osquery/osquery.conf configuration file and make sure it's configured according to your needs. You can take a look at https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/osquery.html#osquery to learn more. Check the time intervals you've configured for the scheduled queries. Put your system to the test in order to generate Wazuh alerts. Keep in mind that some alerts will be generated once and not repeatedly. Let me know if this is what you need to know. Thanks.