
I have configured osquery to query the table socket_events. When I use curl -k "https://www.google.com", I get the action:"connect" event. But once the curl command ends, the 'Close' event is not seen.

  1. In osquery.conf I have configured a scheduled query for socket_events:
     "socket_events": { "query": "SELECT * FROM socket_events;", "removed": false, "interval": 10 }
  2. Run curl -k "https://www.google.com"
  3. I can see the string:
     {"name":"socket_events","hostIdentifier":"XXX","calendarTime":"Wed May  3 17:03:18 2023 UTC","unixTime":1683133398,"epoch":0,"counter":172,"numerics":false,"decorations":{"host_uuid":"XXXX7-F941-5D88-81FE-3FEBB9503CF9","username":"SSSSn"},"columns":{"action":"connect","auid":"502","family":"2","fd":"5","local_address":"0","local_port":"0","path":"/usr/bin/curl","pid":"3237","remote_address":"216.239.38.120","remote_port":"443","status":"","time":"1683133396","uptime":"115078"},"action":"added"}
  4. But "action":"Close" is never seen.
  5. I have enabled all types of flags related to socket events:
     --disable_audit=false
     --audit_persist=false
     --audit_allow_config=true
     --audit_allow_sockets=true
     --audit_allow_null_accept_socket_events=true
     --audit_allow_accept_socket_events=true
     --audit_allow_failed_socket_events=true
     --audit_allow_unix=true
  6. Even from browsers like Chrome, only the 'Connect' event is seen.
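The question above is really about correlating the connect row osquery emits with a later close row for the same socket. As an added example (not part of the question and not osquery's own code), the script below reads osquery result-log lines in the differential "added" format shown in the question, pairs each connect/accept with the next close for the same (pid, fd), and reports sockets for which no close was ever logged, which is exactly the symptom described. The log lines are constructed for the example; the spelling "close" for the closing action is an assumption, so the comparison is case-insensitive.

```python
"""Pair osquery socket_events connect/close rows and list sockets never closed."""
import json

# Constructed sample result-log lines (not real captures): two connects from
# curl, one matching close, and an unrelated process_events row to be skipped.
SAMPLE_LOG = """\
{"name":"socket_events","hostIdentifier":"host1","unixTime":1683133398,"columns":{"action":"connect","auid":"502","family":"2","fd":"5","path":"/usr/bin/curl","pid":"3237","remote_address":"216.239.38.120","remote_port":"443","status":"","time":"1683133396"},"action":"added"}
{"name":"socket_events","hostIdentifier":"host1","unixTime":1683133398,"columns":{"action":"connect","auid":"502","family":"2","fd":"7","path":"/usr/bin/curl","pid":"3240","remote_address":"93.184.216.34","remote_port":"80","status":"","time":"1683133397"},"action":"added"}
{"name":"socket_events","hostIdentifier":"host1","unixTime":1683133408,"columns":{"action":"close","auid":"502","family":"2","fd":"7","path":"/usr/bin/curl","pid":"3240","remote_address":"93.184.216.34","remote_port":"80","status":"","time":"1683133399"},"action":"added"}
{"name":"process_events","hostIdentifier":"host1","unixTime":1683133408,"columns":{"pid":"3241","path":"/bin/ls"},"action":"added"}
"""

# Actions that open a tracked socket. "close" is an assumed name for the
# closing action; the question never observed one, so it cannot be confirmed.
OPEN_ACTIONS = {"connect", "accept"}
CLOSE_ACTION = "close"


def parse_socket_events(text):
    """Return the column dicts of socket_events rows (differential 'added' rows only)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if rec.get("name") != "socket_events" or rec.get("action") != "added":
            continue
        rows.append(rec["columns"])
    return rows


def correlate(rows):
    """Pair each connect/accept with the next close on the same (pid, fd).

    Returns (closed, still_open): closed holds the connect row plus a
    'duration' in seconds; still_open holds connect rows for which no close
    was observed, the case the question describes.
    """
    inflight = {}   # (pid, fd) -> connect row awaiting its close
    closed = []
    unclosed = []
    for col in sorted(rows, key=lambda c: int(c["time"])):
        key = (col["pid"], col["fd"])
        action = col["action"].lower()
        if action in OPEN_ACTIONS:
            # Same fd opened again without a close means the descriptor was
            # reused; the earlier socket is reported as never closed.
            if key in inflight:
                unclosed.append(inflight.pop(key))
            inflight[key] = col
        elif action == CLOSE_ACTION:
            opened = inflight.pop(key, None)
            if opened is None:
                continue  # close for a socket whose open we never saw
            closed.append({**opened, "duration": int(col["time"]) - int(opened["time"])})
    return closed, unclosed + list(inflight.values())


def report(text):
    """Compact summary: (pid, remote, duration) for closed, (pid, remote) for open."""
    closed, still_open = correlate(parse_socket_events(text))
    return {
        "closed": [(c["pid"], c["remote_address"], c["duration"]) for c in closed],
        "open": [(o["pid"], o["remote_address"]) for o in still_open],
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_LOG), indent=2))
```

Run it against a real osqueryd results log (one JSON object per line) to see which connects never received a close; if every socket lands in "open", the close rows are simply not being produced, which is what the question reports.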