
#1 2025-03-26 18:13:50

neyb
Member
Registered: 2019-06-21
Posts: 24

is it me or the osquery package is bugged ?

Hi there !

I'm trying to install primo / fleet / orbit.

I found an AUR which seems to be fine (https://aur.archlinux.org/packages/fleet-orbit). Note this package depends on osquery (which contains the osqueryd binary file).

On primo I can download a deb file. I've extracted this deb with debtap -x.

From there I can see that this deb file embeds an osqueryd binary on which I can run `extracted/.../osqueryd --version` which returns a version... As expected...

But the problem is if I run `/usr/bin/osqueryd --version` I get this error :

./osqueryd: symbol lookup error: ./osqueryd: undefined symbol: _ZN3Aws8Firehose5Model21PutRecordBatchRequestC1Ev

I've replaced the /usr/bin/osquery with the one provided in the deb file... But it feels kinda lame.

Can someone else test this :

sudo pacman -S osquery
/usr/bin/osqueryd --version

How can I signal this ?

----

PS: I've tried a lot of versions from the archive, none seems to work (for example `sudo pacman -U https://archive.archlinux.org/packages/o/osquery/osquery-5.14.1-4-x86_64.pkg.tar.zst`).

Last edited by neyb (2025-03-26 20:59:43)

Offline

#2 2025-03-26 21:38:48

seth
Member
Registered: 2012-09-03
Posts: 62,203

Re: is it me or the osquery package is bugged ?

pacman -Qikk osquery aws-sdk-cpp-firehose
ldd /usr/bin/osqueryd

Most likely you ran a partial update.

Offline

#3 2025-03-27 06:40:51

neyb
Member
Registered: 2019-06-21
Posts: 24

Re: is it me or the osquery package is bugged ?

I don't remember having run a partial update... That being said, I remember having canceled the first installation of fleet-orbit...

❯ pacman -Qikk osquery aws-sdk-cpp-firehose
Nom                      : osquery
Version                  : 5.16.0-2
Description              : SQL powered operating system instrumentation, monitoring, and analytics
Architecture             : x86_64
URL                      : https://osquery.io
Licences                 : Apache-2.0 OR GPL-2.0-only
Groupes                  : --
Fournit                  : --
Dépend de                : audit  augeas  aws-c-auth  aws-c-cal  aws-c-common  aws-c-compression  aws-c-event-stream  aws-c-http  aws-c-io  aws-c-mqtt  aws-c-s3
                           aws-c-sdkutils  aws-checksums  aws-crt-cpp  aws-sdk-cpp-core  aws-sdk-cpp-ec2  aws-sdk-cpp-firehose  aws-sdk-cpp-iam  aws-sdk-cpp-kinesis  bash
                           boost-libs  cryptsetup  dbus  device-mapper  file  gcc-libs  gflags  glibc  google-glog  iptables  libarchive  libcap  librdkafka  openssl  popt
                           rocksdb  rpm-tools  s2n-tls  sleuthkit  sqlite  systemd-libs  thrift  yara  zlib  zstd
Dépendances opt.         : --
Requis par               : fleet-orbit
Optionnel pour           : --
Est en conflit avec      : --
Remplace                 : --
Taille installée         : 4,22 MiB
Paqueteur                : Carl Smedstad <carsme@archlinux.org>
Compilé le               : mer. 12 mars 2025 14:03:40
Installé le              : mer. 26 mars 2025 18:52:16
Motif d’installation     : Installé comme dépendance d’un autre paquet
Script d’installation    : Non
Validé par               : Signature

avertissement : osquery : /usr/bin/osqueryd (Les dates de modification ne correspondent pas)
avertissement : osquery : /usr/bin/osqueryd (Les tailles ne correspondent pas)
avertissement : osquery : /usr/bin/osqueryd (SHA256 les sommes de contrôle ne correspondent pas)
osquery : 36 fichiers au total, 1 fichier modifié
Nom                      : aws-sdk-cpp-firehose
Version                  : 1.11.531-1
Description              : AWS SDK for C++ - Firehose libraries
Architecture             : x86_64
URL                      : https://github.com/aws/aws-sdk-cpp
Licences                 : Apache-2.0
Groupes                  : --
Fournit                  : --
Dépend de                : aws-c-common  aws-crt-cpp  aws-sdk-cpp-core  gcc-libs  glibc
Dépendances opt.         : --
Requis par               : aws-sdk-cpp  osquery
Optionnel pour           : --
Est en conflit avec      : --
Remplace                 : --
Taille installée         : 1420,04 KiB
Paqueteur                : Carl Smedstad <carsme@archlinux.org>
Compilé le               : sam. 22 mars 2025 16:02:00
Installé le              : mer. 26 mars 2025 17:13:42
Motif d’installation     : Installé comme dépendance d’un autre paquet
Script d’installation    : Non
Validé par               : Signature

aws-sdk-cpp-firehose : 185 fichiers au total, 0 fichier modifié

zed  main [!]  v1.85.1 
❌1 ❯ ldd /usr/bin/osqueryd
	linux-vdso.so.1 (0x0000731b499a6000)
	libdl.so.2 => /usr/lib/libdl.so.2 (0x0000731b4999b000)
	libresolv.so.2 => /usr/lib/libresolv.so.2 (0x0000731b443c8000)
	librt.so.1 => /usr/lib/librt.so.1 (0x0000731b49996000)
	libm.so.6 => /usr/lib/libm.so.6 (0x0000731b442d0000)
	libpthread.so.0 => /usr/lib/libpthread.so.0 (0x0000731b442cb000)
	libc.so.6 => /usr/lib/libc.so.6 (0x0000731b440d9000)
	/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x0000731b499a8000)

Last edited by neyb (2025-03-27 06:53:00)

Offline

#4 2025-03-27 06:52:22

neyb
Member
Registered: 2019-06-21
Posts: 24

Re: is it me or the osquery package is bugged ?

I ran

sudo pacman -S --asdeps osquery

and now

❯ ldd /usr/bin/osqueryd
	linux-vdso.so.1 (0x000074f83c294000)
	libresolv.so.2 => /usr/lib/libresolv.so.2 (0x000074f83c25c000)
	libthrift-0.21.0.so => /usr/lib/libthrift-0.21.0.so (0x000074f83bd67000)
	librocksdb.so.9.10 => /usr/lib/librocksdb.so.9.10 (0x000074f83b200000)
	librdkafka.so.1 => /usr/lib/librdkafka.so.1 (0x000074f83ae00000)
	libyara.so.10 => /usr/lib/libyara.so.10 (0x000074f83bcfa000)
	libip4tc.so.2 => /usr/lib/libip4tc.so.2 (0x000074f83c253000)
	libip6tc.so.2 => /usr/lib/libip6tc.so.2 (0x000074f83c248000)
	libaudit.so.1 => /usr/lib/libaudit.so.1 (0x000074f83c21a000)
	libudev.so.1 => /usr/lib/libudev.so.1 (0x000074f83bcb3000)
	libaugeas.so.0 => /usr/lib/libaugeas.so.0 (0x000074f83bc66000)
	libmagic.so.1 => /usr/lib/libmagic.so.1 (0x000074f83bc3b000)
	libdevmapper.so.1.02 => /usr/lib/libdevmapper.so.1.02 (0x000074f83bbdf000)
	libcryptsetup.so.12 => /usr/lib/libcryptsetup.so.12 (0x000074f83b16f000)
	librpm.so.10 => /usr/lib/librpm.so.10 (0x000074f83b0ef000)
	librpmio.so.10 => /usr/lib/librpmio.so.10 (0x000074f83bbaf000)
	libpopt.so.0 => /usr/lib/libpopt.so.0 (0x000074f83c209000)
	libdbus-1.so.3 => /usr/lib/libdbus-1.so.3 (0x000074f83b09c000)
	libcap.so.2 => /usr/lib/libcap.so.2 (0x000074f83c1fd000)
	libtsk.so.22 => /usr/lib/libtsk.so.22 (0x000074f83acf9000)
	libsqlite3.so.0 => /usr/lib/libsqlite3.so.0 (0x000074f83ab88000)
	libarchive.so.13 => /usr/lib/libarchive.so.13 (0x000074f83aab3000)
	libzstd.so.1 => /usr/lib/libzstd.so.1 (0x000074f83a9ce000)
	libglog.so.2 => /usr/lib/libglog.so.2 (0x000074f83a979000)
	libgflags.so.2.2 => /usr/lib/libgflags.so.2.2 (0x000074f83a94b000)
	libssl.so.3 => /usr/lib/libssl.so.3 (0x000074f83a86f000)
	libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x000074f83a200000)
	libboost_chrono.so.1.87.0 => /usr/lib/libboost_chrono.so.1.87.0 (0x000074f83bba6000)
	libboost_context.so.1.87.0 => /usr/lib/libboost_context.so.1.87.0 (0x000074f83c1f4000)
	libboost_filesystem.so.1.87.0 => /usr/lib/libboost_filesystem.so.1.87.0 (0x000074f83a847000)
	libboost_system.so.1.87.0 => /usr/lib/libboost_system.so.1.87.0 (0x000074f83a842000)
	libboost_thread.so.1.87.0 => /usr/lib/libboost_thread.so.1.87.0 (0x000074f83a824000)
	libz.so.1 => /usr/lib/libz.so.1 (0x000074f83a80b000)
	libaws-cpp-sdk-firehose.so => /usr/lib/libaws-cpp-sdk-firehose.so (0x000074f83a778000)
	libaws-cpp-sdk-kinesis.so => /usr/lib/libaws-cpp-sdk-kinesis.so (0x000074f83a173000)
	libaws-cpp-sdk-sts.so => /usr/lib/libaws-cpp-sdk-sts.so (0x000074f83a73d000)
	libaws-cpp-sdk-ec2.so => /usr/lib/libaws-cpp-sdk-ec2.so (0x000074f839200000)
	libaws-cpp-sdk-core.so => /usr/lib/libaws-cpp-sdk-core.so (0x000074f839090000)
	libaws-crt-cpp.so => /usr/lib/libaws-crt-cpp.so (0x000074f83a0ef000)
	libaws-c-mqtt.so.1.0.0 => /usr/lib/libaws-c-mqtt.so.1.0.0 (0x000074f83a095000)
	libaws-c-event-stream.so.1.0.0 => /usr/lib/libaws-c-event-stream.so.1.0.0 (0x000074f83a725000)
	libaws-c-s3.so.0unstable => /usr/lib/libaws-c-s3.so.0unstable (0x000074f83a6ed000)
	libaws-c-auth.so.1.0.0 => /usr/lib/libaws-c-auth.so.1.0.0 (0x000074f839059000)
	libaws-c-http.so.1.0.0 => /usr/lib/libaws-c-http.so.1.0.0 (0x000074f838ffa000)
	libaws-c-io.so.1.0.0 => /usr/lib/libaws-c-io.so.1.0.0 (0x000074f838fb4000)
	libs2n.so.1 => /usr/lib/libs2n.so.1 (0x000074f838e47000)
	libaws-c-cal.so.1.0.0 => /usr/lib/libaws-c-cal.so.1.0.0 (0x000074f83a082000)
	libaws-checksums.so.1.0.0 => /usr/lib/libaws-checksums.so.1.0.0 (0x000074f83a070000)
	libaws-c-compression.so.1.0.0 => /usr/lib/libaws-c-compression.so.1.0.0 (0x000074f83a06b000)
	libaws-c-sdkutils.so.1.0.0 => /usr/lib/libaws-c-sdkutils.so.1.0.0 (0x000074f838e2d000)
	libaws-c-common.so.1 => /usr/lib/libaws-c-common.so.1 (0x000074f838ded000)
	libm.so.6 => /usr/lib/libm.so.6 (0x000074f838cf5000)
	libstdc++.so.6 => /usr/lib/libstdc++.so.6 (0x000074f838a00000)
	libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x000074f838cc7000)
	libc.so.6 => /usr/lib/libc.so.6 (0x000074f83880e000)
	/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x000074f83c296000)
	libsnappy.so.1 => /usr/lib/libsnappy.so.1 (0x000074f838cb8000)
	libbz2.so.1.0 => /usr/lib/libbz2.so.1.0 (0x000074f838ca5000)
	liblz4.so.1 => /usr/lib/liblz4.so.1 (0x000074f8387e9000)
	liburing.so.2 => /usr/lib/liburing.so.2 (0x000074f838c9e000)
	libcurl.so.4 => /usr/lib/libcurl.so.4 (0x000074f838715000)
	libsasl2.so.3 => /usr/lib/libsasl2.so.3 (0x000074f8386f7000)
	libcap-ng.so.0 => /usr/lib/libcap-ng.so.0 (0x000074f838c96000)
	libfa.so.1 => /usr/lib/libfa.so.1 (0x000074f8386e5000)
	libxml2.so.2 => /usr/lib/libxml2.so.2 (0x000074f838598000)
	liblzma.so.5 => /usr/lib/liblzma.so.5 (0x000074f838565000)
	libuuid.so.1 => /usr/lib/libuuid.so.1 (0x000074f838c8c000)
	libjson-c.so.5 => /usr/lib/libjson-c.so.5 (0x000074f838551000)
	libblkid.so.1 => /usr/lib/libblkid.so.1 (0x000074f838517000)
	libacl.so.1 => /usr/lib/libacl.so.1 (0x000074f83850e000)
	liblua.so.5.4 => /usr/lib/liblua.so.5.4 (0x000074f8384ca000)
	librpm_sequoia.so.1 => /usr/lib/librpm_sequoia.so.1 (0x000074f838200000)
	libsystemd.so.0 => /usr/lib/libsystemd.so.0 (0x000074f8380dd000)
	libewf.so.2 => /usr/lib/libewf.so.2 (0x000074f837f56000)
	libnghttp3.so.9 => /usr/lib/libnghttp3.so.9 (0x000074f8384a6000)
	libnghttp2.so.14 => /usr/lib/libnghttp2.so.14 (0x000074f837f2e000)
	libidn2.so.0 => /usr/lib/libidn2.so.0 (0x000074f837f0c000)
	libssh2.so.1 => /usr/lib/libssh2.so.1 (0x000074f837ec1000)
	libpsl.so.5 => /usr/lib/libpsl.so.5 (0x000074f837ead000)
	libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x000074f837e5a000)
	libbrotlidec.so.1 => /usr/lib/libbrotlidec.so.1 (0x000074f837e4b000)
	libicuuc.so.76 => /usr/lib/libicuuc.so.76 (0x000074f837c00000)
	libnettle.so.8 => /usr/lib/libnettle.so.8 (0x000074f837ba7000)
	libhogweed.so.6 => /usr/lib/libhogweed.so.6 (0x000074f837b5d000)
	libgmp.so.10 => /usr/lib/libgmp.so.10 (0x000074f837ab7000)
	libunistring.so.5 => /usr/lib/libunistring.so.5 (0x000074f8378d4000)
	libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x000074f83780f000)
	libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x000074f837e1e000)
	libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x000074f837e18000)
	libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x000074f837e0a000)
	libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x000074f837e03000)
	libbrotlicommon.so.1 => /usr/lib/libbrotlicommon.so.1 (0x000074f8377ec000)
	libicudata.so.76 => /usr/lib/libicudata.so.76 (0x000074f835800000)

but the binary is still broken...

Offline

#5 2025-03-27 06:55:05

neyb
Member
Registered: 2019-06-21
Posts: 24

Re: is it me or the osquery package is bugged ?

from the wiki : `A simple pacman -Syu to a properly synced mirror will fix the problem as long as pacman is not broken`. I don't understand what "properly synced mirror" means (does not work :sad:)

Offline

#6 2025-03-27 07:12:45

seth
Member
Registered: 2012-09-03
Posts: 62,203

Re: is it me or the osquery package is bugged ?

libaws-cpp-sdk-firehose.so => /usr/lib/libaws-cpp-sdk-firehose.so (0x000074f83a778000)

osquery and aws-sdk-cpp-firehose are (now) up-to-date and you're resolving the correct library.

Sorry, this looks like a packaging bug,
libaws-cpp-sdk-firehose.so has the _ZTVN3Aws8Firehose5Model21PutRecordBatchRequestE object but not the _ZN3Aws8Firehose5Model21PutRecordBatchRequestC1Ev function.

=> https://gitlab.archlinux.org/archlinux/ … -/issues/4

Offline
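
The check described in post #6 (vtable object exported, constructor function not) can be scripted against `nm -D` output. This is an added example, not part of the thread: the function names are hypothetical and the sample `nm` lines are constructed, with invented addresses.

```shell
#!/bin/sh
# Added example: classify how a library exports a symbol, from `nm -D` output.
# Function names are hypothetical; the sample below is constructed.

CTOR=_ZN3Aws8Firehose5Model21PutRecordBatchRequestC1Ev    # constructor osqueryd needs
VTABLE=_ZTVN3Aws8Firehose5Model21PutRecordBatchRequestE   # vtable object, same class

# Constructed `nm -D` lines (addresses invented) modelling the state in post #6:
# the vtable is exported, the constructor is not.
SAMPLE_NM='00000000000a1b20 V _ZTVN3Aws8Firehose5Model21PutRecordBatchRequestE
                 U _ZN3Aws23AmazonWebServiceRequestC2Ev'

# symbol_state SYMBOL  (reads `nm -D` output on stdin)
# Prints one of: function | object | undefined | absent
symbol_state() {
    awk -v sym="$1" '
        {
            name = $NF
            sub(/@.*/, "", name)          # drop @VERSION / @@VERSION suffixes
            if (name != sym) next
            type = $(NF - 1)
            if (type ~ /^[TtWw]$/) state = "function"   # text or weak code
            else if (type == "U")  state = "undefined"  # imported, not provided
            else                   state = "object"     # V, D, B, R: data
            found = 1
        }
        END { print (found ? state : "absent") }
    '
}

# missing_symbols NM_OUTPUT SYMBOL...
# Lists every symbol the library does not define; returns 1 if any is missing.
missing_symbols() {
    local nm_out sym state rc
    nm_out=$1; rc=0
    shift
    for sym in "$@"; do
        state=$(printf '%s\n' "$nm_out" | symbol_state "$sym")
        case $state in
            function|object) ;;
            *) printf '%s\t%s\n' "$state" "$sym"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Demo on the constructed sample: only the constructor is reported.
missing_symbols "$SAMPLE_NM" "$CTOR" "$VTABLE" || echo "library does not satisfy the binary"
```

On a real system, pass `"$(nm -D /usr/lib/libaws-cpp-sdk-firehose.so)"` as the first argument and the symbol named in the loader error as the second.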

#7 2025-03-27 07:38:49

neyb
Member
Registered: 2019-06-21
Posts: 24

Re: is it me or the osquery package is bugged ?

thank you. I'll wait for the update.

Offline
