version = 10.0.18362
build = 18362
platform = windows
version = 4.1.2
Install 4.1.2 MSI from osquery.io on new W10 VM, run osqueryi with elevated ps.
The query complete with no error messages.

Further testing reveals the same behavior with 4.1.1 but not with 4.0.2
This is annoying and unwanted but it did not cause any issues when I started / tested a python extension.
@theopolis Just to be clear - this happens with no extensions, just vanilla osquery MSI from the website.
Right, it happens when you query osquery_info (and most likely other places) that test the Thrift socket. That table reports if extensions are active and does so by pinging the socket.
ah, ok. Understood.
These messages started to appear when we started compiling thrift from source on Windows.
I just verified with this simple source code:
#include <string>
#include <thrift/TOutput.h>
int main()
{
apache::thrift::TOutput t;
t.printf("hello");
return 0;
}
that linking the source compiled library prints, the pre-built one doesn't.
So this is the "issue":
https://github.com/apache/thrift/blob/327ebb6c2b6df8bf075da02ef45a2a034e9b79ba/lib/cpp/src/thrift/TOutput.cpp#L33
perror, which is used for those messages doesn't have that define, but uses the f_ function, which by default is
https://github.com/apache/thrift/blob/327ebb6c2b6df8bf075da02ef45a2a034e9b79ba/lib/cpp/src/thrift/TOutput.cpp#L85
which again has that define.
TLDR: Either we compile with THRIFT_SQUELCH_CONSOLE_OUTPUT or we could also change what f_ points to with GlobalOutput.setOutputFunction(myOutputFunction);
Honestly for debugging purposes I would be inclined to keep it, for instance give it an empty function by default, but switching to something that prints with --verbose.
Thanks for debugging! Is this something we could change upstream too?
Thanks for debugging! Is this something we could change upstream too?
I'm not sure I follow, change what where?
You mean patching thrift to remove in some way the printing?
Ah, sorry I misunderstood and thought that the upstream did not use f_ (something we can supply) in once instance.
Ah, sorry I misunderstood and thought that the upstream did not use f_ (something we can supply) in once instance.
Ah no we're not using setOutputFunction at all, so f_ it's set to a default that prints on stdout with that format.
I believe in the pre-built library the define is given, to completely remove the printing, but I would keep the output for debugging instead.
@theopolis, @Smjert I attempted to fix the issue in PR #6592. The logging is enabled in the verbose mode and also the log format is the same as in TOutput::errorTimeWrapper. It will be great to get your feedback.
Most helpful comment
These messages started to appear when we started compiling thrift from source on Windows.
I just verified with this simple source code:
that linking the source compiled library prints, the pre-built one doesn't.
So this is the "issue":
https://github.com/apache/thrift/blob/327ebb6c2b6df8bf075da02ef45a2a034e9b79ba/lib/cpp/src/thrift/TOutput.cpp#L33
perror, which is used for those messages doesn't have that define, but uses the
f_function, which by default ishttps://github.com/apache/thrift/blob/327ebb6c2b6df8bf075da02ef45a2a034e9b79ba/lib/cpp/src/thrift/TOutput.cpp#L85
which again has that define.
TLDR: Either we compile with
THRIFT_SQUELCH_CONSOLE_OUTPUTor we could also change whatf_points to withGlobalOutput.setOutputFunction(myOutputFunction);Honestly for debugging purposes I would be inclined to keep it, for instance give it an empty function by default, but switching to something that prints with
--verbose.