Erich Stoekl
05/19/2020, 4:47 PM
Julian Scala
05/19/2020, 5:21 PM
force=True flag but it's not working.
koba
05/20/2020, 6:04 AM
kolide.flags looks like this
--enroll_secret_path=/private/var/osquery/enroll_secret
--tls_server_certs=/pathtocert/server.cert
--tls_hostname=my.hostname
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
--allow_unsafe
--disable_events=false
Error when I run sudo ./osqueryd --flagfile=./kolide.flags
E0520 11:28:23.254142 330911168 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:23.254894 330911168 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:23.254936 330911168 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:23.255002 330911168 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
E0520 11:28:28.949097 311709120 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:28.950387 311709120 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:28.950567 311709120 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:28.950739 311709120 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
E0520 11:28:34.946043 267435456 init.cpp:509] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I0520 11:28:34.947048 267435456 events.cpp:863] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0520 11:28:34.947127 267435456 events.cpp:863] Event publisher not enabled: scnetwork: Publisher not used
I0520 11:28:34.947149 267435456 events.cpp:863] Event publisher not enabled: event_tapping: Publisher disabled via configuration
wtheaker
05/21/2020, 5:52 PM
additional_queries like decorators for ad-hoc queries?
poisonous97
05/25/2020, 3:46 AM
Avi Apelbaum
05/25/2020, 9:31 AM
OMAR
05/28/2020, 9:20 PM
nyanshak
05/29/2020, 5:22 PM
tory
05/29/2020, 7:53 PM
Kyle
06/01/2020, 1:17 AM
kolide_grpc and filesystem loggers for launcher. The logs are being sent to the fleet server just fine; however, no results appear on the filesystem. My options file is:
apiVersion: v1
kind: options
spec:
  config:
    decorators:
      always:
        - SELECT user AS username FROM logged_in_users WHERE user <> '' ORDER BY time LIMIT 1
      interval:
        "3600": SELECT total_seconds AS uptime FROM uptime
      load:
        - SELECT version FROM osquery_info
        - SELECT uuid AS host_uuid FROM system_info
    options:
      config_plugin: kolide_grpc
      disable_events: false
      distributed_interval: 3
      distributed_tls_max_attempts: 3
      events_max: 8
      logger_path: /var/log/launcher/results
      logger_plugin: kolide_grpc,filesystem
      verbose: true
      watchdog_level: -1
  overrides: {}
Is there something I've missed? Cheers
VishnuVardhan
06/01/2020, 4:00 PM
wtheaker
06/01/2020, 11:54 PM
defensivedepth
06/03/2020, 9:09 AM
enabled - How do I import them as disabled? I know I have done this in the past, but I can't remember/find the docs I used.
VishnuVardhan
06/03/2020, 2:10 PM
MartinC
06/04/2020, 6:51 AM
MartinC
06/04/2020, 7:03 AM
--hostname=10.15.168.149:8080 \
--enroll_secret=ffdfdsfsdfsdfsJXP6H4ZY \
--autoupdate \
--update_channel=stable \
--osquery_version=stable \
--launcher_version ./build/darwin/launcher \
--extension_version ./build/darwin/osquery-extension.ext
Built you packages in /var/folders/lg/1cj49b613q1_8qdt8dn_71zm0000gn/T/launcher-package855399667
MartinC
06/04/2020, 7:03 AM
Eric Brue
06/05/2020, 3:48 PM
Andrew MacKenzie
06/05/2020, 6:17 PM
hilt
06/08/2020, 2:26 AM
Taj Popoola
06/08/2020, 3:21 PM
David
06/09/2020, 11:38 PM
David
06/10/2020, 7:55 PM
David
06/10/2020, 9:54 PM
--tls_hostname=mykolide.lab.mydomain.com:8080
--tls_server_certs=C:\ProgramData\osquery\cert.pem
--enroll_secret_path=C:\ProgramData\osquery\secret.txt
--host_identifier=hostname
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=120
--config_tls_max_attempts=3
--config_accelerated_refresh=60
--enroll_tls_endpoint=/api/v1/osquery/enroll
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=60
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=60
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--disable_carver=true
--config_refresh=60
--buffered_log_max=500000
David
06/11/2020, 9:32 PM
binu
06/15/2020, 10:36 AM
Ryan
06/15/2020, 3:33 PM
SELECT 1 FROM custom_metadata WHERE team = "Team name" for each team name in use. This was working fine, but today we noticed that the labels were failing to load in the Fleet sidebar. The request to /api/v1/kolide/labels times out. The equivalent request fleetctl get labels was working, but taking several seconds.
Are we creating too many labels here perhaps? Is there a better way to accomplish this instead?
SRGNR
06/16/2020, 6:42 AM
Kyle
06/17/2020, 2:03 AM
http://localhost:8080 I get connection refused or "sending http request to https server", and then using https, it works with a self-signed cert (I think the default one?). I checked my pod's config, everything is mounting correctly, exec'd into the pod to check the config and it had tls: false
vaar
06/18/2020, 7:38 AM