Hey there, I'm using fleet file carving feature. B...
# fleetj
Jian Zheng
06/23/2023, 10:09 PMHey there, I'm using fleet file carving feature. But when I try to create a carve with a big file (~7MB, my carve block size set to 8MB), the carve block record doesn't seem be stored in Mysql database. I also checked my fleet server logs, I can see osquery carve/begin API was called. But, later on, I can't find any osquery carver/block API call in fleet server.
Anyone has similar issue? Or any context about what other places I should check might go wrong? Thanks!
k
Kathy Satterlee
06/23/2023, 10:11 PMHi @Jian Zheng the osquery status logs on the host may be able to shed some light here. Do you see anything there?
j
Jian Zheng
06/23/2023, 10:25 PMYeah, OSquery log is what I should check. I didn't check there yet. The Osquery is installed via fleetctl on my MacOS. Do you know where should be the log located?
Jian Zheng
06/23/2023, 10:45 PMIt doesn't seem there is a /var/log/osquery/ dir in my Mac.
Jian Zheng
06/23/2023, 11:54 PMUpdate here: I enrolled another Linux host. Installed the osquery using the linux repo. Tried the same file. It works correctly.
Still unable to figure out what's wrong on my MacOS host. I didn't find its osquery status.log. Let me know if you know where should I find the MasOS osquery log.
k
Kathy Satterlee
06/24/2023, 12:55 AM2 Views