Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Good morning. I have a question about writing osquery logs to syslog.  I have successfully written data to the osqueryd.results.log, but would prefer the data so into /var/log/syslog.  I am on a Debian 11 VM with the following setup.

osquery.conf:

`{`
  `"options": {`
   `"utc": "true"`
  `}`
  `"schedule": {`
     `"users":`
        `"query": "SELECT * from users",`
       `"interval":  60,`
      `"description": "List all users"`
  `}`
`}`

(I'm using a interval of 60 just for testing.)
My osquery.flags file is this:

`--logger_plugin=syslog`
`--config_plugin=filesystem`
`--logger_rotate=true`
`--logger_rotate_max_files=2`

Using this setup, I get nothing in /var/log/syslog after restartin osquery.  Is there something wrong with this setup?

`--logger_rotate=true` and `--logger_rotate_max_files` have no effect, those are specific to the filesystem logger.

When using syslog as a logging output, osquery calls the `syslog` library using whatever facility is set by `--logger_syslog_facility` (with a default of `LOCAL3`)

What your syslog does with that is controlled by your syslog configuration. And I do not remember what debian sends to `/var/log/syslog`

OK.  That makes sense - I can add local3 to my rsyslog.conf file. Thank you!