I've got question about permissions of the /var/log/osquery/osqueryd.results.file. When I restart rsyslog on my Ubuntu20 host, in /var/log/syslog, I get the message

$FLAG_FILE: No such file or directory

yet the flag file clearly exists in /etc/osquery/osquery.flags. The osquery flag file has permissions of 640 but I've tried 777 and it still doesn't find it. What could be wrong?

Hi again @Kathy Lyons! This sounds like it may be an issue with the path rather than permissions. Can you share the command you're using to launch osquery?

sorry it took me so long to respond - was away. I use: systemctl start osqueryd to start osquery

MIght be useful to check out the unit properties:

systemctl show osquery