# macos
e
Hi folks - looking for a little debug help here. Installing osquery 5.11.0 from the .pkg on a MacBook Pro M1 Pro, MacOS 14.4. When I install the .pkg and try to run `osqueryi`, bash can’t find the command. Then, when I look at `/opt/osquery/lib/` it’s empty, no `osquery.app`. I have previously installed via Homebrew and had the same issue (after a number of initial successful installs/deinstalls when testing an osquery install script). Tried all sorts of cleanup steps to try and get a greenfield install, but nothing seems to be working. Any idea what’s going on here?
a
This is interesting, if folks don’t follow up sooner I’ll take a look
s
e
Ah - thank you @Stefano Bonicatti!
k
Ah yeah this would do it!
Would clearing out previous osquery package receipts be a viable workaround (since I don't see one on the issue?)
e
Tried this I believe, and it didn’t seem to work (with a `sudo pkgutil --forget io.osquery.agent`)
s
That's not enough, the installer still finds the folder. It knows where it is (admittedly I'm not very familiar on how exactly, but forgetting it is not enough)
e
Also, does having a Kolide installation with osqueryd prevent another installation from working? Or do I just need to update the `osqueryi` symlink to point to Kolide?
s
I'm not familiar with how Kolide installs things and where, but in general, beyond the .app issue, you can run multiple osqueryd, but they all need their own paths for the database, filesystem log files (if any), pidfile and so on; otherwise, when they are not specified, the default paths are used and they will collide (or osquery refuses to start).
`--database_path`, `--pidfile`, `--logger_path`
But the question I would have is why you would want that, unless you want a very specific version (or you are developing osquery related things). If you just want to run osquery in shell mode, then you can use the binary Kolide has installed, no need to change paths. `osqueryi` is just a symlink/convenience for `osqueryd -S`.
The collision issue I was referring to above is more if you wanted a second instance of osquery running as a daemon
e
Got it - yep, just want to run osquery in shell mode
Makes sense
s
Forgot about the config part too, that's also read by the shell, so in case it's giving you issues (maybe it limits what you'd like to do/query), you want to change `--config_path` and `--flagfile`
e
Hmm - okay, so getting a “cannot execute binary” error. Forgive me for lack of knowledge here - how can I run shell mode here?
s
how are you executing it?
e
initially trying to run it from the shell itself. Do I need to instead create a symlink?
in directory with Kolide’s osqueryd binary: `bash osqueryd`
s
From an existing terminal you would do `./<path to folder where osqueryd is>/osqueryd -S`, or move into that folder and do `./osqueryd -S`
e
Ah yes
Got it
s
The shell mode is provided by osquery itself
e
yep - got that sorted. Then to escape Kolide’s configuration, I would need to create my own config file and point at it with the `--config_path` flag?
s
Correct, and likely `--flagfile` too
e
Okay great, thanks much for the help!
s
Hrm. Kolide does ship the stock `osquery.app` (though not inside the .pkg). You’re suggesting that because of #7900 this is problematic.
Kolide does not ship an osquery configuration or a flag file. Those come out of launcher. Depending on what you’re doing, you may want to run `/usr/local/kolide-k2/bin/launcher interactive`