#windows
Ibra

08/01/2022, 12:06 AM
Hi, I've tried looking at the online guides but I can't figure out the steps to install osquery and generate the MSI package, or where to pass all the files in the screenshot. I saw that within the manage-osquery.ps1 file you can change the name of the service. Currently on the company PCs osquery is installed under the path "C:\Program Files\osqueryd" where you see the attached files. I should install another agent that sends the data to another fleet server (that's why I want to change the system service name from osqueryd to something else, so that the 2 agents don't bother each other). What do you recommend to do? Thanks
Stefano Bonicatti

08/01/2022, 8:37 AM
Hello @Ibra, have you checked https://osquery.readthedocs.io/en/latest/development/building/#building-packages? It’s a two step process. First the code in the repo osquery/osquery builds osquery and then installs it in a folder together with all the files needed. Then the code in the repo osquery/osquery-packaging takes whatever is in that folder and creates the MSI. What goes in the initial install folder is driven by https://github.com/osquery/osquery/blob/master/cmake/install_directives.cmake, but instead of modifying that you can have CMake include your own by specifying the OSQUERY_INSTALL_DIRECTIVES option at configure time, pointing to a different .cmake. Keep in mind that the install_directives.cmake file doesn’t just copy files that will be included in the MSI, but there’s also a WiX patch file which helps construct the MSI itself. If you want to then modify other things of the MSI itself, then you most likely need to edit the CMake code in the osquery/osquery-packaging repo.
Ibra

08/01/2022, 9:07 AM
Thank you @Stefano Bonicatti, but I still can't understand. Could you detail the steps I should follow by pointing them out in steps? What I want to do is to install osquery in a different path from "C:\program files\osqueryd", for example in "C:\program files\EXP-OSQUERY", also changing the daemon name from osqueryd to exp-osquery. Is it possible?
sharvil

08/01/2022, 10:03 AM
also changing the daemon name from osqueryd to exp-osquery. is it possible?
I don't think this is currently possible
Ibra

08/01/2022, 10:04 AM
can the daemon have 2 different flag files and send data to 2 different fleet servers?
10:04 AM
@sharvil
sharvil

08/01/2022, 10:07 AM
can the daemon have 2 different flag files and send data to 2 different fleet servers?
Not for the same osqueryd process, I think it might be possible for another distinct osqueryd process from a different path though
Ibra

08/01/2022, 10:10 AM
That is what I want to do, which is to run 2 instances of osquery on the same machine, but I don't know how to pass it different file flags and if they can coexist as osqueryd
sharvil

08/01/2022, 10:40 AM
I think that would depend on how you run osqueryd, it might require that one has to create a new service (I am assuming you want to do this on Windows, which I don't know much about), with a different path, and a different set of flagfile/configs
Ibra

08/01/2022, 10:44 AM
Exactly, that is exactly what I want to do, only I can't find any guide
Stefano Bonicatti

08/01/2022, 11:06 AM
If you need to run 2 instances of the daemon you already can with a single installation, you just have to set a different path for the pidfile with the --pidfile flag and a different database path with --database_path, also ensuring that the config file in the installation doesn’t touch those flags, or just provide a separate config file with --config_path; that’s what would cause launching a second instance of osquery to fail. You can also create 2 services that point to the same osquery binary, with different names and those different flags.