https://github.com/osquery/osquery logo
Join Slack
Powered by
<@zwass> am trying to get syslog entries via osque...
# general
n
@zwass am trying to get syslog entries via osquery, for that I have integrated syslog-ng with osquery. I was able to get the syslog table, how ever not as non-root user. Hence I tried the below to get it :
Copy code
sudo useradd -r -s /bin/false <username>
sudo systemctl stop osqueryd
sudo mkdir /var/run/osquery
sudo chown -R osquery:osquery /var/osquery
sudo chown -R osquery:osquery /var/run/osquery
sudo mkdir /etc/systemd/system/osqueryd.service.d
cat << EOF | sudo tee /etc/systemd/system/osqueryd.service.d/nonroot.conf
[Service]
User=<username>
Group=<username>
AmbientCapabilities=CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
PIDFile=/var/osquery/osqueryd.pidfile
EOF
echo "--pidfile=/var/osquery/osqueryd.pidfile" | sudo tee -a /etc/osquery/osquery.flags
sudo systemctl daemon-reload
sudo systemctl start osqueryd
After this as a root user and non-root user I was able to fetch syslog data, however, after some time I start to get the error as I shown above : and no data obtained for syslog till now(both as root and non-root user. E0901 110339.587262 10114 udev.cpp:89] udev monitor returned invalid device: No buffer space available
2 Views
Open in Slack
PreviousNext
Powered by