https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
n

nick fury

09/06/2022, 2:02 PM
hi, my osquery_resault.log at my fleet stop getting data in the past two weeks, and idea why does can it happen?
k

Kathy Satterlee

09/06/2022, 2:41 PM
Hi, @nick fury! Any chance your Logging destination got changed in Fleet? Are your hosts showing up as 
online
?
n

nick fury

09/06/2022, 2:46 PM
no changes and my hosts are online
k

Kathy Satterlee

09/06/2022, 3:03 PM
Are there any errors in the server logs?
And are the osquery status logs still updating?
n

nick fury

09/06/2022, 4:36 PM
the osquery status log still getting updated
k

Kathy Satterlee

09/06/2022, 4:44 PM
That depends a little on your setup. The default output for Fleet error logs is 
stderr
and you'd see them in the console running Fleet.
If the status logs are getting updated, is there any chance that we have an odd situation where you're only running differential queries and things haven't changed? Or have you run live queries as well?
n

nick fury

09/06/2022, 6:56 PM
k

Kathy Satterlee

09/06/2022, 6:57 PM
You'd need to look at the terminal window/console that is running Fleet.
n

nick fury

09/06/2022, 6:59 PM
do you have any other idie?
k

Kathy Satterlee

09/07/2022, 2:46 PM
Are you getting results back when you run a love query?
n

nick fury

09/08/2022, 9:32 AM
yes
k

Kathy Satterlee

09/08/2022, 4:45 PM
Just to be absolutely sure, can you pull the Fleet configuration with 
fleetctl get config --include-server-config
and share the values for 
osquery.result_log_plugin
and 
filesystem.result_log_file
?
n

nick fury

09/11/2022, 11:38 AM
this command isn't working for me
are you sure that is available in fleet 3.5.1
6 Views
Powered by