@Dan Achin is this with a package generated with

fleetctl package

? https://osquery.slack.com/archives/C08V7KTJB/p1646159484058179

No, I think just downloaded direct from osquery. we just set up our flags file to connect to fleet

Can you just have your install script create the directory?

I can ask them. I don't do windows. 🙂.

Are you intentionally using the

filesystem

logger?

the only plugin we specify in flags is tls

Sounds like something is giving osquery instructions to log via filesystem.

right...and actually we don't have a plugin specified at all, or it shouldn't. let me try and get the windows team to give me their flags file. Could a registry entry also turn on fs logging?

filesystem is the default, so that likely explains it

k. well we set tls information in flags....let me check fleet as well to see what we set there. it's been a while since I've looked at this

It does if config plugin is set to tls in flags.

yes, config plugin is tls

I'm not aware of osquery picking up any config from the registry.

hmmm...very strange then

maybe osquery is not pointing to the right flags file? Seems like it is not taking the proper file for config.

@Juan Alvarez - yes, this is exactly what it seems like. We aren't even getting tls connections to Fleet, but the flags file is specified correctly. Asking the team to look at file permissions