
zwass

03/01/2022, 6:40 PM
@Dan Achin is this with a package generated with `fleetctl package`? https://osquery.slack.com/archives/C08V7KTJB/p1646159484058179

Dan Achin

03/01/2022, 6:43 PM
No, I think just downloaded direct from osquery. We just set up our flags file to connect to Fleet

zwass

03/01/2022, 6:43 PM
Can you just have your install script create the directory?

Dan Achin

03/01/2022, 6:44 PM
I can ask them. I don't do Windows. 🙂
@Skip Pile - does that directory exist?

zwass

03/01/2022, 6:46 PM
Are you intentionally using the `filesystem` logger?

Dan Achin

03/01/2022, 6:52 PM
the only plugin we specify in flags is tls

zwass

03/01/2022, 6:53 PM
Sounds like something is giving osquery instructions to log via filesystem.

Dan Achin

03/01/2022, 6:54 PM
right...and actually we don't have a plugin specified at all, or it shouldn't. let me try and get the windows team to give me their flags file. Could a registry entry also turn on fs logging?

zwass

03/01/2022, 6:55 PM
filesystem is the default, so that likely explains it

Dan Achin

03/01/2022, 6:57 PM
k. well we set tls information in flags....let me check fleet as well to see what we set there. it's been a while since I've looked at this
ok, ya it's all coming back to me. we set this at fleet - logger_plugin: tls
then we have tls endpoints, etc at the client. I thought Fleet overrode the client

zwass

03/01/2022, 6:58 PM
It does if config plugin is set to tls in flags.

Dan Achin

03/01/2022, 7:02 PM
yes, config plugin is tls
--config_plugin=tls
I need to step away for a bit. I've asked our internal Windows team what registry entries they have set
their flags look good to me

zwass

03/01/2022, 7:04 PM
I'm not aware of osquery picking up any config from the registry.

Dan Achin

03/01/2022, 7:24 PM
hmmm...very strange then

Juan Alvarez

03/02/2022, 4:13 PM
maybe osquery is not pointing to the right flags file? Seems like it is not taking the proper file for config.
👍 1

Dan Achin

03/03/2022, 8:42 PM
@Juan Alvarez - yes, this is exactly what it seems like. We aren't even getting tls connections to Fleet, but the flags file is specified correctly. Asking the team to look at file permissions