Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
z
zwass
03/01/2022, 6:40 PM@Dan Achin is this with a package generated with
fleetctl packaged
Dan Achin
03/01/2022, 6:43 PMNo, I think just downloaded direct from osquery. we just set up our flags file to connect to fleet
z
zwass
03/01/2022, 6:43 PMCan you just have your install script create the directory?
d
Dan Achin
03/01/2022, 6:44 PMI can ask them. I don't do windows. 🙂.
@Skip Pile - does that directory exist ?
z
zwass
03/01/2022, 6:46 PMAre you intentionally using the
filesystemd
Dan Achin
03/01/2022, 6:52 PMthe only plugin we specify in flags is tls
z
zwass
03/01/2022, 6:53 PMSounds like something is giving osquery instructions to log via filesystem.
d
Dan Achin
03/01/2022, 6:54 PMright...and actually we don't have a plugin specified at all, or it shouldn't. let me try and get the windows team to give me their flags file.
Could a registry entry also turn on fs logging?
z
zwass
03/01/2022, 6:55 PMfilesystem is the default, so that likely explains it
d
Dan Achin
03/01/2022, 6:57 PMk. well we set tls information in flags....let me check fleet as well to see what we set there. it's been a while since I've looked at this
ok, ya it's all coming back to me. we set this at fleet -
logger_plugin: tls
then we have tls endpoints, etc at the client. I thought Fleet overrode the client
z
zwass
03/01/2022, 6:58 PMIt does if config plugin is set to tls in flags.
d
Dan Achin
03/01/2022, 7:02 PMyes, config plugin is tls
--config_plugin=tls
i need to step away for a bit. I've asked our internal windows team what registry entries they have set
their flags looks good to me
z
zwass
03/01/2022, 7:04 PMI'm not aware of osquery picking up any config from the registry.
d
Dan Achin
03/01/2022, 7:24 PMhmmm...very strange then
j
Juan Alvarez
03/02/2022, 4:13 PMmaybe osquery is not pointing to the right flags file? Seems like it is not taking the proper file for config.
👍 1
d
Dan Achin
03/03/2022, 8:42 PM@Juan Alvarez - yes, this is exactly what it seems like. We aren't even getting tls connections to Fleet, but the flags file is specified correctly. Asking the team to look at file permissions