#fleet
zwass

03/01/2022, 6:40 PM
@Dan Achin is this with a package generated with fleetctl package? https://osquery.slack.com/archives/C08V7KTJB/p1646159484058179
Dan Achin

03/01/2022, 6:43 PM
No, I think just downloaded direct from osquery. we just set up our flags file to connect to fleet
zwass

03/01/2022, 6:43 PM
Can you just have your install script create the directory?
Dan Achin

03/01/2022, 6:44 PM
I can ask them. I don't do windows. 🙂.
6:44 PM
@Skip Pile - does that directory exist ?
zwass

03/01/2022, 6:46 PM
Are you intentionally using the filesystem logger?
Dan Achin

03/01/2022, 6:52 PM
the only plugin we specify in flags is tls
zwass

03/01/2022, 6:53 PM
Sounds like something is giving osquery instructions to log via filesystem.
Dan Achin

03/01/2022, 6:54 PM
right...and actually we don't have a plugin specified at all, or it shouldn't. let me try and get the windows team to give me their flags file. Could a registry entry also turn on fs logging?
zwass

03/01/2022, 6:55 PM
filesystem is the default, so that likely explains it
Dan Achin

03/01/2022, 6:57 PM
k. well we set tls information in flags....let me check fleet as well to see what we set there. it's been a while since I've looked at this
6:58 PM
ok, ya it's all coming back to me. we set this at fleet - logger_plugin: tls
6:58 PM
then we have tls endpoints, etc at the client. I thought Fleet overrode the client
zwass

03/01/2022, 6:58 PM
It does if config plugin is set to tls in flags.
Dan Achin

03/01/2022, 7:02 PM
yes, config plugin is tls
7:02 PM
--config_plugin=tls
7:02 PM
i need to step away for a bit. I've asked our internal windows team what registry entries they have set
7:02 PM
their flags looks good to me
zwass

03/01/2022, 7:04 PM
I'm not aware of osquery picking up any config from the registry.
Dan Achin

03/01/2022, 7:24 PM
hmmm...very strange then
Juan Alvarez

03/02/2022, 4:13 PM
maybe osquery is not pointing to the right flags file? Seems like it is not taking the proper file for config.
Dan Achin

03/03/2022, 8:42 PM
@Juan Alvarez - yes, this is exactly what it seems like. We aren't even getting tls connections to Fleet, but the flags file is specified correctly. Asking the team to look at file permissions