Hey How do i change the log level from fleet conf...
# general
o
Hey, how do I change the log level from fleet config? Info level logs are creating too much noise. I want to shift to warning ones and above
t
hi there! what version of fleet are you running? and what kind of noise is info level causing? usually debug logs are the noisy ones, if info is too noisy, we would need to know how so that we can address it in the code
l
@Ojas Did you mean "fleet server" logs or "osquery status logs" (which are sent to fleet via TLS)?
o
I meant osquery logs, I am storing them on filesystem and then sending to Splunk by forwarder.
Since the findings are logged to the .result file then do I need the warning and info logs? If I don't then how do I switch it off from making those
In warning all I see is this:
t
from discussing with the team, you probably want to run osquery with --logger_min_status=2 so that you don't see those warnings
🙌 1
o
@Tomas Touceda hey I tried doing it by putting this in global agent option in fleet but it doesn't work. I don't want to install the agent again in my 1000+ hosts. Is there a way I can configure this in the global agent itself?
I don't see good docs for what all options we can utilise in global agent options 😞
W0512 185651.738189 6408 tls_enroll.cpp:77] Failed enrollment request to (No node key returned from TLS enroll plugin) retrying...
host = punct = _:. .]_____//..////_(_______)_... source = C:\Program Files\osquery\log\osqueryd.WARNING.20220425-190228.6396 sourcetype = osquery:warning timestamp = 0512 185651.738189
12/05/2022 132649.032
W0512 185649.032799 6408 tls_enroll.cpp:77] Failed enrollment request to (No node key returned from TLS enroll plugin) retrying...
host = punct = _:. .]_____//..////_(_______)_... source = C:\Program Files\osquery\log\osqueryd.INFO.20220429-172544.6396 sourcetype = osquery:info timestamp = 0512 185649.032799
basically I am getting these types of logs in both warning as well as info.
l
I don't see good docs for what all options we can utilise in global agent options
We use the following docs: https://osquery.readthedocs.io/en/stable/installation/cli-flags/. Some options require osquery restart to take effect. E.g. one I found out today is disable_tables, such option can be set in Fleet's Global Agent options, but requires an osquery restart to take effect.
A few things to check:
1. What osquery version are you running?
2. Is osqueryd being executed with --verbose? (--logger_min_status is ignored if that's the case)
3. Is --logger_min_status flag being set when launching osqueryd in the host?
Regarding the duplication of the "Failed enrollment request to" in WARNING and INFO log maybe worth asking on the #general channel?
o
But at times what happens is when I set a flag in global agents, on refresh all other settings are gone and just the new flag remains. Weird
l
I believe you are hitting a known bug (which was fixed recently). Let me dig and I'll get back to you.
🙌 1
o
Also I am not running osqueryd with any options. I am using the fleet installers to install the agents directly
l
But at times what happens is when I set a flag in global agents, on refresh all other settings are gone and just the new flag remains. Weird
@Ojas The issue was fixed in Fleet v4.11.0 (#4470).
o
Awesome, I haven't updated it yet. I’ll update and check. Thanks 🙂
👍 1
l
In case you need the default values for the "Global agent options", here they are:
config:
  options:
    logger_plugin: tls
    disable_tables: curl
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
overrides: {}
(Assuming you lost them due to the update bug.)