Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
o
Ojas
04/11/2022, 10:22 AMHey
How do i change the log level from fleet config? Info level logs are creating too much noise. I want to shift to warning ones and above
t
Tomas Touceda
04/11/2022, 11:28 AMhi there! what version of fleet are you running? and what kind of noise is info level causing? usually debug logs are the noisy ones, if info is too noisy, we would need to know how so that we can address it in the code
l
Lucas Rodriguez
04/12/2022, 9:55 AM@Ojas Did you mean "fleet server" logs or "osquery status logs" (which are sent to fleet via TLS)?
o
Ojas
04/13/2022, 3:59 AMi ment osquery logs, i am storing them on filesystem and then sending to splunk by forwarder.
Since the findings are logged to the .result file then do i need the warning and info logs? If i dont then how do i switch it off from making those
In warning all i see is this:
t
Tomas Touceda
04/13/2022, 12:37 PMfrom discussing with the team, you probably want to run osquery with
--logger_min_status=2🙌 1
o
Ojas
05/13/2022, 6:45 AM@Tomas Touceda hey
i tried doing it by putting this in global agent option in fleet but it dosent work.
I dont want to install the agent again in my 1000+ hosts. Is there a way i can configure this in the global agent itself?
I dont see good docs for what all options we can utilise in global agent options 😞
W0512 18:56:51.738189 6408 tls_enroll.cpp:77] Failed enrollment request to (No node key returned from TLS enroll plugin) retrying...
host = punct = _::.___.:]_____😕/..:////_(_______)_... source = C:\Program Files\osquery\log\osqueryd.WARNING.20220425-190228.6396 sourcetype = osquery:warning timestamp = 0512 18:56:51.738189
12/05/2022
13:26:49.032
W0512 18:56:49.032799 6408 tls_enroll.cpp:77] Failed enrollment request to (No node key returned from TLS enroll plugin) retrying...
host = punct = _::.___.:]_____😕/..:////_(_______)_... source = C:\Program Files\osquery\log\osqueryd.INFO.20220429-172544.6396 sourcetype = osquery:info timestamp = 0512 18:56:49.032799
basically i am getting these type of logs in both warning as well as info.
l
Lucas Rodriguez
05/13/2022, 2:11 PMI dont see good docs for what all options we can utilise in global agent optionsWe use the following docs: https://osquery.readthedocs.io/en/stable/installation/cli-flags/. Some options require osquery restart to take effect. E.g. one I found out today is
disable_tablesA few things to check:
1. What osquery version are you running?
2. Is osqueryd being executed with
--verbose--logger_min_status--logger_min_statusFailed enrollment request toWARNINGINFOo
Ojas
05/16/2022, 4:46 PMBut at times what happen is when i set a flag in global agents on refresh all other settings are gone and just the new flag remains. weird
l
Lucas Rodriguez
05/16/2022, 4:46 PMI believe you are hitting a known bug (which was fixed recently). Let me dig and I'll get back to you.
🙌 1
o
Ojas
05/16/2022, 4:46 PMAlso i am not running osqueryd with any options. I am using the fleet installers to install the agents directly
l
Lucas Rodriguez
05/16/2022, 6:21 PMBut at times what happen is when i set a flag in global agents on refresh all other settings are gone and just the new flag remains. weird@Ojas The issue was fixed in Fleet
v4.11.0o
Ojas
05/17/2022, 5:14 AMawesome, i havent updated it yet. I’ll update and check. thanks 🙂
👍 1
l
Lucas Rodriguez
05/17/2022, 11:53 AMIn case you need the default values for the "Global agent options", here they are:
config:
options:
logger_plugin: tls
disable_tables: curl
pack_delimiter: /
logger_tls_period: 10
distributed_plugin: tls
disable_distributed: false
logger_tls_endpoint: /api/osquery/log
distributed_interval: 10
distributed_tls_max_attempts: 3
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
overrides: {}