Hi everyone. Did anybody had any issues with syslog\syslog_events tables being empty on Ubuntu 20.04? No matter what I'm doing

syslog

and

syslog_events

tables are empty. 1. I believe both events are syslog are enabled on my side, since I'm able to see syslog messages in

/var/osquery/syslog_pipe

pipe.

SELECT name, value FROM osquery_flags WHERE name LIKE '%syslog%';
+---------------------------+--------------------------+
| name                      | value                    |
+---------------------------+--------------------------+
| enable_syslog             | true                     |
| logger_syslog_facility    | 19                       |
| logger_syslog_prepend_cee | false                    |
| syslog_events_expiry      | 2592000                  |
| syslog_events_max         | 100000                   |
| syslog_pipe_path          | /var/osquery/syslog_pipe |
| syslog_rate_limit         | 100                      |
+---------------------------+--------------------------+

2. rsyslogd is running and actually pushing messages to a pipe

/var/osquery/syslog_pipe

.

sudo cat /var/osquery/syslog_pipe
[sudo] password for test: 
"2021-12-06T15:38:48.459938+02:00","test-pc","5","authpriv","sudo:"," test : TTY=pts/1 ; PWD=/home/test ; USER=root ; COMMAND=/usr/bin/cat /var/osquery/syslog_pipe"
"2021-12-06T15:38:48.461863+02:00","test-pc","6","authpriv","sudo:"," pam_unix(sudo:session): session opened for user root by (uid=0)"

3. Both osquery(1st), rsyslogd(2nd) were restarted in this same order to ensure that osquery will create pipe before rsyslog will attempt to push logs

I’m not totally sure about you’re setup. But I wonder…. Is the syslog config (and socket) in osqueryd, and are you using osqueryi? Because osqueryi doesn’t normally connect to the running osqueryd — instead it creates it’s own state

Yes, config is in osqueryd and I'm using osquueryi and when I'm trying

SELECT * from syslog

it's empty

It’s not the same database. Unlike postgres, osqueryi isn’t really a client of osqueryd. It’s a completely separate osquery instance, but based around an interactive shell.

Oh

If you want to connect to a running osqueryd, you can either use the distributed queries. or look at the newish

--connect

option on osqueryi

will it work if I'll point osqueryi to the same config and flag file ?

“that’s complicated” 1. Maybe. I think you should be able to do something like that, though osqueryi won’t send the logs anywhere. But it can be used for testing stuff. 1. You’d need to stop osqueryd first, as only one thing can manage the syslog pipe.

I want to consume logs, not produce