Hi everyone, I am just wrapping my head around the Orbit installer for the first time. Most things seem to work, but I am not seeing any Windows Event Log activity from osquery, even though my flagfile contains the line

--logger_plugin=windows_event_log

. I am curious if perhaps the issue is that the command line flag from here: https://github.com/fleetdm/fleet/blob/ecd155c16faebb033b3ea52e4cab309b54947220/orbit/pkg/osquery/flags.go is overriding the line in the flagfile. If so, is there a way to configure Orbit to not pass that logger plugin command line argument?

hey @Philip Royer, sorry you are having trouble with orbit, I am not super familiar with the windows event log channel, but just to double check — has the Windows Event Log support been enabled for osquery..? There is some docs on how to do this here (https://osquery.readthedocs.io/en/latest/installation/install-windows/#enabling-windows-event-log-support)

Running that query shows that the

logger_plugin=windows_event_log

, but I don't quite understand how it got there because I thought the CLI argument from Orbit would override the flagfile. But if that is correct then maybe registering the event log channel is the only issue. When trying to do that I am not seeing where the windows event log manifest file gets dropped on the endpoint when the .msi orbit package is installed. I also thought stuff like that would be taken care of by Orbit.

I don’t know much about Windows, but I have created this issue here (https://github.com/fleetdm/fleet/issues/7943), and will surface it internally to see what could be done to improve this

Thank you, I just went to the Issues section to create the same thing.

If you have any more info — would be super helpful to add to it 🙂