Hi everyone. I'm trying to use logger plugin: https://github.com/osquery/osquery-go/blob/master/examples/logger/main.go but ran into some issues. As I understand logger_plugin expects flags to be passed, but is not passing them:

flag provided but not defined: -verbose
osqueryd[99410]: Usage of /opt/osquery/plugins/logger/threat_logger.ext:
osqueryd[99410]:   -interval int
osqueryd[99410]:   -socket string
osqueryd[99410]:             path to osqueryd extensions socket
osqueryd[99410]:   -timeout int

What I've did: 1. Loaded logger_plugin via

extensions.load

file

/opt/osquery/plugins/logger/threat_logger.ext

2. Enabled it via logger_plugin flag:

--logger_plugin=/opt/osquery/plugins/logger/threat_logger.ext

Those examples are super old. It’s entirely likely that osquery now expects extensions to accept

-verbose

and those need to be updated.

exactly

Removed it from where?

@seph One more thing. Can I use two loggers in a same time ? Filesystem and custom

I can’t remember. Probably? Try it 🙂

from

osquery.flags

file

Ah, so if osquery has

verbose

set, then it passes it to the extensions and those examples lack it? I’d suggest filing an issue in osquery-go, or just sending in a PR. Assuming it’s reasonable, I’d approve it

I'm asking because I've just made up

filesystem

logger plugin, I don't know how it's called in reality, or if it even exists as an option

I’m not sure I understand your question

I need something like:

"logger_plugin": "threat_logger,filesystem"

Right. I can’t remember if it works. Probably, test it.

ok thanks

You can definitely use multiple logger plugins. I think one or more of them could be from an extension.

Yes, but I can't find how standard one is called

https://osquery.readthedocs.io/en/latest/deployment/logging/#logger-plugins says

filesystem

and confirms you can have multipole

thanks folks