Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Stefano Bonicatti
07/22/2021, 12:01 PM@Madhur Jodhwani normally osquery expect to run as root. If you're not running it as root keep in mind that many tables may not show data/work correctly. That been said you can also tell it where you want to create the pidfile with
--pidfile=<path>m
Madhur Jodhwani
07/22/2021, 5:46 PMhow do i run osqueryd after building it on mac,I mean I get it that I am unable to run it as root but then how to get it done or how to build it as root?
s
Stefano Bonicatti
07/22/2021, 5:48 PMI'm not sure what you mean with "build it as root". I'm referring to running it as root; I assumed that it was intentional to run it as a normal user.
If not, you can use
sudom
Madhur Jodhwani
07/22/2021, 6:18 PMI ran osqueryd as root and it gave this error
E0722 23:47:56.249691 250744832 shutdown.cpp:75] [Ref #1382] osqueryd has unsafe permissions: /Users/mj/Desktop/osquery/build/osquery/osqueryds
Stefano Bonicatti
07/22/2021, 6:19 PMadd
--allow_unsafem
Madhur Jodhwani
07/22/2021, 7:28 PMok
then it gave this error
E0723 01:00:39.768704 376421888 shutdown.cpp:75] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.logE0723 01:00:42.686159 39362560 shutdown.cpp:75] Worker returned exit statusI ran it with sudo
s
Stefano Bonicatti
07/23/2021, 6:40 AMAh sorry, that’s because by default osquery tries to log there and I suppose you don’t have that path, so you would have to tell it to user another one that exists (or create that one, the folders are enough).
You can specify a different path with
--logger_path=<path>m
Madhur Jodhwani
07/23/2021, 11:32 AMstill facing the errors,this is what I faced through build osqueryd run and installed osqueryd run(both attempted to run through sudo)
I0723 17:01:56.780879 307543552 eventfactory.cpp:156] Event publisher not enabled: endpointsecurity: EndpointSecurity is disabled via configuration
I0723 17:01:56.781905 307543552 eventfactory.cpp:156] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0723 17:01:56.781971 307543552 eventfactory.cpp:156] Event publisher not enabled: scnetwork: Publisher not used
I0723 17:01:56.782012 307543552 eventfactory.cpp:156] Event publisher not enabled: event_tapping: Publisher disabled via configurationthis is the error
s
Stefano Bonicatti
07/23/2021, 11:33 AMThey are not really blocking errors, they would be prefixed with
EIm
Madhur Jodhwani
07/23/2021, 11:34 AMbut osqueryd is running?
s
Stefano Bonicatti
07/23/2021, 11:34 AMIf you don't get back the terminal prompt, osquery is indeed running.
m
Madhur Jodhwani
07/23/2021, 11:35 AMoh
but then I will have to keep this terminal running all the time na
how to run it through osqueryctl start script?
s
Stefano Bonicatti
07/23/2021, 11:41 AMosqueryctl is meant to be used when osquery is properly deployed on a system, via packages.
May I ask what your objective? Because normally running osquery from the build folder is done for development purposes/or quickly trying things, so keeping a terminal tab open is fine.
Or you can even run it in background mode, redirecting all output in
/dev/nullFor a proper deployment I would suggest build the package and installing it, so that then the systemd service is available
and osquery can be started/stopped as a service
actually sorry, systemd doesn't matter here, it's macOS. Anyway, there's a launchd file that can be used