#general
Stefano Bonicatti

07/22/2021, 12:01 PM
@Madhur Jodhwani normally osquery expects to run as root. If you're not running it as root, keep in mind that many tables may not show data/work correctly. That being said, you can also tell it where you want to create the pidfile with --pidfile=<path>
Madhur Jodhwani

07/22/2021, 5:46 PM
How do I run osqueryd after building it on Mac? I mean, I get it that I am unable to run it as root, but then how to get it done, or how to build it as root?
Stefano Bonicatti

07/22/2021, 5:48 PM
I'm not sure what you mean by "build it as root". I'm referring to running it as root; I assumed that it was intentional to run it as a normal user. If not, you can use sudo from the terminal to run it as root.
Madhur Jodhwani

07/22/2021, 6:18 PM
I ran osqueryd as root and it gave this error:
6:18 PM
E0722 23:47:56.249691 250744832 shutdown.cpp:75] [Ref #1382] osqueryd has unsafe permissions: /Users/mj/Desktop/osquery/build/osquery/osqueryd
Stefano Bonicatti

07/22/2021, 6:19 PM
Add --allow_unsafe to the command line when launching osquery. Normally, when deployed, osquery expects to be contained in a folder where only root has write access.
Madhur Jodhwani

07/22/2021, 7:28 PM
ok
7:31 PM
Then it gave this error:
7:31 PM
E0723 01:00:39.768704 376421888 shutdown.cpp:75] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
E0723 01:00:42.686159 39362560 shutdown.cpp:75] Worker returned exit status
7:31 PM
I ran it with sudo.
Stefano Bonicatti

07/23/2021, 6:40 AM
Ah sorry, that's because by default osquery tries to log there and I suppose you don't have that path, so you would have to tell it to use another one that exists (or create that one; the folders are enough). You can specify a different path with --logger_path=<path>. The path in this case is the folder where you want to put the logs.
Madhur Jodhwani

07/23/2021, 11:32 AM
Still facing the errors. This is what I faced through the build osqueryd run and the installed osqueryd run (both attempted to run through sudo):
11:32 AM
I0723 17:01:56.780879 307543552 eventfactory.cpp:156] Event publisher not enabled: endpointsecurity: EndpointSecurity is disabled via configuration
I0723 17:01:56.781905 307543552 eventfactory.cpp:156] Event publisher not enabled: openbsm: Publisher disabled via configuration
I0723 17:01:56.781971 307543552 eventfactory.cpp:156] Event publisher not enabled: scnetwork: Publisher not used
I0723 17:01:56.782012 307543552 eventfactory.cpp:156] Event publisher not enabled: event_tapping: Publisher disabled via configuration
11:32 AM
This is the error.
Stefano Bonicatti

07/23/2021, 11:33 AM
They are not really blocking errors; those would be prefixed with E, not I. They are just informing you that those event publishers are not enabled.
Madhur Jodhwani

07/23/2021, 11:34 AM
But osqueryd is running?
Stefano Bonicatti

07/23/2021, 11:34 AM
If you don't get back the terminal prompt, osquery is indeed running.
Madhur Jodhwani

07/23/2021, 11:35 AM
Oh.
11:35 AM
But then I will have to keep this terminal running all the time, na?
11:36 AM
How to run it through the osqueryctl start script?
Stefano Bonicatti

07/23/2021, 11:41 AM
osqueryctl is meant to be used when osquery is properly deployed on a system, via packages.
11:43 AM
May I ask what your objective is? Because normally running osquery from the build folder is done for development purposes or for quickly trying things, so keeping a terminal tab open is fine. Or you can even run it in background mode, redirecting all output to /dev/null.
11:43 AM
For a proper deployment I would suggest building the package and installing it, so that the systemd service is then available
11:43 AM
and osquery can be started/stopped as a service.
11:44 AM
Actually sorry, systemd doesn't matter here, it's macOS. Anyway, there's a launchd file that can be used.