# general
j
Hello, has osquery changed how osqueryd.results.log works? It now uses a sticky bit and I can't find any documentation to what changed? I am struggling to change these permissions as the daemon keeps changing it back which means I can't log my results into splunk. Thanks
s
I don't think we merged something that would change this. Is this an issue with the enclosing directory? Does the sticky bit cover files?
Though.. https://github.com/osquery/osquery/pull/7015 did change some of logging
Are you using the logger-mode flag?
j
Hello Seph. Within my osquery.conf file I have "logger_mode": "644"
I am running all my conf within the osquery.conf file and it looks like the daemon is using an osquery.flags file. Could that be an issue?
s
Beware that gflags doesn't parse octal, and normally you would have to write it as `0644`. Though for instance the documentation makes an example with `--logger_mode=420` because that's the decimal value of the octal `0644`. So you need to use `--logger_mode=420`, while the default right now is `--logger_mode=416`.
Also the documentation has to be corrected
s
I think we should fix the parsing. not the documentation. But we can chat in the PR
j
The documentation does state "_File mode for output log files by the filesystem plugin (provided as an octal string)._" I must have missed that out, thanks for the help.
s
ah yeah, but still, the `octal string` part is incorrect, because if so it would accept `0644` or `644` and always parse it as an octal, it's instead parsing it in base 10, so as a decimal.
j
Ah yes, it is a pain working out the decimal. I have used 420 which is `-rw-r--r--` and I seem to be logging it correctly. Thanks all. Glad I could help towards a fix too! 🙂