Title
#general
j

JohnM

07/13/2021, 10:45 AM
Hello, has osquery changed how osqueryd.results.log works? It now uses a sticky bit and I can't find any documentation to what changed? I am struggling to change these permissions as the daemon keeps changing it back which means I can't log my results into splunk. Thanks
s

seph

07/13/2021, 10:47 AM
I don't think we merged something that would change this. Is this an issue with the enclosing directory? Does the sticky but cover files?
10:49 AM
Though.. https://github.com/osquery/osquery/pull/7015 did change some of logging
10:50 AM
Are you using the logger-mode flag?
j

JohnM

07/13/2021, 10:55 AM
Hello Seph. Within my osquery.conf file I have "logger_mode": "644"
10:58 AM
I am running all my conf within the osquery.conf file and it looks like the daemon is using an osquery.flags file. Could that be an issue?
Stefano Bonicatti

Stefano Bonicatti

07/13/2021, 11:14 AM
Beware that gflags doesn't parse octal, and normally you would have to write it as
0644
. Though for instance the documentation makes an example with
--logger_mode=420
because that's the decimal value of the octal
0644
11:15 AM
So you need to use
--logger_mode=420
, while the default right now is
--logger_mode=416
11:17 AM
Also the documentation has to be corrected
s

seph

07/13/2021, 1:44 PM
I think we should fix the parsing. not the documentation. But we can chat in the PR
j

JohnM

07/13/2021, 1:58 PM
They documentation does state "_File mode for output log files by the filesystem plugin (provided as an octal string)._" I must have missed that out, thanks for the help.
Stefano Bonicatti

Stefano Bonicatti

07/13/2021, 2:03 PM
ah yeah, but still, the
octal string
part is incorrect, because if so it would accept
0644
or
644
and always parse it as an octal, it’s instead parsing it in base 10, so as a decimal.
j

JohnM

07/13/2021, 2:33 PM
Ah yes, it is a pain working out the decimal. I have used 420 which is -rw-r--r--- and I seem to be logging it correctly. Thanks all. Glad I could help towards a fix too! 🙂