Hello, has osquery changed how osqueryd.results.log works? It now uses a sticky bit and I can't find any documentation to what changed? I am struggling to change these permissions as the daemon keeps changing it back which means I can't log my results into splunk. Thanks

I don't think we merged something that would change this. Is this an issue with the enclosing directory? Does the sticky but cover files?

Hello Seph. Within my osquery.conf file I have "logger_mode": "644"

Beware that gflags doesn't parse octal, and normally you would have to write it as

0644

. Though for instance the documentation makes an example with

--logger_mode=420

because that's the decimal value of the octal

0644

I think we should fix the parsing. not the documentation. But we can chat in the PR

They documentation does state "_File mode for output log files by the filesystem plugin (provided as an octal string)._" I must have missed that out, thanks for the help.

ah yeah, but still, the

octal string

part is incorrect, because if so it would accept

0644

or

644

and always parse it as an octal, it’s instead parsing it in base 10, so as a decimal.

Ah yes, it is a pain working out the decimal. I have used 420 which is -rw-r--r--- and I seem to be logging it correctly. Thanks all. Glad I could help towards a fix too! 🙂