Title
#general
Jason Hoffman

Jason Hoffman

06/14/2021, 3:28 PM
Hi everyone, my name is Jason and I have a quick question on this. Once I enroll a osquery client to Kolide and I no longer see logging events in this log file (/var/log/osquery/osqueryd.results.log) is this an expected behavior? Can somebody share their experience with this? Thank you. jh
s

seph

06/14/2021, 3:35 PM
I'm not sure what you mean by "kolide" but I suspect that doesn't matter...
3:36 PM
You're enrolling it in a TLS server. What does that configuration say about logs?
Jason Hoffman

Jason Hoffman

06/14/2021, 8:01 PM
Kolide is Fleet server and is the enrollment command
8:02 PM
"/usr/bin/osqueryd \ --enroll_secret_path=/var/osquery/enroll_secret \ --tls_server_certs=/var/osquery/kolide-server.pem \ --tls_hostname=koss01-oss01-fim01-app-1612381162.int.oss.mykronos.com:8080 \ --host_identifier=uuid \ --enroll_tls_endpoint=/api/v1/osquery/enroll \ --config_plugin=tls \ --config_tls_endpoint=/api/v1/osquery/config \ --config_refresh=10 \ --disable_distributed=false \ --distributed_plugin=tls \ --distributed_interval=3 \ --distributed_tls_max_attempts=3 \ --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \ --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \ --logger_plugin=tls \ --logger_tls_endpoint=/api/v1/osquery/log \ --logger_tls_period=10"
s

seph

06/14/2021, 10:09 PM
That's the command line -- I'd have to check, but I think the server overrides that. That's part of the point of a TLS server.
Jason Hoffman

Jason Hoffman

06/15/2021, 11:56 AM
Thank you Seph, is there a way I can add in this command that will dictate the log location?