# general
j
Hi everyone, my name is Jason and I have a quick question on this. Once I enroll an osquery client to Kolide, I no longer see logging events in this log file (/var/log/osquery/osqueryd.results.log). Is this expected behavior? Can somebody share their experience with this? Thank you. jh
s
I'm not sure what you mean by "kolide" but I suspect that doesn't matter...
You're enrolling it in a TLS server. What does that configuration say about logs?
j
Kolide is Fleet server and this is the enrollment command:
    /usr/bin/osqueryd \
      --enroll_secret_path=/var/osquery/enroll_secret \
      --tls_server_certs=/var/osquery/kolide-server.pem \
      --tls_hostname=koss01-oss01-fim01-app-1612381162.int.oss.mykronos.com:8080 \
      --host_identifier=uuid \
      --enroll_tls_endpoint=/api/v1/osquery/enroll \
      --config_plugin=tls \
      --config_tls_endpoint=/api/v1/osquery/config \
      --config_refresh=10 \
      --disable_distributed=false \
      --distributed_plugin=tls \
      --distributed_interval=3 \
      --distributed_tls_max_attempts=3 \
      --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
      --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
      --logger_plugin=tls \
      --logger_tls_endpoint=/api/v1/osquery/log \
      --logger_tls_period=10
s
That's the command line -- I'd have to check, but I think the server overrides that. That's part of the point of a TLS server.
j
Thank you, Seph. Is there something I can add to this command that will dictate the log location?