Hi osquery team, i enabled some flags through flag file

--disable_events=false

, --enable_file_events=true, --disable_audit=false and --enable_ntfs_event_publisher=true, then i restart osquery but when i login osqueryi and check osquery_flags, i can see the value of them not changed. plz advice.

osqueryi

is not, by default, a client to the daemon; the

osqueryi

binary is a link (or a copy on Windows) to the daemon, it’s the same binary that starts as a shell instead of a daemon

so how could i check the vals of flags of running osquery agent?

You can try to connect to the daemon via the extension socket, provided that’s not disabled. Launching the

osqueryi

shell you can use the

.connect PATH

command, with PATH the path to the extensions socket.

like osqueryi .connect PATH?

You first execute osqueryi to get to the shell, then use that command

ok

osquery supports being extended, by adding new tables via extensions, that are separate processes that communicate back to osquery via a thrift socket. Depending on the system it’s either a unix domain socket or a named pipe on Windows. This is used to have the shell connect to the daemon and run queries. As to where to find it, depends if it’s the default or if it has changed. By default on Windows should be

\\.\pipe\osquery.em

@Stefano Bonicatti i suffered this err when i connect PATH. [*]osquery> select * from osquery_flags where name="disable_events"; Error: Extension call failed: connect() failed: No such file or directory [*]osquery> select * from osquery_flags [*] ...> ; Error: Extension call failed: connect() failed: No such file or directory

can you try changing "linux" to platform value from os_version ? "rhel" or "debian" will probably be right but I can't confirm