
Jason Lockwood

03/16/2021, 6:14 PM
Basically I'm getting an error that osquery can't find the conf file, but I'm able to list the contents via PowerShell in the path listed in the error message. Running this in a 2019 Core Docker container.

Mike Myers

03/16/2021, 8:27 PM
Maybe you can run with --verbose and share the output here, including the path of the conf file and the permissions on it. If it's osqueryi, it can work without the conf file too.

Jason Lockwood

03/16/2021, 11:53 PM
OK, will do and get back. Thanks!
So I found a problem with my flags file (quoted path to config); once removed, I can launch osqueryd manually, but starting the service still seems to stop with no error; logging just shows it starting then stopping.

Mike Myers

03/17/2021, 6:55 PM
Ah, good catch. It still seems like there's a problem, maybe with the flags or the config. You can try sharing those here for us to spot the problem.

Jason Lockwood

03/18/2021, 6:01 PM
Let me play with those a little (total osquery newbie here), so maybe just familiarity will fix the problem. Should it run 'out of the box' if I adjust nothing? If so, I'll back out my changes, then add one at a time until I break it again.

Mike Myers

03/18/2021, 9:26 PM
Out of the box it probably complains about a missing config, until you make a copy of the example config at the expected path.

Jason Lockwood

04/20/2021, 4:13 PM
--disable_events=false
--enable_windows_events_publisher=true
--enable_windows_events_subscriber=true
--enable_ntfs_event_publisher=true
--verbose
Whoops, never hit send on that. Do you happen to know if anyone is successfully running osquery from within Windows containers in EKS? I know there are some built-in exe restrictions on the containers.

Mike Myers

04/20/2021, 6:48 PM
Sorry, I don't, but you might ask again outside of this thread.

Jason Lockwood

04/20/2021, 10:25 PM
I did, no response. No big. Thank you!