basically I'm getting an error that osquery can't ...
# generalj
Jason Lockwood
03/16/2021, 6:14 PMbasically I'm getting an error that osquery can't find conf file, but I'm able to list the contents via powershell in the path listed in the error message. Running this in a 2019 core docker containers.
m
Mike Myers
03/16/2021, 8:27 PMMaybe you can run with
--verboseosqueryij
Jason Lockwood
03/16/2021, 11:53 PMOK, will do. and get back. Thanks!
Jason Lockwood
03/17/2021, 4:44 PMSo I found a problem with my flags file, (quoted path to config) once removed I can launch osqueryd manually, but, starting the service still seems to stop with no error, logging just shows it starting then stopping.
m
Mike Myers
03/17/2021, 6:55 PMah, good catch. It still seems like there's a problem. Maybe with the flags or the config. You can try sharing those here for us to spot the problem
j
Jason Lockwood
03/18/2021, 6:01 PMLet me play with those a little (total osquery nube here) so maybe just familiarity will fix the problem. Should it run 'out of box' if I adjust nothing? If so, I'll back out my changes then add one at a time till I break it again.
m
Mike Myers
03/18/2021, 9:26 PMout of the box it probably complains about a missing config, until you make a copy of the example config at the expected path
j
Jason Lockwood
04/20/2021, 4:13 PM Copy code
--disable_events=false
--enable_windows_events_publisher=true
--enable_windows_events_subscriber=true
--enable_ntfs_event_publisher=true
--verboseJason Lockwood
04/20/2021, 4:14 PMwhoops, never hit send on that. Do you happen to know if anyone is successfully running osquery from within windows containers in EKS? I know there's some build in exe restrictions on the containers.
m
Mike Myers
04/20/2021, 6:48 PMsorry I don't, but you might ask again outside of this thread
j
Jason Lockwood
04/20/2021, 10:25 PMI did, no response. No big. Thank you!
3 Views