#general

demonbhao

02/25/2021, 8:35 AM
Hello, there is no count change in the log results generated after the osquery difference query. Does it mean that the log results are not stored in RocksDB? Why does this happen?
Mike Myers

02/26/2021, 5:50 PM
Hi demonbhao. It could mean that the event source you selected is not active/enabled, or that it failed to initialize for some reason. I think we really need more info. Maybe you can run `osqueryi --verbose` and provide the `--disable_events=false --config_path=/path/to/your/osqueryd/osquery.conf --flagfile=/path/to/your/osqueryd/osquery.flags`
5:51 PM
Also the answer might be something in your conf or flags, if you can share those
demonbhao

03/03/2021, 8:40 AM
Hi, I didn't set the contents of the conf file on each osquery machine, but the contents of the flags file are shown below
8:43 AM
My conf files are all {}. All the policies I send to osquery are based on Fleet Pack, and the options in Fleet UI set the contents of the osquery conf file. Fleet UI options:

spec:
  config:
    options:
      utc: true
      audit_persist: true
      database_path: /var/osquery/osquery.db
      disable_audit: false
      logger_plugin: tls
      logger_stderr: false
      config_refresh: 300
      disable_events: false
      pack_delimiter: /
      schedule_epoch: 1
      logger_event_type: false
      logger_min_status: 2
      logger_min_stderr: 2
      logger_tls_period: 3
      audit_allow_config: true
      distributed_plugin: tls
      audit_allow_sockets: true
      disable_distributed: false
      logger_tls_endpoint: /api/v1/osquery/log
      distributed_interval: 30
      logger_tls_max_linesize: 10485760
      audit_allow_process_events: true
      distributed_tls_max_attempts: 3
    decorators:
      load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT hostname AS hostname FROM system_info;
    file_paths:
      etc:
        - /etc/passwd
        - /etc/shadow
        - /etc/rc.local
        - /etc/cron.d/%%
      usr:
        - /usr/bin/top
        - /usr/bin/ps
        - /usr/bin/ls
        - /usr/bin/netstat
      var:
        - /var/spool/cron/%%
        - /var/www/%%
    overrides: {}
8:55 AM
osqueryi --verbose