Sorry for the false hope, should've double checked...
# generals
Stefano Bonicatti
01/08/2021, 8:13 PMSorry for the false hope, should've double checked first
🙏 1
d
Dan Achin
01/08/2021, 8:14 PMsounds like you aren't able to log them either then. 😞
s
Stefano Bonicatti
01/08/2021, 8:24 PMNo; I recall having introduced fixes/changes that would make the WEL logger plugin work again and some discussion about that systemLog function which confused me.
Anyway I'm not sure if there's a specific reason why only the logger plugin is privy to the EventLog write access, if not maybe that writing to the EventLog is a bit more complicated than just calling syslog.
I think this is something we should try to explore ^^'
d
Dan Achin
01/08/2021, 9:20 PM@Stefano Bonicatti, thanks. According to @theopolis, there needs to be an IPC in between the watchdog and osquery so that the watchdog can access logger plugins - https://github.com/osquery/osquery/issues/6790
That said, it seems odd to me that the systemLog() call the watchdog does only seems to work on unix based systems. Does that call just fail on windows?
Copy code
std::stringstream error;
error << "osqueryd worker (" << child.pid()
<< ") stopping: " << status.getMessage();
systemLog(error.str());
LOG(WARNING) << error.str();
stopChild(child);s
Stefano Bonicatti
01/08/2021, 9:23 PMWindows doesn't have syslog. There are third party libraries, like syslog-ng that would implement that
🙏 1
d
Dan Achin
01/08/2021, 9:30 PMI see. I just figured Windows might interpret that c code as log to event logs or something. I dont have a ton of windows exp. 😞