Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
demonbhao
09/07/2020, 6:38 AMHello
This problem that there will be two processes to launch osquery service has been bothering me for a long time. Is there any good solution?
I have tried all the information I found on the Internet, but I still can't solve this error
a
alessandrogario
09/07/2020, 8:02 AMosqueryd will always appear twice due to the watchdog (see https://osquery.readthedocs.io/en/stable/installation/cli-flags/)
making a copy of the process to monitor itself
could it be a permission issue on the db folder?; you can try three things
1. sudo rm -rf /var/osquery/osquery.db
2. attempt to fix permissions with sudo chmod/chown -R /var/osquery/osquery.db (I don't know what the correct permissions are right now, but you can make sure write access is provided to the user running osqueryd)
3. attempt to use another path for the database (is /var a standard filesystem?). You can try with --database_path=/root/test_osquery_database
t
theopolis
09/07/2020, 12:45 PMIt looks like everything is running fine on your machine. Look at the systemctl output, it lists both osquery processes as being part of the unit.
a
alessandrogario
09/07/2020, 3:17 PMRight, disregard my comment; the
osqueryd --config_checkuhm not sure if --config_check should have special handling to ignore the database or not; you can maybe try with --disable_database=true if you just want to check whether the config is good
t
theopolis
09/07/2020, 4:49 PMYeah good question, it’s difficult because most folks will get their config from a remote host and will need keys/etc from the DB.
d
demonbhao
09/08/2020, 6:39 AMThis is a very strange problem. I checked from config_check and systemctl status to see that everything was normal, but the logs could not be generated.But after I osqerud --force, osquery is running properly and generates logs for all my tests
This makes me feel like I have no effect on osquery.service