# general
d
Hello. This problem that there will be two processes to launch osquery service has been bothering me for a long time. Is there any good solution? I have tried all the information I found on the Internet, but I still can't solve this error.
a
osqueryd will always appear twice due to the watchdog (see https://osquery.readthedocs.io/en/stable/installation/cli-flags/)
making a copy of the process to monitor itself
could it be a permission issue on the db folder? you can try three things:
1. sudo rm -rf /var/osquery/osquery.db
2. attempt to fix permissions with sudo chmod/chown -R /var/osquery/osquery.db (I don't know what the correct permissions are right now, but you can make sure write access is provided to the user running osqueryd)
3. attempt to use another path for the database (is /var a standard filesystem?). You can try with --database_path=/root/test_osquery_database
t
It looks like everything is running fine on your machine. Look at the systemctl output, it lists both osquery processes as being part of the unit.
a
Right, disregard my comment; the osqueryd --config_check is the additional process trying to access a database that is already in use by the running instance. Everything looks fine then
uhm not sure if --config_check should have special handling to ignore the database or not; you can maybe try with --disable_database=true if you just want to check whether the config is good
t
Yeah good question, it’s difficult because most folks will get their config from a remote host and will need keys/etc from the DB.
d
This is a very strange problem. I checked from config_check and systemctl status to see that everything was normal, but the logs could not be generated. But after I ran osqueryd --force, osquery is running properly and generates logs for all my tests. This makes me feel like I have no effect on osquery.service