hello
I modified the osquery side. After the conf ...
# generald
demonbhao
08/31/2020, 6:31 AMhello
I modified the osquery side. After the conf file cannot be in the/var/log/osquery/osquery result. See the log log is this why?
a
alessandrogario
08/31/2020, 9:08 AM
Hello @demonbhao!
I'm assuming the issue is that there are no log/results file created; can you try to create the /var/log/osquery folder and then try again?
d
demonbhao
08/31/2020, 9:12 AMNo, I have /var/log/osquery
Osquery.conf will no longer generate logs after modifying the previous ability to generate logs
demonbhao
08/31/2020, 9:42 AMHello, how can I solve this problem?Osquery.conf cannot produce the log of the query even if it is modified according to the official document
t
theopolis
08/31/2020, 11:49 AM
It looks like your configuration contains invalid JSON. Check the systemd output for the osqueryd service and you will see the error.
d
demonbhao
08/31/2020, 12:45 PMSorry, I'm a rookie. How do I check for error output
t
theopolis
08/31/2020, 3:10 PM
You can try
systemctl status osquerydosqueryd --config_check --config_dump/etc/osquery/osquery.confjqd
demonbhao
09/01/2020, 1:43 AMOkay, so I'm going to check my JSON format again
Thank you very much for your help this time
Best wishes
demonbhao
09/01/2020, 2:10 AMhello
I checked the JSON format and changed the errors and looked at the service and found no problem but still couldn't generate the log
Here are the results of my check with the command:
[root@sze0-sec-test-1006 osquery]# osqueryd --config_check --config_dump
I0901 100802.557000 29037 rocksdb.cpp:148] Rocksdb open failed (5:0) IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
W0901 100802.557262 29037 database.cpp:77] Failed to activate database plugin "rocksdb": IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailable
{"/etc/osquery/osquery.conf": {
"option":{
"config_plugin":"filesystem",
"logger_plugin":"filesystem",
"logger_path":"/var/log/osquery",
"log_result_events":"true",
"disable_logging":"false",
"disable_events":"false",
"worker_threads": "2",
"utc":"true"
},
"schedule":{
"system_info":{
"query":"SELECT * FROM system_info;",
"interval": 20
},
"file_events":{
"query":"SELECT * FROM file_events;",
"interval":20
}
},
"file_paths":{
"home":[
"/home/%%"
]
},
"decorators":{
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
"packs": {
"osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf"
}
}
}
t
theopolis
09/01/2020, 2:16 AM
Look at the warning above
Failed to activate database plugin "rocksdb": IO error: While lock file: /var/osquery/osquery.db/LOCK: Resource temporarily unavailableosquerydd
demonbhao
09/01/2020, 2:32 AMYes, you're really good
I looked at the process and found that there really were two Osqueryd living in the system at the same time
Do you have any good ways to help me solve the problem of this process
This is my osquery.Service File:
[Unit]
Description=The osquery Daemon
After=network.service syslog.service
[Service]
TimeoutStartSec=0
ExecStart=/usr/bin/osqueryd \
--enroll_secret_path=/var/osquery/enroll_secret \
--tls_server_certs=/var/osquery/server.pem \
--tls_hostname=10.224.100.2:8080 \
--host_identifier=uuid \
--enroll_tls_endpoint=/api/v1/osquery/enroll \
--config_plugin=tls \
--config_tls_endpoint=/api/v1/osquery/config \
--config_refresh=10 \
--disable_distributed=false \
--distributed_plugin=tls \
--distributed_interval=10 \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
--logger_plugin=tls \
--logger_tls_endpoint=/api/v1/osquery/log \
--logger_tls_period=10
[Install]
WantedBy=multi-user.target
demonbhao
09/03/2020, 10:25 AMHello
This problem that there will be two processes to launch osquery service has been bothering me for a long time. Is there any good solution?
👀 1
24 Views