hello I modified the osquery side After the conf file cannot

Question

hello I modified the osquery side After the conf file cannot be in the var log osquery osquery result See the log log is this why

alessandrogario · Answer

Hello < demonbhao> I m assuming the issue is that there are no log results file created can you try to create the var log osquery folder and then try again

demonbhao · Answer

No I have var log osquery Osquery conf will no longer generate logs after modifying the previous ability to generate logs

demonbhao · Answer

Hello how can I solve this problem Osquery conf cannot produce the log of the query even if it is modified according to the official document

theopolis · Answer

It looks like your configuration contains invalid JSON Check the systemd output for the osqueryd service and you will see the error

demonbhao · Answer

Sorry I m a rookie How do I check for error output

theopolis · Answer

You can try `systemctl status osqueryd` or `osqueryd config check config dump` but that ` etc osquery osquery conf` must be valid JSON are you familiar with JSON formatting Do you have experience with tools like `jq` to help you check the format

demonbhao · Answer

Okay so I m going to check my JSON format again Thank you very much for your help this time Best wishes

demonbhao · Answer

hello I checked the JSON format and changed the errors and looked at the service and found no problem but still couldn t generate the log Here are the results of my check with the command root sze0 sec test 1006 osquery osqueryd config check config dump I0901 10 08 02 557000 29037 rocksdb cpp 148 Rocksdb open failed 5 0 IO error While lock file var osquery osquery db LOCK Resource temporarily unavailable W0901 10 08 02 557262 29037 database cpp 77 Failed to activate database plugin rocksdb IO error While lock file var osquery osquery db LOCK Resource temporarily unavailable etc osquery osquery conf option config plugin filesystem logger plugin filesystem logger path var log osquery log result events true disable logging false disable events false worker threads 2 utc true schedule system info query SELECT FROM system info interval 20 file events query SELECT FROM file events interval 20 file paths home home decorators load SELECT uuid AS host uuid FROM system info SELECT user AS username FROM logged in users ORDER BY time DESC LIMIT 1 packs osquery monitoring usr share osquery packs osquery monitoring conf

theopolis · Answer

Look at the warning above `Failed to activate database plugin rocksdb IO error While lock file var osquery osquery db LOCK Resource temporarily unavailable` this is indicating another problem Do you have another `osqueryd` running on this system

demonbhao · Answer

Yes you re really good I looked at the process and found that there really were two Osqueryd living in the system at the same time Do you have any good ways to help me solve the problem of this process This is my osquery Service File Unit Description=The osquery Daemon After=network service syslog service Service TimeoutStartSec=0 ExecStart= usr bin osqueryd enroll secret path= var osquery enroll secret tls server certs= var osquery server pem tls hostname=10 224 100 2 8080 host identifier=uuid enroll tls endpoint= api v1 osquery enroll config plugin=tls config tls endpoint= api v1 osquery config config refresh=10 disable distributed=false distributed plugin=tls distributed interval=10 distributed tls max attempts=3 distributed tls read endpoint= api v1 osquery distributed read distributed tls write endpoint= api v1 osquery distributed write logger plugin=tls logger tls endpoint= api v1 osquery log logger tls period=10 Install WantedBy=multi user target

demonbhao · Answer

Hello This problem that there will be two processes to launch osquery service has been bothering me for a long time Is there any good solution