#general

amir

08/13/2020, 6:39 AM
Hello everyone. I installed osquery and Fleet, but it's not working for Windows.
Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via conf.
How do I resolve this problem? Thanks. Sorry for my bad English 🙂

seph

08/13/2020, 1:46 PM
Generally we try to keep the Kolide-specific questions in #kolide, though I'm not sure this is Kolide-specific. As the error says, you need to enable the NTFS publisher. Specifically, you'll need to find the osquery option and configure Fleet to pass it along to osquery.

amir

08/14/2020, 6:20 AM
First of all, thank you for the answer. I use the open source package. I solved the ntfs problem I got in 4.4.0. For reference: adding "enable_ntfs_event_publisher": true to the osquery.conf file resolved the problem. But 4.4.0 didn't work for me. It didn't give any errors either. Version 3.3.2 is currently working. The problem with it is that MAC addresses and IP addresses are not visible. There are nearly 100 machines in my company. I want to install it on these but was not successful. I tried launcher and couldn't run it in the background. I need your help, thank you.
2:09 PM
osquery cannot activate filesystem logger plugin: osqueryd.results.log error
2:34 PM
PS C:\Program Files\osquery\osqueryd> .\osqueryd.exe flagfile=C:\Program Files\osquery\osquery.flags --verbose
I0814 17:28:54.224361 772 init.cpp:343] osquery initialized [version=4.4.0]
I0814 17:28:54.256258 772 system.cpp:335] Found stale process for osqueryd (6860)
I0814 17:28:54.256258 772 system.cpp:367] Writing osqueryd pid (4132) to \Program Files\osquery\osqueryd.pidfile
I0814 17:28:54.256258 772 extensions.cpp:383] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load
I0814 17:28:54.256258 772 dispatcher.cpp:77] Adding new service: WatcherRunner (0000014E661660E0) to thread: 1824 (0000014E66183A20) in process 4132
I0814 17:28:54.286541 1824 watcher.cpp:585] osqueryd watcher (4132) executing worker (5308)
I0814 17:28:54.333488 4232 init.cpp:340] osquery worker initialized [watcher=4132]
I0814 17:28:54.333488 4232 dispatcher.cpp:77] Adding new service: WatcherWatcherRunner (0000021022CBD950) to thread: 356 (0000021022CA7100) in process 5308
I0814 17:28:54.333488 4232 rocksdb.cpp:131] Opening RocksDB handle: \Program Files\osquery\osquery.db
I0814 17:28:54.708498 4232 dispatcher.cpp:77] Adding new service: ExtensionWatcher (0000021022CF15B0) to thread: 4060 (0000021022CA6900) in process 5308
I0814 17:28:54.708498 5176 interface.cpp:268] Extension manager service starting: \.\pipe\osquery.em
I0814 17:28:54.708498 4232 dispatcher.cpp:77] Adding new service: ExtensionRunnerCore (0000021022CEE420) to thread: 5176 (0000021022CA7640) in process 5308
I0814 17:28:54.708498 4232 auto_constructed_tables.cpp:96] Removing stale ATC entries
E0814 17:28:56.865679 4232 init.cpp:714] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log
I0814 17:28:56.865679 4232 events.cpp:1125] Error registering subscriber: powershell_events: Required publisher is disabled by configuration
I0814 17:28:56.865679 4232 events.cpp:1125] Error registering subscriber: windows_events: Required publisher is disabled by configuration
I0814 17:28:56.880285 5620 events.cpp:785] Starting event publisher run loop: WindowsEventLogPublisher
I0814 17:28:56.880285 5620 events.cpp:805] Event publisher WindowsEventLogPublisher run loop terminated for reason: Publisher disabled by configuration
I0814 17:28:56.880285 3164 events.cpp:785] Starting event publisher run loop: ntfs_event_publisher
I0814 17:28:56.880285 4232 main.cpp:103] Not starting the distributed query service: Distributed query service not enabled.
I0814 17:28:57.005903 4232 dispatcher.cpp:77] Adding new service: SchedulerRunner (00000210232C8470) to thread: 5864 (00000210232ACB70) in process 5308
I0814 17:28:57.037120 4232 dispatcher.cpp:148] Thread: 4232 requesting a stop
I0814 17:28:57.083953 4232 dispatcher.cpp:155] Service: 0000021022CBD950 has been interrupted
I0814 17:28:57.099359 4232 dispatcher.cpp:155] Service: 0000021022CF15B0 has been interrupted
Thrift: Fri Aug 14 17:28:57 2020 TPipeServer ConnectNamedPipe GLE=errno = 995
I0814 17:28:57.130811 4232 dispatcher.cpp:155] Service: 0000021022CEE420 has been interrupted
I0814 17:28:57.161834 4232 dispatcher.cpp:155] Service: 00000210232C8470 has been interrupted
I0814 17:28:57.161834 4232 dispatcher.cpp:121] Thread: 4232 requesting a join
I0814 17:28:57.177162 4232 dispatcher.cpp:139] Service thread: 00000210232ACB70 has joined
I0814 17:28:57.193634 4232 dispatcher.cpp:139] Service thread: 0000021022CA7640 has joined
I0814 17:28:57.193634 4232 dispatcher.cpp:139] Service thread: 0000021022CA6900 has joined
I0814 17:28:57.224517 4232 dispatcher.cpp:139] Service thread: 0000021022CA7100 has joined
I0814 17:28:57.286898 4232 dispatcher.cpp:143] Services and threads have been cleared
E0814 17:29:00.318363 1824 init.cpp:714] Worker returned exit status
I0814 17:29:00.318363 772 dispatcher.cpp:148] Thread: 772 requesting a stop
I0814 17:29:00.318363 772 dispatcher.cpp:121] Thread: 772 requesting a join
I0814 17:29:00.318363 772 dispatcher.cpp:139] Service thread: 0000014E66183A20 has joined