Hello everyone I install osquery and fleet but not working f osquery #general

Hello! everyone. I install osquery and fleet but n...

amir

08/13/2020, 6:39 AM

Hello! everyone. I install osquery and fleet but not working for windows.

Event publisher not enablet: ntfs_event_publisher: NTFS event publisher disabled via conf.

how to reslove this problem. Thanks. Sorry for my bad engilsh 🙂

seph

08/13/2020, 1:46 PM

Generally we try to keep the kolide specific questions #kolide though I'm not sure this is kolide specific. As the error says, you need to enable the ntfs publisher. Specifically, you'll need to find the osquery option and configure fleet to pass it along to osquery

Mike Myers

08/13/2020, 4:58 PM

Check this blog post too https://blog.kolide.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide-d5ac09db046b

amir

08/14/2020, 6:20 AM

Copy code

first of all thank you for the answer. I use open source in the package. I solved the ntfs problem I got in 4.4.0. For help: adding "enable_ntfs_event_publisher": true to the osquery.conf file, the problem was resolved. But 4.4.0 didn't work for me. It didn't make any mistakes either. version 3.3.2 currently working. The problem with it is that mac addresses and ip addresses are not visible. There are nearly 100 machines in my company. I want to install for these but was not successful. louncher I tried it and couldn't run it in the background. I need your help thank you.

amir

08/14/2020, 2:09 PM

osquery cannot activate filesystem logger plugin: osqueryd.results.log error

amir

08/14/2020, 2:34 PM

PS C:\Program Files\osquery\osqueryd> .\osqueryd.exe flagfile=C:\Program Files\osquery\osquery.flags --verbose

I0814 172854.224361 772 init.cpp:343] osquery initialized [version=4.4.0] I0814 172854.256258 772 system.cpp:335] Found stale process for osqueryd (6860) I0814 172854.256258 772 system.cpp:367] Writing osqueryd pid (4132) to \Program Files\osquery\osqueryd.pidfile I0814 172854.256258 772 extensions.cpp:383] Could not autoload extensions: Failed reading: \Program Files\osquery\extensions.load I0814 172854.256258 772 dispatcher.cpp:77] Adding new service: WatcherRunner (0000014E661660E0) to thread: 1824 (0000014E66183A20) in process 4132 I0814 172854.286541 1824 watcher.cpp:585] osqueryd watcher (4132) executing worker (5308) I0814 172854.333488 4232 init.cpp:340] osquery worker initialized [watcher=4132] I0814 172854.333488 4232 dispatcher.cpp:77] Adding new service: WatcherWatcherRunner (0000021022CBD950) to thread: 356 (0000021022CA7100) in process 5308 I0814 172854.333488 4232 rocksdb.cpp:131] Opening RocksDB handle: \Program Files\osquery\osquery.db I0814 172854.708498 4232 dispatcher.cpp:77] Adding new service: ExtensionWatcher (0000021022CF15B0) to thread: 4060 (0000021022CA6900) in process 5308 I0814 172854.708498 5176 interface.cpp:268] Extension manager service starting: \\.\pipe\osquery.em I0814 172854.708498 4232 dispatcher.cpp:77] Adding new service: ExtensionRunnerCore (0000021022CEE420) to thread: 5176 (0000021022CA7640) in process 5308 I0814 172854.708498 4232 auto_constructed_tables.cpp:96] Removing stale ATC entries E0814 172856.865679 4232 init.cpp:714] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log I0814 172856.865679 4232 events.cpp:1125] Error registering subscriber: powershell_events: Required publisher is disabled by configuration I0814 172856.865679 4232 events.cpp:1125] Error registering subscriber: windows_events: Required publisher is disabled by configuration I0814 172856.880285 5620 events.cpp:785] Starting event publisher run loop: WindowsEventLogPublisher I0814 172856.880285 5620 events.cpp:805] Event publisher WindowsEventLogPublisher run loop terminated for reason: Publisher disabled by configuration I0814 172856.880285 3164 events.cpp:785] Starting event publisher run loop: ntfs_event_publisher I0814 172856.880285 4232 main.cpp:103] Not starting the distributed query service: Distributed query service not enabled. I0814 172857.005903 4232 dispatcher.cpp:77] Adding new service: SchedulerRunner (00000210232C8470) to thread: 5864 (00000210232ACB70) in process 5308 I0814 172857.037120 4232 dispatcher.cpp:148] Thread: 4232 requesting a stop I0814 172857.083953 4232 dispatcher.cpp:155] Service: 0000021022CBD950 has been interrupted I0814 172857.099359 4232 dispatcher.cpp:155] Service: 0000021022CF15B0 has been interrupted Thrift: Fri Aug 14 172857 2020 TPipeServer ConnectNamedPipe GLE=errno = 995 I0814 172857.130811 4232 dispatcher.cpp:155] Service: 0000021022CEE420 has been interrupted I0814 172857.161834 4232 dispatcher.cpp:155] Service: 00000210232C8470 has been interrupted I0814 172857.161834 4232 dispatcher.cpp:121] Thread: 4232 requesting a join I0814 172857.177162 4232 dispatcher.cpp:139] Service thread: 00000210232ACB70 has joined I0814 172857.193634 4232 dispatcher.cpp:139] Service thread: 0000021022CA7640 has joined I0814 172857.193634 4232 dispatcher.cpp:139] Service thread: 0000021022CA6900 has joined I0814 172857.224517 4232 dispatcher.cpp:139] Service thread: 0000021022CA7100 has joined I0814 172857.286898 4232 dispatcher.cpp:143] Services and threads have been cleared E0814 172900.318363 1824 init.cpp:714] Worker returned exit status I0814 172900.318363 772 dispatcher.cpp:148] Thread: 772 requesting a stop I0814 172900.318363 772 dispatcher.cpp:121] Thread: 772 requesting a join I0814 172900.318363 772 dispatcher.cpp:139] Service thread: 0000014E66183A20 has joined

194 Views

Open in Slack

Previous Next