04/15/2020, 1:31 PM
Hey Folks, i’m getting this message, and all my scheduled queries is not getting any results or not logged. i really appreciate if you could point me to solution of this issue, and if you could share all stuff needed to enable process/file/socket eventing. thanks a lot.
[root@host1 ~]# sudo systemctl status  osqueryd -l
● osqueryd.service - The osquery Daemon
   Loaded: loaded (/etc/systemd/system/osqueryd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-04-15 09:22:16 EDT; 4min 15s ago
  Process: 32355 ExecStartPre=/bin/sh -c if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi (code=exited, status=0/SUCCESS)
  Process: 32353 ExecStartPre=/bin/sh -c if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi (code=exited, status=0/SUCCESS)
 Main PID: 32358 (osqueryd)
    Tasks: 18
   Memory: 5.9M
   CGroup: /system.slice/osqueryd.service
           ├─32358 /usr/bin/osqueryd --flagfile /etc/osquery/osquery.flags --config_path /etc/osquery/osquery.conf --pidfile /var/run/osqueryd.pidfile
           └─32361 /usr/bin/osqueryd

Apr 15 09:22:16 host1 systemd[1]: Starting The osquery Daemon...
Apr 15 09:22:16 host1 systemd[1]: Started The osquery Daemon.
Apr 15 09:22:16 host1 osqueryd[32358]: osqueryd started [version=4.2.0]
Apr 15 09:22:17 host1 osqueryd[32358]: I0415 09:22:17.412950 32361 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
Apr 15 09:22:17 host1 osqueryd[32358]: I0415 09:22:17.413987 32361 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration


04/16/2020, 10:05 AM
i have read it, and the above was the out come, then i removed the flags i have enabled but still have that issue.


04/20/2020, 4:18 PM
@Ahmed I am going to assume you are using Linux and it appears to be Ubuntu. I would follow these two blog posts to ensure AuditD and Osquery are configured correctly https://medium.com/palantir/auditing-with-osquery-part-one-introduction-to-the-linux-audit-framework-217967cec406 https://medium.com/palantir/auditing-with-osquery-part-two-configuration-and-implementation-87a8bba0ef48