DG

04/01/2020, 4:47 PM
When I compiled osquery from source, I noticed it kept the /tmp/osquery_status in Windows. Can I specify an alternate location in the flag file (I am only using the TLS plugin as far as I know)? It also appears to be logging into the osquery.db folder. When I get this sorted, will the osquery.db folder continue to grow? Currently I'm just debating "--disable_logger=true" to stop the "cannot write" errors flooding Kolide.
Windows (on the Fleet server) says "cannot write /tmp/osquery_status".
My goal is to limit growth on clients, and later, if I do packs, to also run them from Kolide and have it receive the results.

sundsta

04/01/2020, 5:35 PM
The logging location is configurable both on the osquery end and the Fleet end. If you’re using the TLS logger to send the logs to Fleet, the osqueryd on the endpoint will not log to disk (outside of the cache)

DG

04/01/2020, 5:36 PM
It is though... on the Fleet side it's logging an error. Do you mind if I paste my flag file here?

sundsta

04/01/2020, 5:36 PM
Sure

DG

04/01/2020, 5:38 PM
--enroll_secret_path=C:\ProgramData\osquery\osquery.key
--tls_server_certs=C:\ProgramData\osquery\REMOVED_Reversed.cer
--tls_hostname=REMOVED:8080
--host_identifier=uuid
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_tls_refresh=10
--disable_distributed=false
--config_tls_max_attempts=3
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
--log_result_events=false
--pack_delimiter=/
--utc
I get ~7 GB a day from EVERY client (200) of "cannot write /tmp/osquery_status" (from my Windows hosts).
I also get "cannot lock osquery.db", but it still writes to it.
The clients, I believe, are acting since I left items in the packs folder.
When in doubt, assume I'm wrong. If you haven't heard me yet: I am very new to this software.

sundsta

04/01/2020, 5:43 PM
Looks fine, except log_result_events isn't a valid flag.
Turn on verbose logging and then you will see more details (and probably why this is happening) in the daemon's output.

DG

04/01/2020, 5:45 PM
Oh, it's in the read doc under debugging.
It reduced the flow of incoming to Kolide I was getting, so packs run but I don't get results.
I just get that they ran and the query they ran.
Actually, maybe it was a bad Google on a previous release. Removing, thank you.
Verbose is the original issue; when I originally deployed the flag file it had verbose.
Now that I removed verbose, I am still getting "cannot write /tmp/osquery_status" for each Windows client.
At idle it's burning 550 MB/hour.
Every event triggers a status; cannot write status; TLS logs cannot write to Kolide.
Do you know the switch to override the status file location?

sundsta

04/01/2020, 7:13 PM
If it's writing the status to file, something is wrong. With the TLS logger enabled, it shouldn't write that to file. Enable verbose logging and look at the logs when the daemon starts; it will describe it attempting to connect to the TLS logging endpoint and describe why it can't.

DG

04/01/2020, 7:14 PM
True, but I haven't found one for result. Maybe I missed it, but I'll review again.
Thank you again

sundsta

04/01/2020, 7:52 PM
The flag is logger_path, which is documented on the page.

DG

04/01/2020, 11:09 PM
I tried that with C:\Program Files\osquery\log in the past and it didn't work. However, let me try again. Thank you again.
You know, I think you're right on that, and the error was that I didn't encapsulate the string in quotes since there is a space in "Program Files".
Thank you very much for helping solve that problem :) My last question, if you're up for it, is basically how does osquery.db work on the clients, as in do I have to worry about it growing indefinitely or have to do any maintenance? My local test machine is up to about ~60 MB for the month.
I think I understand now that it's a cache for diffing against, and that you can set max results to save and expiration.