Hi All below is my Flag file for some reason I do not receiv osquery #general

Hi All below is my Flag file, for some reason I do...

Avi Apelbaum

03/19/2020, 10:22 AM

Hi All below is my Flag file, for some reason I do not receive any event to my tls server. For some reason I am getting

Copy code

Event publisher not enabled: syslog: Publisher disabled via configuration"

Any idea someone ? Flag File:

Copy code

--watchdog_level=0
--watchdog_memory_limit=300
--host_identifier=uuid
--tls_hostname=kolide-server:443
--tls_server_certs=/etc/osquery/ca.crt
--config_plugin=tls
--distributed_plugin=tls
--logger_plugin=tls
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_tls_endpoint=/api/v1/osquery/config
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_tls_endpoint=/api/v1/logger
--config_refresh=300
--config_tls_max_attempts=20
--enroll_always=true
--disable_distributed=false
--distributed_interval=0
--enroll_secret_path=/etc/osquery/enroll
--database_path=/var/osquery/osquery.db
--pidfile=/var/run/osqueryd.pid
--logger_path=/var/log/osquery
--audit_allow_config=true
--audit_allow_fim_events=true
--audit_allow_process_events=true
--audit_allow_sockets=true
--audit_allow_user_events=true
--audit_force_reconfigure=true
--audit_persist=false
--disable_audit=false
--enable_dns_lookups=true
--logger_tls_event_types="user_events|process_events|process_file_events|socket_events|dns_lookup_events|file_events|http_events"
--events_max=1000
--disable_events_staging=false
--windows_event_channels=Security,System,Application,Setup
--win_enable_dns_lookups=true
--win_allow_sockets=true
--win_allow_process_events=true
--win_allow_logon_events=true
--win_allow_fim_events=true
--win_allow_drive_events=true
--win_allow_reg_events=true
--enable_windows_kernel_events=true
--allow_inotify_file_events=false
--audit_records_rate=10000
--logger_tls_compress=true
--enable_wmi=true
--enable_http_lookups=true
--process_ancestor_list=true
--audit_force_unconfigure=true
--audit_source_dispatcher=true
--watchdog_utilization_limit=21
--generate_process_hash_in_process_event=true

Stefano Bonicatti

03/19/2020, 12:10 PM

I’m not sure where that

--disable_events_staging=false

comes from, but you are missing

--disable_events=false

8 Views

Open in Slack

Previous Next