I am running into an issue with Syslog. Ubuntu - ...
# generals
sttor
02/17/2020, 11:17 AMI am running into an issue with Syslog. Ubuntu - 18.04, osquery - 4.0.2, Syslog-ng- 3.13.2. I got the message "Successfully opened pipe for Syslog ingestion: /var/osquery/syslog_pipe". Even cat works on syslog_pipe, but no result on query select * from syslog_events. Any help here. @zwass
s
seph
02/17/2020, 3:24 PM
Did you configure syslog to write into that pipe?
s
sttor
02/17/2020, 5:07 PM@seph Yes as per the documentation.
s
seph
02/17/2020, 9:06 PM
Hrm. Are the various osquery settings for syslog events set? (I'm mobile and can't look them up just now)
s
sttor
02/18/2020, 4:13 AMI was only using --enable_syslog, --disable_events, --syslog_pipe_path flags
s
seph
02/18/2020, 2:46 PM
Should that be
--disable_events=falses
sttor
02/19/2020, 2:12 AMyes it was --disable_events=false, I have tried all possible combinations, I read all the discussions on slack. Nothing helped me. The Syslog table always remains empty. Tried with both rsyslog and syslog-ng. both with osqueryi and osqueryd, nothing worked.
s
seph
02/19/2020, 2:13 AM
The
osquery_s
sttor
02/19/2020, 2:16 AMI queried osquery_events table and refreshes count kept on increasing
sttor
02/19/2020, 2:19 AMimage.png
s
seph
02/19/2020, 2:20 AM
I’m not really sure how to read that. But I do see the events count staying at zero there
s
sttor
02/19/2020, 2:24 AMI am receiving syslog in
cat /var/osquery/syslog_pipesttor
02/19/2020, 2:24 AMAlso
z
zwass
02/19/2020, 2:24 AM
If you are receiving it in
cats
sttor
02/19/2020, 2:25 AM@zwass Yes, I just cat it. Never simultaneously run osquery and cat on syslog_pipe
z
zwass
02/19/2020, 2:25 AM
I see
zwass
02/19/2020, 2:25 AM
Can you paste a line from when you cat it?
s
sttor
02/19/2020, 2:26 AMimage.png
z
zwass
02/19/2020, 2:28 AM
Possibly this issue? https://github.com/osquery/osquery/issues/4810 I haven't worked with syslog for a while.
s
sttor
02/19/2020, 2:29 AMProbably yes,
syslog hang issue3 Views