I have a question regarding setting up logging to tls and the filesystem. I've been looking into the documentation on how to provide multiple logging plugins via the flag system. Which I've been using the flag system for the full setup process, due to needing to have this setup between Linux, Mac, and Windows machines. This process is currently being tested on a Windows 10 machine. The tls is reporting back to our fleet server, which is working perfectly. However, when I added the filesystem appending, it will report to tls fine, but it never builds the logs on the local machine. And if I utilize the supplied config it will build to the filesystem properly as well, but this method removes tls. I have a felling I might be missing something, I included a screen snippet below to show our flags file on the Windows machine. Any advice would be highly appreciated! Here is also where I've been grabbing my information from the documentation: https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags Thank you for any assistance you can offer.

If I need logs on

filesystem

I usually specify

--logger_path

flag with the location where to put those logs (on your screenshot that flag is missing btw). I have noticed though that on Windows I never find the logs where specified, but I find them on

C:\Windows\Temp

(or some sub-directory) , or in

C:\Users\username\AppData\Local\Temp\

depending on how I run osquery (debug/release mode). Never had the chance to investigate better though (maybe I am missing something)

Thank you for the information. I went ahead and did a quick check to both of those directories and didn't find anything. So I went and throw a logger_path in for appdata for the user folder to see if I would receive filesystem logs that way. However, I still haven't received any local logs. I also here is a new attachment showing the adjusted flag file.

You need to make sure that the config sent by Fleet includes both logger plugins. Right now you have

--config_tls_endpoint

set and that means some values in your flagfile could be overridden by the config returned by Fleet.

Makes sense, however where exactly do I find the OsQuery Configuration that's being sent over to the clients from Fleet? I checked the path that is set in my configuration, which I got from a tutorial, and that path doesn't exist on my linux fleet machine. I noted that in some screenshots from others they have a configuration tab on the left hand side when logged into there fleet. However I do not have a configuration tab which draws more confusion. Thank you for your assistance.

You'll need to use the

fleetctl

CLI to get and modify configuration: https://github.com/kolide/fleet/tree/master/docs/cli