https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
d

Dongho Kim

01/03/2020, 6:37 AM
it returns
Copy code
W0103 15:36:34.866801 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/slack/20/usr/lib/slack/slack
W0103 15:36:34.895962 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /opt/google/chrome/chrome
W0103 15:36:35.829485 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/spotify/36/usr/share/spotify/spotify
a

alessandrogario

01/03/2020, 1:31 PM
I think you have to increase --read_max for it to work
t

thor

01/03/2020, 4:20 PM
@alessandrogario yeah see the discussion above, the question was how can you have the setting persist so you don’t need to continually set it for osqueryi invocation
@Dongho Kim check the osquery info table, is it loading your flags file? Maybe try passing the flags file manually in your invocations? Osqueryi —flagpole=/path/to/flagfile? It looks like the value is t getting read
👍 2
a

alessandrogario

01/03/2020, 4:23 PM
My bad, was in a rush and didn’t check all the scrollback!
👍 1
d

Dongho Kim

01/10/2020, 12:37 AM
@thor What if i want to use osquery.flag on osqueryd, since I am trying to send query using osquery-python
t

thor

01/10/2020, 12:38 AM
Er.. that should be easier. The generic, supported, expecation of invocation is 
osqueryd.exe --flagfile=/Path/to/osquery.flags
, and one tends to put most of their configuration flags inside that file.
d

Dongho Kim

01/10/2020, 12:49 AM
@thor, I am on linux and i executed
Copy code
osqueryd flagfile=/etc/osquery/osquery.flags
however it produces following error
Copy code
E0110 09:47:36.233642 20142 init.cpp:459] osqueryd initialize failed: Could not create file: /var/run/osqueryd.pidfile
so I ran with sudo but still gave following return
Copy code
W0110 09:47:44.866137 20153 init.cpp:690] Error reading config: config file does not exist: /etc/osquery/osquery.conf
I0110 09:47:44.866581 20153 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0110 09:47:44.866720 20153 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration
t

thor

01/10/2020, 12:50 AM
There's quite a bit of helpful information there that might answer some of your questions?
From a first glance, check that you're specifying the 
--
in the flagfile, as osquery might be failing to find your path
Also that first line looks like a problem - 
W0110 09:47:44.866137 20153 init.cpp:690] Error reading config: config file does not exist: /etc/osquery/osquery.conf
osquery as the service reads in the flagfile value. In that flagfile, one typically specifies the path to a configuration file, the configuration file should contain the scheduled queries your hoping to run, whereas the flag file contains and osquery specific configuration you want to enable/disable
Does that make sense?
d

Dongho Kim

01/10/2020, 12:52 AM
ahh, Okok i understand Thank You
t

thor

01/10/2020, 12:53 AM
Np!
d

Dongho Kim

01/10/2020, 1:08 AM
@thor just quick question, how can i enable Event publisher?
t

thor

01/10/2020, 5:18 PM
@Dongho Kim 
--disable_events=false
. That should also be pretty exhaustively documented on the readthedocs if you need additional support
2 Views
Powered by