it returns ```W0103 15 36 34 866801 22423 filesystem cpp 112 osquery #general

it returns ```W0103 15:36:34.866801 22423 filesyst...

Dongho Kim

01/03/2020, 6:37 AM

it returns

Copy code

W0103 15:36:34.866801 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/slack/20/usr/lib/slack/slack
W0103 15:36:34.895962 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /opt/google/chrome/chrome
W0103 15:36:35.829485 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/spotify/36/usr/share/spotify/spotify

alessandrogario

01/03/2020, 1:31 PM

I think you have to increase --read_max for it to work

thor

01/03/2020, 4:20 PM

@alessandrogario yeah see the discussion above, the question was how can you have the setting persist so you don’t need to continually set it for osqueryi invocation

thor

01/03/2020, 4:21 PM

@Dongho Kim check the osquery info table, is it loading your flags file? Maybe try passing the flags file manually in your invocations? Osqueryi —flagpole=/path/to/flagfile? It looks like the value is t getting read

👍 2

alessandrogario

01/03/2020, 4:23 PM

My bad, was in a rush and didn’t check all the scrollback!

👍 1

Dongho Kim

01/10/2020, 12:37 AM

@thor What if i want to use osquery.flag on osqueryd, since I am trying to send query using osquery-python

thor

01/10/2020, 12:38 AM

Er.. that should be easier. The generic, supported, expecation of invocation is

osqueryd.exe --flagfile=/Path/to/osquery.flags

, and one tends to put most of their configuration flags inside that file.

Dongho Kim

01/10/2020, 12:49 AM

@thor, I am on linux and i executed

Copy code

osqueryd flagfile=/etc/osquery/osquery.flags

however it produces following error

Copy code

E0110 09:47:36.233642 20142 init.cpp:459] osqueryd initialize failed: Could not create file: /var/run/osqueryd.pidfile

so I ran with sudo but still gave following return

Dongho Kim

01/10/2020, 12:49 AM

Copy code

W0110 09:47:44.866137 20153 init.cpp:690] Error reading config: config file does not exist: /etc/osquery/osquery.conf
I0110 09:47:44.866581 20153 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0110 09:47:44.866720 20153 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configuration

thor

01/10/2020, 12:50 AM

Have you checked out the readthedocs? https://osquery.readthedocs.io/en/latest/deployment/configuration/#configuration-components

thor

01/10/2020, 12:50 AM

There's quite a bit of helpful information there that might answer some of your questions?

thor

01/10/2020, 12:50 AM

From a first glance, check that you're specifying the

--

in the flagfile, as osquery might be failing to find your path

thor

01/10/2020, 12:51 AM

Also that first line looks like a problem -

W0110 09:47:44.866137 20153 init.cpp:690] Error reading config: config file does not exist: /etc/osquery/osquery.conf

thor

01/10/2020, 12:51 AM

osquery as the service reads in the flagfile value. In that flagfile, one typically specifies the path to a configuration file, the configuration file should contain the scheduled queries your hoping to run, whereas the flag file contains and osquery specific configuration you want to enable/disable

thor

01/10/2020, 12:52 AM

Does that make sense?

Dongho Kim

01/10/2020, 12:52 AM

ahh, Okok i understand Thank You

thor

01/10/2020, 12:53 AM

Np!

Dongho Kim

01/10/2020, 1:08 AM

@thor just quick question, how can i enable Event publisher?

thor

01/10/2020, 5:18 PM

@Dongho Kim

--disable_events=false

. That should also be pretty exhaustively documented on the readthedocs if you need additional support

2 Views

Open in Slack

Previous Next