Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
Dongho Kim
01/03/2020, 6:37 AMit returns
W0103 15:36:34.866801 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/slack/20/usr/lib/slack/slack
W0103 15:36:34.895962 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /opt/google/chrome/chrome
W0103 15:36:35.829485 22423 filesystem.cpp:112] Cannot read file that exceeds size limit: /snap/spotify/36/usr/share/spotify/spotifya
alessandrogario
01/03/2020, 1:31 PMI think you have to increase --read_max for it to work
t
thor
01/03/2020, 4:20 PM@alessandrogario yeah see the discussion above, the question was how can you have the setting persist so you don’t need to continually set it for osqueryi invocation
@Dongho Kim check the osquery info table, is it loading your flags file? Maybe try passing the flags file manually in your invocations? Osqueryi —flagpole=/path/to/flagfile? It looks like the value is t getting read
👍 2
a
alessandrogario
01/03/2020, 4:23 PMMy bad, was in a rush and didn’t check all the scrollback!
👍 1
d
Dongho Kim
01/10/2020, 12:37 AM@thor What if i want to use osquery.flag on osqueryd, since I am trying to send query using osquery-python
t
thor
01/10/2020, 12:38 AMEr.. that should be easier. The generic, supported, expecation of invocation is
osqueryd.exe --flagfile=/Path/to/osquery.flagsd
Dongho Kim
01/10/2020, 12:49 AM@thor, I am on linux and i executed
osqueryd flagfile=/etc/osquery/osquery.flagsE0110 09:47:36.233642 20142 init.cpp:459] osqueryd initialize failed: Could not create file: /var/run/osqueryd.pidfileW0110 09:47:44.866137 20153 init.cpp:690] Error reading config: config file does not exist: /etc/osquery/osquery.conf
I0110 09:47:44.866581 20153 events.cpp:863] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I0110 09:47:44.866720 20153 events.cpp:863] Event publisher not enabled: syslog: Publisher disabled via configurationt
thor
01/10/2020, 12:50 AMHave you checked out the readthedocs? https://osquery.readthedocs.io/en/latest/deployment/configuration/#configuration-components
There's quite a bit of helpful information there that might answer some of your questions?
From a first glance, check that you're specifying the
--Also that first line looks like a problem -
W0110 09:47:44.866137 20153 init.cpp:690] Error reading config: config file does not exist: /etc/osquery/osquery.confosquery as the service reads in the flagfile value. In that flagfile, one typically specifies the path to a configuration file, the configuration file should contain the scheduled queries your hoping to run, whereas the flag file contains and osquery specific configuration you want to enable/disable
Does that make sense?
d
Dongho Kim
01/10/2020, 12:52 AMahh, Okok i understand Thank You
t
thor
01/10/2020, 12:53 AMNp!
d
Dongho Kim
01/10/2020, 1:08 AM@thor just quick question, how can i enable Event publisher?
t
thor
01/10/2020, 5:18 PM@Dongho Kim
--disable_events=false