Hi wave I m been trying to setup osquery v4 0 2 via kolide f osquery #general

Hi :wave: I’m been trying to setup osquery (v4.0....

João Godinho

12/13/2019, 12:07 AM

Hi 👋 I’m been trying to setup osquery (v4.0.2) via kolide fleet, and it seems that although the configuration is updated (when I query I can see they were changed, and I also have a differential on

osquery_flags

which is triggered), osquery itself does not refresh them during runtime, I have to manually restart the daemon. The flag in question is the

logger_plugin

one, I’m not sure if this is intended, or if I’m missing something here. I tried searching around and found this thread, which is somewhat related, but

logger_plugin

is already defined as

FLAG

and not

CLI_FLAG

https://osquery.slack.com/archives/C08V7KTJB/p1572289712208900?thread_ts=1572289712.208900

seph

12/13/2019, 1:46 AM

That you'd need to restart osquery to see flag file changes seems unsurprising.

seph

12/13/2019, 1:49 AM

There's a pr open to change some of the flag handling behavior. I think there's an inconsistency between behavior and docs.

theopolis

12/13/2019, 2:22 AM

@João Godinho, to clarify, in your testing you see

logger_plugin

is set to the new value (when you look at

osquery_flags

) but osquery is not logging to the new plugin?

João Godinho

12/13/2019, 9:49 AM

Hi (sorry, timezones), basically I have a default flags file with

logger_plugin=tls

, when the host registers with fleet, I send different configurations for the logger (

kafka_producer

), which does not takes effect until the daemon is restarted, and when yeah, the

osquery_flags

shows the new value.

João Godinho

12/13/2019, 12:41 PM

a little more info, changing

logger_kafka_brokers

and

topic

doesn’t seem to work either, but changing

verbose

, for example, works

3 Views

Open in Slack

Previous Next