Is this the correct place to ask for help with osq...
# generalm
Michael Green
11/26/2019, 5:16 PMIs this the correct place to ask for help with osquery? I'm in a weird spot where osqueryd isn't recording events but they're visible in osqueryi using the same conf and flags.
t
theopolis
11/26/2019, 5:41 PM
Yeap! It's a good place, do you mind recapping the debugging you've done so far?
m
Michael Green
11/27/2019, 5:25 PM@theopolis Sure, so I've run the daemon in the foreground using the --verbose flag and nothing seems out of place. I've verified the config. I've shut down auditd. And I've checked the error logs (which are empty).
a
alessandrogario
11/27/2019, 9:15 PM
@Michael Green can you try again with a new database? should be located under /var/osquery
m
Michael Green
11/27/2019, 9:31 PM@alessandrogario I tried to create a new db dir and bounced the service and nothing was created in the new dir.
Michael Green
11/27/2019, 10:05 PMAlso tried osqueryctl clean and no change.
a
alessandrogario
11/28/2019, 12:21 PM
This is weird, as the database should get recreated; it is possible to pass a different path to the command line, one that the current user has written access to
alessandrogario
11/28/2019, 12:21 PM
if it works fine with osqueryd -S I'm almost sure it's a database migration error
3 Views