Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
timb
10/28/2019, 7:08 PMhey y’all! https://github.com/osquery/osquery/pull/5956 makes me a bit nervous; it seems like the PR implies that you can’t set logger_tls_period remotely, but we’ve been doing this for awhile via /config without issues
testing this out on 4.0.2 seems to confirm that if i remotely modify logger_tls_period, the host respects the new config
@theopolis let me know if you have any thoughts or want me to raise this another way? it looks like the PR is changing the flag type to match reality, but that’s not the current reality as far as i can tell
n
nyanshak
10/28/2019, 7:23 PMI really hope that's not the case. I have been relying on that (and configuring the logger_tls_endpoint) by remote configuration.
t
timb
10/28/2019, 7:24 PMinterestingly we just experimented with setting logger_tls_endpoint remotely in 4.0.2 and found that not to work, but testing it rn shows setting logger_tls_period does
n
nyanshak
10/28/2019, 7:25 PMah I may have lied, we do set the logger_plugin and some other config remotely, and in general I'd prefer to be able to update them remotely as much as possible.
👍 2
s
seph
10/28/2019, 8:03 PMI suspect filing an issue and references the PR is a good way to start conversation.
This also relates to some of the conversation in https://github.com/osquery/osquery/pull/5882
t
timb
10/28/2019, 8:05 PMit looks like that ended with needing more discussion about the change?
t
theopolis
10/28/2019, 11:01 PMSorry for the disruption, let’s make sure we figure this out before the next release! Verifying it does update at runtime is important
t
timb
10/28/2019, 11:04 PMno worries! let me know if i could help in any way, or if you have a good suggestion on how to demonstrably verify the current behavior?
t
theopolis
10/28/2019, 11:22 PMIf you update the tls_period, you observe the host only logging with that new period? Let’s say changing 3 seconds to 20, then to 1?
t
timb
10/28/2019, 11:24 PMack; if i update a client remotely to switch to 60s i definitely see it start reporting in once a minute
it may be relevant that we do not set this via the flags file ever, as far as i know
and only set it remotely
s
seph
10/28/2019, 11:33 PMTBH I think we should decide a rubric for what correct is. And then start moving flags around
t
theopolis
10/29/2019, 12:13 AMYou are correct, I read the code incorrectly. I just created a new PR with the changes.
🤩 1
t
timb
10/29/2019, 12:14 AMthank you so much!
t
theopolis
10/29/2019, 12:16 AMI like how quickly folks realized my mistake. It provides more confidence that people are double-checking the work! I’d encourage speaking up on PRs if you see anything that seems incorrect.
f
FG
10/29/2019, 12:43 AMtimely i just did this in my environment as well. tracing settings between fleet config and osquery flags etc .