Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
s
Sparta
08/28/2019, 12:18 PMHi @Guillaume, I am not able to log results to osqueryd.results.log with osquery on windows 10
Steps which I have followed
1.My osquery.conf file
{
"options":
{
"logger_snapshot_event_type": "true",
"schedule_splay_percent": 10
},
"platform": "windows",
"schedule":
{
"cpu_info":
{
"query": "select * from cpu_info;",
"interval": 1,
"platform": "windows",
"version": "3.3.2",
"description": "General cpu_information "
}
},
"packs": {
// "performance-metrics": "packs/performance-metrics.conf",
//"security-tooling-checks": "packs/security-tooling-checks.conf",
// "unwanted-chrome-extensions": "packs/unwanted-chrome-extensions.conf",
// "windows-application-security": "packs/windows-application-security.conf",
// "windows-compliance": "packs/windows-compliance.conf",
// "windows-registry-monitoring": "packs/windows-registry-monitoring.conf",
// "windows-attacks": "packs/windows-attacks.conf"
}
}
2.Run in powershell admin
PS C:\Program Files\osquery\osqueryd> .\osqueryd.exe
E0828 16:08:45.261500 19992 processes.cpp:312] Failed to lookup path information for process 4
E0828 16:08:45.261500 19992 processes.cpp:332] Failed to get cwd for 4 with 31
E0828 16:08:45.261500 19992 processes.cpp:312] Failed to lookup path information for process 96
E0828 16:08:45.261500 19992 processes.cpp:332] Failed to get cwd for 96 with 31
E0828 16:08:45.261500 19992 processes.cpp:312] Failed to lookup path information for process 2100
E0828 16:08:45.261500 19992 processes.cpp:332] Failed to get cwd for 2100 with 31
I0828 16:08:47.488893 17424 database.cpp:570] Checking database version for migration
E0828 16:08:47.582640 17424 init.cpp:594] Cannot activate filesystem logger plugin: Could not create file: \ProgramData\osquery\log\osqueryd.results.log pls guide me steps, what i cam doing wrong
please guide me steps, what i cam doing wrong
thank you so much
g
Guillaume
08/28/2019, 2:23 PMHi! Check out this thread - also please don't cross-post in DM + multiple channels... most of us are happy to help out but not always available, better to keep it in a single public channel. Seems like a permission issue of some kind - does the file exist already? Is the Service stopped (you can't run it twice)?
and what version are you running? installed from msi or choco?
s
Sparta
08/29/2019, 12:57 PMI have installed 3.3.2 version with msi on windows
p
pdpq
10/11/2019, 3:18 AM@Sparta hi, I met same problem and don’t know how to solve it. had you solved it?
e
ehrhardt
03/05/2020, 12:17 AMHi @Guillaume was there a link to a different thread you intended to include here?