#general

JB

01/16/2019, 4:25 PM
so I’m trying to start the daemon on my macOS:
Hostname:osquery root# sudo osqueryctl start --config_path=/var/osquery/osquery.conf
I0116 16:22:03.214370 2890367872 database.cpp:564] Checking database version for migration
Error reading config: Error parsing the config JSON
This is my osquery.conf:
Hostname:osquery root# cat osquery.conf
{
  "options": {
    "config_plugin": "/var/osquery/osquery.conf",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "schedule_splay_percent": "10",
    "database_path": "/var/osquery/osquery.db",
    #"disable_tables": "foo_bar,time",
    "utc": "true"
  },

  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    },
		"usb_devices": {
		"query": "SELECT vendor, model FROM usb_devices;",
		"interval": 60
		}
  },

  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  # Linux:        /usr/share/osquery/packs
  # OS X:         /var/osquery/packs
  # Homebrew:     /usr/local/share/osquery/packs
  # make install: {PREFIX}/share/osquery/packs
  "packs": {
    # "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    # "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    # "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    # "osx-attacks": "/usr/share/osquery/packs/osx-attacks.conf",
    # "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    # "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
    # "ossec-rootkit": "/usr/share/osquery/packs/ossec-rootkit.conf",
    # "windows-hardening": "C:\\ProgramData\\osquery\\packs\\windows-hardening.conf",
    # "windows-attacks": "C:\\ProgramData\\osquery\\packs\\windows-attacks.conf"
  },
}
Any ideas?

Alan

01/17/2019, 6:44 PM
I suspect it's your last , change this attacks.conf" }, }
6:45 PM
to this attacks.conf" } }
6:45 PM
that will make it valid json

JB

02/06/2019, 12:36 PM
got it all working…thanks @Alan