Title
#general
theopolis

theopolis

06/20/2017, 10:11 PM
@p2 those errors are rare, but! You most likely have something turning on events, if you're on Linux then a
/etc/osquery/osquery.flags
or
/etc/osquery/osquery.flags.default
with a
--nodisable_events
or
--disable_events=false
will enable the event publishers for the shell. A config could also turn them on,
--config_dump
will write the config JSON. Next, why are the events failing? Those are all
pipe
-based to some API that is privileged on the OS, so you could be running as a restricted user, or have cgroups limiting the binary's permissions?
c

cc

08/31/2018, 9:09 PM
Saw exactly the same error. Stuck for a couple of days and finally figured out what was wrong. The issue is I have
auditd
running on my centos7 server as well, which steals all the events need to be sent to osquery. After I disabled
auditd
, everything works properly. I know this is old, but still wanna leave a message here in case anybody else has the same issue.