Channels
#fleet
Title
# fleet
o
Ojas
03/03/2022, 6:11 AMHey
I updated my fleet and osquery recently but now:
I am not able to find the osquery logs in /var/osquery/*
not in C:\Program Files\osquery\*
đź‘€ 1
there seems to be a new folder orbit. Inside this i did find osquery.db but the logs are not the sme way it used to be.
its very badly formatted and just in one single file. Most of them just say what fleet tried to run on the machine and no results are logged
mac logs
ubuntu
Windows
All i need now is someone to show me how to configure the logs to be stored on the host itself.
This is my config rn and it dosent seem to do the trick
l
Luke Heath
03/03/2022, 4:16 PMHi Ojas, yes you can do this using the filesystem as the logger plugin: https://fleetdm.com/docs/using-fleet/osquery-logs#filesystem
l
Lucas Rodriguez
03/03/2022, 6:55 PMHi Ojas!
logger_pluginresultstatuso
Ojas
03/04/2022, 5:41 AM@Luke Heath Thanks for you response. So i have configured correctly as given in above screenshot?
Coz even after configuring this i dont see any proper logs on my hosts. I do see a file which contains data of what agent is connecting to and what query ran on the machine and everything. But not he proper logs like which contains the results of the query which ran on the machine.
@Lucas Rodriguez thanks for you response. I have configured the logger_plugin but still no logs on the endpoint. The orbit logs are not as proper as the older osquery logs which were is /var/log/osquery/*
In the orbit logs file we have everything logged like what agent is doing what query ran and not in a standard format.
any way i can configure it to goto old format
I have this err on mac os:
E0304 054753.505184 129021440 shutdown.cpp:75] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
If i create the folder osquery there it starts working fine but when the folder is not there it throws err that cannot create it. Any fix for this?
as i have to install it on alot of systems, manually creating those folders would be painfull
Same err on windows: Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\
l
Lucas Rodriguez
03/04/2022, 1:46 PMHi @Ojas! I believe you hit this bug: https://github.com/fleetdm/fleet/issues/4146
(Which will be fixed on our next release coming today/early-next-week, TBD)
You will have to remove
filesystemlogger_plugintlsThough, once we release the new Orbit version, your instances should auto-update.
o
Ojas
03/04/2022, 3:10 PMalright. Thanks Lucas. I’ll wait for the update.
So after the update do i need to again generate the installer agent or do i need to install osquery on machine again to get updated config? or will that be auto-updated too
l
Lucas Rodriguez
03/07/2022, 11:45 AMHi Ojas!, once we release fleet-osquery (aka orbit) - sometime early this week - it should auto-update automatically. (If things work as expected you won't need to re-generate the installers.)
o
Ojas
03/07/2022, 11:57 AMawesome thanks
Hey @Lucas Rodriguez
I still dont see any logs created. Any update on patch?
Do i need to generate a new installer?
Also now i see another older issue, my fleet_osquery service in windows keeps stopping.
l
Lucas Rodriguez
03/21/2022, 6:30 PMHi @Ojas!
Do i need to generate a new installer?No, should auto-update.
Also now i see another older issue, my fleet_osquery service in windows keeps stopping.Could you check
C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.logo
Ojas
03/30/2022, 10:50 AMit says ” Cannot activate filesystem logger plugin” :?
@User i still see the old error:
2022-03-30T111942Z INF start osqueryd cmd=“C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags”
E0330 112240.311066 3380 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log
E0330 112242.511026 5160 shutdown.cpp:79] Worker returned exit status
Also on manually creating folders it works fine. It’s still the issue of not able to create the folders
l
Lucas Rodriguez
03/30/2022, 11:29 AMOK, could you run
"C:\Program Files\Orbit\bin\orbit\orbit.exe" --versionCould not create file: \Program Files\osquery\log\osqueryd.results.logOn the latest version we changed the path, that looks like the old default path.
o
Ojas
03/30/2022, 11:31 AMorbit 0.0.6
l
Lucas Rodriguez
03/30/2022, 11:32 AMOK, latest is 0.0.7 (and soon 0.0.8). For some reason it's not auto-updating.
Does the host have access to https://tuf.fleetctl.com?
o
Ojas
03/30/2022, 11:33 AMhow do i check that?
l
Lucas Rodriguez
03/30/2022, 11:33 AMAny other network error logs related to updating (in
C:\Windows\system32\config\systemprofile\AppData\Local\FleetDM\Orbit\Logs\orbit-osquery.loghow do i check that?Try visiting the URL from a browser in the host, or using the
curlwgeto
Ojas
03/30/2022, 11:35 AMi can ping it from the host
2022-03-30T111942Z INF start osqueryd cmd=“C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags”
E0330 111944.483722 4888 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log
E0330 111945.709700 5776 shutdown.cpp:79] Worker returned exit status
2022-03-30T111945Z ERR unexpected exit error=“osqueryd exited with error: exit status 78"
2022-03-30T111947Z INF start osqueryd cmd=“C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags”
E0330 111948.367669 5808 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log
E0330 111951.128486 3348 shutdown.cpp:79] Worker returned exit status
2022-03-30T112133Z INF start osqueryd cmd=“C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags”
E0330 112134.335160 3884 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log
E0330 112137.178841 3876 shutdown.cpp:79] Worker returned exit status
2022-03-30T112238Z INF start osqueryd cmd=“C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags”
E0330 112240.311066 3380 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log
E0330 112242.511026 5160 shutdown.cpp:79] Worker returned exit status
2022-03-30T112542Z INF start osqueryd cmd=“C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags”
I0330 112543.293851 3316 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0330 112546.206353 1712 interfaces.cpp:102] Failed to retrieve network statistics for interface 4
I0330 112546.266278 1712 interfaces.cpp:102] Failed to retrieve network statistics for interface 1
I0330 112546.269050 1712 interfaces.cpp:130] Failed to retrieve physical state for interface 1
I0330 112546.287117 1712 interfaces.cpp:157] Failed to retrieve DHCP and DNS information for interface 1
I0330 112546.377097 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.389892 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.390563 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.392493 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.395962 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.396636 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.398648 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.400411 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
I0330 112546.401648 1712 registry.cpp:555] Failed to expand globs: Failed to open registry handle
W0330 112546.763278 1712 chocolatey_packages.cpp:65] Did not find chocolatey path environment variable
E0330 112548.131688 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_1: no such table: gatekeeper
W0330 112548.153442 1712 bitlocker_info.cpp:52] Error retreiving information from WMI.
E0330 112548.159821 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_3: no such table: disk_encryption
E0330 112548.164297 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_4: no such table: disk_encryption
E0330 112548.168017 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_5: no such table: sip_config
E0330 112548.170768 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_6: no such table: managed_policies
E0330 112548.173740 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_7: no such table: managed_policies
E0330 112548.176471 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_8: no such table: managed_policies
E0330 112548.179143 1712 distributed.cpp:144] Error executing distributed query: fleet_policy_query_9: no such table: plist
I0330 112612.553747 2764 registry.cpp:555] Failed to expand globs: Failed to open registry handle
W0330 112612.555688 2764 virtual_table.cpp:961] The chrome_extensions table returns data based on the current user by default, consider JOINing against the users table
W0330 112612.558739 2764 virtual_table.cpp:961] The firefox_addons table returns data based on the current user by default, consider JOINing against the users table
W0330 112612.572578 2764 chocolatey_packages.cpp:65] Did not find chocolatey path environment variable
W0330 112612.583083 2764 virtual_table.cpp:961] The atom_packages table returns data based on the current user by default, consider JOINing against the users table
I0330 112612.585950 2764 query.cpp:102] Storing initial results for new scheduled query: pack_test_Get installed Windows software
2022-03-30T112909Z INF start osqueryd cmd=“C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --enroll_secret_env ENROLL_SECRET --host_identifier=uuid --tls_hostname=fleet.tpsec.co --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=60 --disable_distributed=false --distributed_plugin=tls --distributed_tls_max_attempts=10 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --disable_carver=false --carver_disable_function=false --carver_start_endpoint=/api/v1/osquery/carve/begin --carver_continue_endpoint=/api/v1/osquery/carve/block --carver_block_size=2000000 --tls_server_certs C:\\Program Files\\Orbit\\certs.pem --force --flagfile C:\\Program Files\\Orbit\\osquery.flags”
I0330 112909.557931 3980 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0330 113244.828908 3940 registry.cpp:555] Failed to expand globs: Failed to open registry handle
W0330 113244.830849 3940 virtual_table.cpp:961] The chrome_extensions table returns data based on the current user by default, consider JOINing against the users table
W0330 113244.834173 3940 virtual_table.cpp:961] The firefox_addons table returns data based on the current user by default, consider JOINing against the users table
W0330 113244.848613 3940 chocolatey_packages.cpp:65] Did not find chocolatey path environment variable
W0330 113244.859524 3940 virtual_table.cpp:961] The atom_packages table returns data based on the current user by default, consider JOINing against the users table
Able to access the site from browser as well.
l
Lucas Rodriguez
03/30/2022, 11:38 AMOK, a guess: so due to the issue (which causes orbit to crash), orbit cannot auto-update. Could you disable the
filesystemo
Ojas
03/30/2022, 11:39 AMDo i change it to tls? or just remove it from there all together?
l
Lucas Rodriguez
03/30/2022, 11:39 AMYes, just
tlso
Ojas
03/30/2022, 11:40 AMalright. Done
config:
options:
logger_plugin: tls
l
Lucas Rodriguez
03/30/2022, 11:41 AMWhat I fear is that osquery already stored
filesystemo
Ojas
03/30/2022, 11:42 AMshould i restart the machine? or just wait few minutes?
l
Lucas Rodriguez
03/30/2022, 11:42 AMLet's wait a few minutes first.
âś… 1
Worst case scenario: You will need to regenerate a
msio
Ojas
03/30/2022, 11:45 AMfor that would orbit need to be cleaned from the machine first? or as i run new installer it will auto install new one
l
Lucas Rodriguez
03/30/2022, 11:50 AMYes. Running a new installer should override current installation. Let me know if it doesn't.
o
Ojas
03/30/2022, 12:17 PMyea with new installer it got updated to orbit 0.0.7
l
Lucas Rodriguez
03/30/2022, 12:21 PMOK, let me know if the
filesystemo
Ojas
03/30/2022, 12:27 PMTried it on a new machine from scratch. Works nicely. thanks :)
So everytime there is a patch/update do i need to create a new installer?
l
Lucas Rodriguez
03/30/2022, 12:40 PMNo, orbit should automatically update. The issue here is that the filesystem configuration was causing issues at startup, so it didn't have the chance to run the auto-updater routine...
🙏 1
9 Views