https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
b

benbass

09/23/2021, 7:50 PM
Does logger mode have to be set via the command line flags, or can we manage it with fleet? I am using the filesystem logger and trying to get 
644
set as the permissions on the osquery.results.log on the endpoints. Using tls dump I can see that logger mode is being sent to the endpoint, it just doesn’t look like it is being implemented by osquery (5.0.1).
z

zwass

09/23/2021, 10:11 PM
Does logger mode have to be set via the command line flags, or can we manage it with fleet?
In theory it should be configurable by Fleet as it is document as an option in osquery. I've seen plenty of osquery options not respecting this in the past though. Is there possibly some issue with returning a string value vs. integer value?
b

benbass

09/23/2021, 10:34 PM
I think it has been configurable in versions 4.9 and earlier of osquery. The settings don’t seem to be respected by version 5.0.1 though.
I do know that there were some changes in how the logger mode is implemented in osquery - I know when I set it in the flag file I have to use 
--logger-mode=0644
and when I set 
0644
in fleet, fleet resets the configs to the previous version.
the changes in fleet were done in the fleet GUI via the “Global agent options”.
When I do the TLS debug, I am seeing the settings being sent by fleet, just osquery isn’t respecting them.
z

zwass

09/24/2021, 12:20 AM
Maybe you need it in quotes for Fleet?
b

benbass

09/24/2021, 1:26 PM
I tried that and it passed the value, but the permissions on the file did not change, nor were they set properly on a freshly created log.
5 Views
Powered by