Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
benbass
09/23/2021, 7:50 PMDoes logger mode have to be set via the command line flags, or can we manage it with fleet? I am using the filesystem logger and trying to get
644z
zwass
09/23/2021, 10:11 PMDoes logger mode have to be set via the command line flags, or can we manage it with fleet?In theory it should be configurable by Fleet as it is document as an option in osquery. I've seen plenty of osquery options not respecting this in the past though. Is there possibly some issue with returning a string value vs. integer value?
b
benbass
09/23/2021, 10:34 PMI think it has been configurable in versions 4.9 and earlier of osquery. The settings don’t seem to be respected by version 5.0.1 though.
I do know that there were some changes in how the logger mode is implemented in osquery - I know when I set it in the flag file I have to use
--logger-mode=06440644the changes in fleet were done in the fleet GUI via the “Global agent options”.
When I do the TLS debug, I am seeing the settings being sent by fleet, just osquery isn’t respecting them.
z
zwass
09/24/2021, 12:20 AMMaybe you need it in quotes for Fleet?
b
benbass
09/24/2021, 1:26 PMI tried that and it passed the value, but the permissions on the file did not change, nor were they set properly on a freshly created log.