Does logger mode have to be set via the command line flags o osquery #fleet

Does logger mode have to be set via the command li...

benbass

09/23/2021, 7:50 PM

Does logger mode have to be set via the command line flags, or can we manage it with fleet? I am using the filesystem logger and trying to get

set as the permissions on the osquery.results.log on the endpoints. Using tls dump I can see that logger mode is being sent to the endpoint, it just doesn’t look like it is being implemented by osquery (5.0.1).

zwass

09/23/2021, 10:11 PM

Does logger mode have to be set via the command line flags, or can we manage it with fleet?

In theory it should be configurable by Fleet as it is document as an option in osquery. I've seen plenty of osquery options not respecting this in the past though. Is there possibly some issue with returning a string value vs. integer value?

benbass

09/23/2021, 10:34 PM

I think it has been configurable in versions 4.9 and earlier of osquery. The settings don’t seem to be respected by version 5.0.1 though.

benbass

09/23/2021, 10:36 PM

I do know that there were some changes in how the logger mode is implemented in osquery - I know when I set it in the flag file I have to use

--logger-mode=0644

and when I set

in fleet, fleet resets the configs to the previous version.

benbass

09/23/2021, 10:37 PM

the changes in fleet were done in the fleet GUI via the “Global agent options”.

benbass

09/23/2021, 10:37 PM

When I do the TLS debug, I am seeing the settings being sent by fleet, just osquery isn’t respecting them.

zwass

09/24/2021, 12:20 AM

Maybe you need it in quotes for Fleet?

benbass

09/24/2021, 1:26 PM

I tried that and it passed the value, but the permissions on the file did not change, nor were they set properly on a freshly created log.

5 Views

Open in Slack

Previous Next