Channels
#general
Title
# general
b
Brandon Mesa
10/27/2022, 6:56 PMHey all, upgraded to ventura on macOS and get the following, anyone run into this?
Copy code
sudo /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --config_path=/var/osquery/osquery.conf --disable_events=false --disable_endpointsecurity=false --enable_file_events=true
Password:
E1027 14:51:56.195858 -267033344 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
E1027 14:51:59.188417 1806135296 shutdown.cpp:79] Worker returned exit statuss
sharvil
10/27/2022, 6:59 PMhrm, haven't seen that one before, does
config_path=/var/osquery/osquery.conf--verboseb
Brandon Mesa
10/27/2022, 7:02 PMYep, it exists, and has been validated:
Copy code
bmesa@Brandons-MacBook-Pro-2 [15:01:31] [~]
-> % sudo osqueryctl config-check
bmesa@Brandons-MacBook-Pro-2 [15:01:38] [~]
-> % sudo /opt/osquery/lib/osquery.app/Contents/MacOS/osqueryd --config_path=/var/osquery/osquery.conf --disable_events=false --disable_endpointsecurity=false --enable_file_events=true --verbose
I1027 15:01:48.281931 -267033344 init.cpp:399] osquery initialized [version=5.5.1]
I1027 15:01:48.283535 -267033344 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /var/osquery/extensions.load
I1027 15:01:48.283571 -267033344 dispatcher.cpp:78] Adding new service: WatcherRunner (0x600002f80018) to thread: 0x16b68b000 (0x60000128c000) in process 13192
I1027 15:01:48.284088 1802022912 watcher.cpp:680] osqueryd watcher (13192) executing worker (13193)
I1027 15:01:48.295619 -267033344 init.cpp:396] osquery worker initialized [watcher=13192]
I1027 15:01:48.296422 -267033344 dispatcher.cpp:78] Adding new service: WatcherWatcherRunner (0x600001180018) to thread: 0x16efb7000 (0x60000288c000) in process 13193
I1027 15:01:48.296506 -267033344 rocksdb.cpp:132] Opening RocksDB handle: /var/osquery/osquery.db
I1027 15:01:48.303813 -267033344 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x14e60a0e8) to thread: 0x16f38b000 (0x6000028822f0) in process 13193
I1027 15:01:48.303853 -267033344 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x14e60c248) to thread: 0x16f417000 (0x600002882200) in process 13193
I1027 15:01:48.303874 1866559488 interface.cpp:299] Extension manager service starting: /var/osquery/osquery.em
I1027 15:01:48.303881 -267033344 auto_constructed_tables.cpp:99] Removing stale ATC entries
E1027 15:01:48.304786 -267033344 shutdown.cpp:79] Cannot activate filesystem logger plugin: Could not create file: /var/log/osquery/osqueryd.results.log
I1027 15:01:48.305431 -267033344 dispatcher.cpp:149] Thread: 0x1f0156500 requesting a stop
I1027 15:01:48.305455 -267033344 dispatcher.cpp:156] Service: 0x600001180018 has been interrupted
I1027 15:01:48.305471 -267033344 dispatcher.cpp:156] Service: 0x14e60a0e8 has been interrupted
I1027 15:01:48.305495 -267033344 dispatcher.cpp:156] Service: 0x14e60c248 has been interrupted
I1027 15:01:48.305511 -267033344 dispatcher.cpp:122] Thread: 0x1f0156500 requesting a join
I1027 15:01:48.305672 -267033344 dispatcher.cpp:140] Service thread: 0x600002882200 has joined
I1027 15:01:48.305696 -267033344 dispatcher.cpp:140] Service thread: 0x6000028822f0 has joined
I1027 15:01:48.305713 -267033344 dispatcher.cpp:140] Service thread: 0x60000288c000 has joined
I1027 15:01:48.305728 -267033344 dispatcher.cpp:144] Services and threads have been cleared
E1027 15:01:51.289422 1802022912 shutdown.cpp:79] Worker returned exit status
I1027 15:01:51.289984 -267033344 dispatcher.cpp:149] Thread: 0x1f0156500 requesting a stop
I1027 15:01:51.290017 -267033344 dispatcher.cpp:122] Thread: 0x1f0156500 requesting a join
I1027 15:01:51.290046 -267033344 dispatcher.cpp:140] Service thread: 0x60000128c000 has joined
I1027 15:01:51.290064 -267033344 dispatcher.cpp:144] Services and threads have been clearedi created the /var/log/osquery directory and now the daemon is initializing
not sure why it didn't have sufficient privileges if i ran it as root?
s
sharvil
10/27/2022, 7:07 PMthat is weird..I wonder if some stale fd lingered on, or whether ventura changed something
fwiw, I haven't seen this on my test ventura VMs
b
Brandon Mesa
10/27/2022, 7:07 PMright, wonder if a clean install would not run into such behavior
did you do a clean install on your ventura VMs?
s
sharvil
10/27/2022, 7:08 PMone of them is a 12.6 to 13 beta upgrade, the other is a clean one
b
Brandon Mesa
10/27/2022, 7:09 PMmmm okay
s
sharvil
10/27/2022, 7:09 PMI will keep an eye out and try it when I get some more time, but feel free to open an issue as well if you are seeing it again or on more machines
s
Stefano Bonicatti
10/27/2022, 7:10 PMI think the osquery binary expects for that folder to already exists; I don’t see logic to create that, but it’s installed by the package: https://github.com/osquery/osquery-packaging/blob/4caa2c54f0d893c1efa47932571046bbce156c52/platform/macos/common.cmake#L55-L58
b
Brandon Mesa
10/27/2022, 7:12 PMAh great catch @Stefano Bonicatti. I noticed the directory was deleted after upgrading
s
Stefano Bonicatti
10/27/2022, 7:12 PMMight make sense to remove this behavior and let osquery create the folder
5 Views