One quick question, can we change the frequency of...
# fleety
Yash Boura
08/10/2021, 6:37 PMOne quick question, can we change the frequency of schedule queries less than 1 hour just to test?
j
Jocelyn Bothe
08/10/2021, 7:11 PMqueries are scheduled in seconds, so you can schedule them as frequently as you like. We run some queries every 60 seconds in our setup
👍 1
s
Sarah Gillespie
08/10/2021, 7:38 PMHi Yash, from the "Schedule" page, the "Advanced" button will take you to where you can create query packs and set your own custom frequency that is scheduled in seconds as Jocelyn noted above.
👍 1
m
Mystery Incorporated
08/11/2021, 3:13 AMI run some queries every 5 seconds, YOLO
👍 1
y
Yash Boura
08/11/2021, 5:55 AMWell thanks!
Yash Boura
08/11/2021, 6:17 AM@Mystery Incorporated where can you see your scheduled queries running, for eg. I can see the live queries running in my console but can't see the scheduled queries running in my console.
m
Mystery Incorporated
08/11/2021, 6:20 AM@Yash Boura they go in results.log and get ingested to my SIEM. I'm reporting on them using a kibana dashboard. I don't recommend kibana tho, it's highly inflexible and generally rubbish, I'd like to transfer to a different dashboarding tool at some stage.
y
Yash Boura
08/11/2021, 6:29 AM@Mystery Incorporated I'll be going with kafka producer for listening to logs. But rn I'm on windows, and the result.log just shows me the host detail I'm connected too.
m
Mystery Incorporated
08/11/2021, 6:30 AM@Yash Boura you running some snapshot queries?
Mystery Incorporated
08/11/2021, 6:30 AMIf they are differential queries and nothing changes there will be no results
y
Yash Boura
08/11/2021, 6:31 AM@Mystery Incorporated I'm running two snapshot and one differential query
Yash Boura
08/11/2021, 6:31 AMmaybe tls logger plugin giving me some issues
m
Mystery Incorporated
08/11/2021, 6:33 AMYeh run osqueryd from the console in windows see if you see anything
Mystery Incorporated
08/11/2021, 6:33 AMI have noticed many situations where osquery just fails and doesn't log anything..... logging definitely leaves something wanting.
y
Yash Boura
08/11/2021, 6:38 AMGot the issue , getting this when running osqueryd from console.
Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.logm
Mystery Incorporated
08/11/2021, 6:52 AM@Yash Boura if you're using TLS it shouldn't even be trying to use filesystem, I think you maybe have BOTH filesystem and TLS declared as logging types, try remove the filesystem see if it works.
y
Yash Boura
08/11/2021, 7:10 AM@Mystery Incorporated tried it no luck.
m
Mystery Incorporated
08/11/2021, 7:17 AM@Yash Boura same error? Also delete any osquery.conf file
y
Yash Boura
08/11/2021, 7:27 AM@Mystery Incorporated osquery.conf is a required file right?
m
Mystery Incorporated
08/11/2021, 7:27 AM@Yash Boura nope, use only the flags file delete it
y
Yash Boura
08/11/2021, 7:35 AM@Mystery Incorporated I'm kinda confused. I start my osqueryd along with flag files only.
m
Mystery Incorporated
08/11/2021, 7:36 AMSo what? delete the .conf file because by default osquery looks for flags and conf at default paths
Mystery Incorporated
08/11/2021, 7:37 AMWith fleet it pushes the config that overrides the .conf file but if it's not connecting to fleet then it's probably trying to use the default .conf file which would exactly be the reason why it's still trying to log to filesystem despite you removing that from flags.
👍 1
y
Yash Boura
08/11/2021, 7:42 AM@Mystery Incorporated cool, on it
Yash Boura
08/11/2021, 10:25 AM@Mystery Incorporated working now!
m
Mystery Incorporated
08/11/2021, 10:25 AMTold ya 😛
😊 1
4 Views