Hi Everyone, has anybody encountered an issue where osquery fails to parse augeas files? I tried running the query below as a test and i get no results

osquery> SELECT label FROM augeas WHERE path = 'etc/sudoers';
osquery>

Current running versions: OSquery: v5.4.0 Fleet: v4.17.1

Is that path correct? I imagine it should be

/etc/sudoers

, though I also don’t remember of augeas does funny things

@seph you are correct, i missed typed but i still get no results

Are you running as root? sudoers isn’t usually world readable. Does

select * from augeas

preduce results?

Hi @seph, i was actually able to resolve this issue. Apparently as of version 4.5.1 of the osquery agents, i can no longer specify the location where my custom template goes. Augeas lenses is now bundled with newer osquery distribution and the default location for the .aug files are in

/opt/osquery/share/osquery/lenses

, so i just moved our custom template over to that dir and it started working

Ah yes. That’s true! Previously osquery used both the default augeas search path and the osquery specific lenses. In 4.5.1 we dropped the augeas search path, so that site admins can restrict what osquery uses more directly.