# fleet
j
Hi Everyone! I am running into an issue where fleet is not sending any logs to /var/log/osquery for both result.log and status.log. I was using the old environment variables from Kolide, but I recently changed them to match what is shown in the Fleetdm 3.9 docs since I recently upgraded to that version.
n
Hi @jsanchez! Do you mind posting the env variables you’re using to configure logging in this thread?
j
FLEET_LOGGING_JSON: "true"
FLEET_FILESYSTEM_ENABLE_LOG_ROTATION: "true"
FLEET_FILESYSTEM_STATUS_LOG_FILE: /var/log/osquery/status.log
FLEET_FILESYSTEM_RESULT_LOG_FILE: /var/log/osquery/result.log
FLEET_OSQUERY_STATUS_LOG_PLUGIN: filesystem
FLEET_OSQUERY_RESULT_LOG_PLUGIN: filesystem
Those are the environment variables I have enabled.
z
Can you have a look at the troubleshooting steps in https://github.com/fleetdm/fleet/blob/master/docs/1-Using-Fleet/FAQ.md#troubleshooting and let us know what you find?
j
I have gone over the troubleshooting steps. There is no /tmp/osquery_result. I have checked the configuration by using fleet config_dump; everything is configured correctly. I have made a query pack that runs every 1hr checking for my user name, which does provide results, and I have chosen snapshot for the type of logging in the query pack. The log path is still empty at this point.
z
Did you check osquery_schedule?
j
Yes, the query pack I have set up has had 36 executions.
I was able to figure it out: an issue with a directory's w/r permissions. Thanks for the help! Sorry for wasting your time.
n
Glad you figured out the issue!
z
@jsanchez did Fleet log any sort of error information that you could have used to find that? If not, we might like to try to add some logging.
n
@jsanchez which directory had issues with w/r permissions? We may also want to add this information to the troubleshooting steps.
j
So fleet was issuing errors for not being able to open /var/log/osquery, but since both status.log and result.log were configured to be placed there, I was not able to see the issue until I changed the permissions on that directory. The directory was created as root and had no other permissions set for other users. I changed the permissions to allow r/w for our fleet user that runs /usr/bin/fleet serve.
ty