jsanchez

03/26/2021, 5:12 PM
Hi Everyone! I am running into an issue where fleet is not sending any logs to /var/log/osquery for both result.log and status.log. I was using the old environment variables from Kolide, but I recently changed them to match what is shown in the Fleetdm 3.9 docs, since I recently upgraded to that version.

Noah Talerman

03/26/2021, 5:41 PM
Hi @jsanchez! Do you mind posting the env variables you’re using to configure logging in this thread?

jsanchez

03/26/2021, 5:42 PM
FLEET_LOGGING_JSON: "true"
FLEET_FILESYSTEM_ENABLE_LOG_ROTATION: "true"
FLEET_FILESYSTEM_STATUS_LOG_FILE: /var/log/osquery/status.log
FLEET_FILESYSTEM_RESULT_LOG_FILE: /var/log/osquery/result.log
FLEET_OSQUERY_STATUS_LOG_PLUGIN: filesystem
FLEET_OSQUERY_RESULT_LOG_PLUGIN: filesystem
Those are the environment variables I have enabled.

zwass

03/26/2021, 6:25 PM
Can you have a look at the troubleshooting steps in https://github.com/fleetdm/fleet/blob/master/docs/1-Using-Fleet/FAQ.md#troubleshooting and let us know what you find?

jsanchez

03/26/2021, 6:51 PM
I have gone over the troubleshooting steps. There is no /tmp/osquery_result. I have checked the configuration by using fleet config_dump; everything is configured correctly. I have made a query pack that runs every 1hr checking for my user name, which does provide results, and I have chosen snapshot for the type of logging in the query pack. The log path is still empty at this point.

zwass

03/26/2021, 7:07 PM
Did you check osquery_schedule?

jsanchez

03/26/2021, 8:42 PM
Yes, the query pack I have set up has had 36 executions.
I was able to figure it out; it was an issue with a directory's w/r permissions. Thanks for the help! Sorry for wasting your time.

Noah Talerman

03/26/2021, 9:52 PM
Glad you figured out the issue!

zwass

03/27/2021, 12:39 AM
@jsanchez did Fleet log any sort of error information that you could have used to find that? If not, we might like to try to add some logging.

Noah Talerman

03/30/2021, 3:20 PM
@jsanchez which directory had issues with w/r permissions? We may also want to add this information to the troubleshooting steps.

jsanchez

03/30/2021, 6:06 PM
So fleet was issuing errors for not being able to open /var/log/osquery, but since both status.log and result.log were configured to be placed there, I was not able to see the issue until I changed the permissions on that directory. The directory was created as root and had no other permissions set for other users. I changed the permissions to allow r/w for our fleet user that runs /usr/bin/fleet serve.