# fleet
j
I now have a running fleet-server using the osquery-in-a-box setup. I can populate it with data from a Linux (Fedora 32) host by running osqueryd manually from the command line:
osqueryd --flagfile /etc/osquery/flags.txt --config_path /etc/osquery/osquery.conf
But starting osqueryd using systemctl doesn’t work. I’ve checked /etc/sysconfig/osqueryd and it points to the same files as I point to when running it manually (which can be verified by running ps after starting), but still it doesn’t communicate with my fleet instance. Anyone seen the same and found a solution?
r
Hi, can you share your systemd file? I’ll compare it to mine.
j
Service definition or config file? I'm out for lunch now and will share in a while.
r
so the difference between mine and this is that I have After=network.target in the Unit section
j
Yeah, but that’s only relevant at boot
r
I use ExecStart the same way you do, but with all the daemon flags in the service
[Unit]
Description=osquery
Documentation=https://osquery.io
After=network.target

[Service]
# Daemon flags from: https://osquery.readthedocs.io/en/stable/installation/cli-flags/
# {{ osquery_fleet_server }} is an Ansible template variable, filled in at deploy time.
ExecStart=/usr/bin/osqueryd --enroll_secret_path=/var/osquery/enroll_secret \
                            --tls_server_certs=/var/osquery/fleet.pem \
                            --tls_hostname={{ osquery_fleet_server }} \
                            --host_identifier=hostname \
                            --enroll_tls_endpoint=/api/v1/osquery/enroll \
                            --config_plugin=tls \
                            --config_tls_endpoint=/api/v1/osquery/config \
                            --config_refresh=10 \
                            --disable_distributed=false \
                            --distributed_plugin=tls \
                            --distributed_interval=3 \
                            --distributed_tls_max_attempts=3 \
                            --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
                            --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
                            --logger_plugin=tls \
                            --logger_tls_endpoint=/api/v1/osquery/log \
                            --logger_tls_period=10 \
                            --watchdog_level=0 \
                            --watchdog_delay=60 \
                            --utc=true \
                            --schedule_splay_percent=10 \
                            --schedule_max_drift=60 \
                            --extensions_autoload=/etc/osquery/extensions.load \
                            --extensions_timeout=5 \
                            --extensions_interval=5
Restart=always

[Install]
WantedBy=multi-user.target
that’s what I have
if it helps 🙂
j
So, you have all the settings in the service file. I use the default from the rpm.
r
yeah I guess
this service file is managed by Ansible in our case, so I just set everything in there
j
I want to be able to use the default so that I can push the config with puppet.
r
Ansible and Puppet are very similar, but even so you should be able to compare your flags files with what I have, to see if anything looks amiss?
j
It’s downloaded from my fleet-machine from the “Add host” dialog
But I use the exact same file when starting osqueryd manually
And when run manually it starts properly, but not when using systemctl
Or - maybe I’m just stupid… Let me try something here
Yeah, I AM stupid - see in my flags file above - I don’t have absolute paths to the secret and the tls_cert, that was the problem… facepalm
So - PICNIC!
r
ahhhh!
yeah it’s always something simple like that heheh
j
It was thanks to my showing it to you that I understood it
r
glad I could help 🙂
as a rubber duck
j
👍
z
psyduck
glad you got it worked out 🙂
j
Yeah, me too