https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
j

jby

12/02/2020, 8:44 AM
I now have a running fleet-server using the 
osquery-in-a-box
setup, I can populate it with data from a Linux (Fedora 32) host by running osqueryd manually from the command line:
Copy code
osqueryd --flagfile /etc/osquery/flags.txt --config_path /etc/osquery/osquery.conf
But starting osqueryd using systemctl doesn’t work, I’ve checked /etc/sysconfig/osqueryd and it points to the same files as I point to running it manually (and can be verified by running 
ps
after starting) but still it doesn’t communicate with my fleet instance. Anyone seen the same and found a solution?
r

Ryan

12/02/2020, 11:04 AM
Hi, can you share your systemd file? I’ll compare it to mine.
j

jby

12/02/2020, 11:18 AM
Service definition or config file? I'm out for lunch now and will share in a while
r

Ryan

12/02/2020, 1:32 PM
so differences between mine and this is I have the Unit 
After=network.target
j

jby

12/02/2020, 1:33 PM
Yeah, but that’s only relevant at boot
r

Ryan

12/02/2020, 1:33 PM
I use ExecStart the same way you do, but with all the daemon flags in the service
Copy code
[Unit]
Description=osquery
Documentation=<https://osquery.io>
After=network.target

[Service]
# Daemon flags from: <https://osquery.readthedocs.io/en/stable/installation/cli-flags/>
ExecStart=/usr/bin/osqueryd --enroll_secret_path=/var/osquery/enroll_secret \
                            --tls_server_certs=/var/osquery/fleet.pem \
                            --tls_hostname={{ osquery_fleet_server }} \
                            --host_identifier=hostname \
                            --enroll_tls_endpoint=/api/v1/osquery/enroll \
                            --config_plugin=tls \
                            --config_tls_endpoint=/api/v1/osquery/config\
                            --config_refresh=10 \
                            --disable_distributed=false \
                            --distributed_plugin=tls \
                            --distributed_interval=3 \
                            --distributed_tls_max_attempts=3 \
                            --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
                            --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
                            --logger_plugin=tls \
                            --logger_tls_endpoint=/api/v1/osquery/log \
                            --logger_tls_period=10 \
                            --watchdog_level=0 \
                            --watchdog_delay=60 \
                            --utc=true \
                            --schedule_splay_percent=10 \
                            --schedule_max_drift=60 \
                            --extensions_autoload=/etc/osquery/extensions.load \
                            --extensions_timeout=5 \
                            --extensions_interval=5
Restart=always

[Install]
WantedBy=multi-user.target
that’s what I have
if it helps 🙂
j

jby

12/02/2020, 1:35 PM
So, you have all the settings in the service file I use the default from the rpm
r

Ryan

12/02/2020, 1:36 PM
yeah I guess
this service file is managed by Ansible in our case, so I just set everything in there
j

jby

12/02/2020, 1:39 PM
I want to be able to use the default for me to be able to push the config with puppet
r

Ryan

12/02/2020, 1:59 PM
Ansible and Puppet are very similar, but even so you should be able to compare your flags files with what I have, to see if anything looks amiss?
j

jby

12/02/2020, 2:01 PM
It’s downloaded from my fleet-machine from the “Add host” dialog
But I use the exact same file when starting osqueryd manually
And when run manually it starts properly, but not when using systemctl
Or - maybe I’m just stupid… Let me try something here
Yeah, I AM stupid - see in my flags file above - I don’t have absolute paths to the secret and the tls_cert, that was the problem… facepalm
So - PICNIC!
r

Ryan

12/02/2020, 3:13 PM
ahhhh!
yeah it’s always something simple like that heheh
j

jby

12/02/2020, 3:14 PM
It was thanks to my showing it to you that I understood it
r

Ryan

12/02/2020, 3:19 PM
glad I could help 🙂
as a rubber duck
j

jby

12/02/2020, 3:32 PM
👍
z

zwass

12/02/2020, 4:15 PM
psyduck
glad you got it worked out 🙂
j

jby

12/02/2020, 4:33 PM
Yeah, me too
10 Views
Powered by