Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
j
jby
12/02/2020, 8:44 AMI now have a running fleet-server using the
osquery-in-a-boxosqueryd --flagfile /etc/osquery/flags.txt --config_path /etc/osquery/osquery.confpsr
Ryan
12/02/2020, 11:04 AMHi, can you share your systemd file? I’ll compare it to mine.
j
jby
12/02/2020, 11:18 AMService definition or config file?
I'm out for lunch now and will share in a while
r
Ryan
12/02/2020, 1:32 PMso differences between mine and this is I have the Unit
After=network.targetj
jby
12/02/2020, 1:33 PMYeah, but that’s only relevant at boot
r
Ryan
12/02/2020, 1:33 PMI use ExecStart the same way you do, but with all the daemon flags in the service
[Unit]
Description=osquery
Documentation=<https://osquery.io>
After=network.target
[Service]
# Daemon flags from: <https://osquery.readthedocs.io/en/stable/installation/cli-flags/>
ExecStart=/usr/bin/osqueryd --enroll_secret_path=/var/osquery/enroll_secret \
--tls_server_certs=/var/osquery/fleet.pem \
--tls_hostname={{ osquery_fleet_server }} \
--host_identifier=hostname \
--enroll_tls_endpoint=/api/v1/osquery/enroll \
--config_plugin=tls \
--config_tls_endpoint=/api/v1/osquery/config\
--config_refresh=10 \
--disable_distributed=false \
--distributed_plugin=tls \
--distributed_interval=3 \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
--logger_plugin=tls \
--logger_tls_endpoint=/api/v1/osquery/log \
--logger_tls_period=10 \
--watchdog_level=0 \
--watchdog_delay=60 \
--utc=true \
--schedule_splay_percent=10 \
--schedule_max_drift=60 \
--extensions_autoload=/etc/osquery/extensions.load \
--extensions_timeout=5 \
--extensions_interval=5
Restart=always
[Install]
WantedBy=multi-user.targetthat’s what I have
if it helps 🙂
j
jby
12/02/2020, 1:35 PMSo, you have all the settings in the service file I use the default from the rpm
r
Ryan
12/02/2020, 1:36 PMyeah I guess
this service file is managed by Ansible in our case, so I just set everything in there
j
jby
12/02/2020, 1:39 PMI want to be able to use the default for me to be able to push the config with puppet
r
Ryan
12/02/2020, 1:59 PMAnsible and Puppet are very similar, but even so you should be able to compare your flags files with what I have, to see if anything looks amiss?
j
jby
12/02/2020, 2:01 PMIt’s downloaded from my fleet-machine from the “Add host” dialog
But I use the exact same file when starting osqueryd manually
And when run manually it starts properly, but not when using systemctl
Or - maybe I’m just stupid… Let me try something here
Yeah, I AM stupid - see in my flags file above - I don’t have absolute paths to the secret and the tls_cert, that was the problem… 🤦
So - PICNIC!
r
Ryan
12/02/2020, 3:13 PMahhhh!
yeah it’s always something simple like that heheh
j
jby
12/02/2020, 3:14 PMIt was thanks to my showing it to you that I understood it
r
Ryan
12/02/2020, 3:19 PMglad I could help 🙂
as a rubber duck
j
jby
12/02/2020, 3:32 PM👍
z
zwass
12/02/2020, 4:15 PM😛syduck:
glad you got it worked out 🙂
j
jby
12/02/2020, 4:33 PMYeah, me too