Hi all happy Friday I have a quick question around macOS Osq osquery #macos

Hi all! happy Friday, I have a quick question arou...

Sammy

04/24/2020, 3:33 PM

Hi all! happy Friday, I have a quick question around macOS Osquery /var/log/osquery directory 🙂 , I am sure a lot of you have noticed Apple macOS recursively emptied contents of /var/log during a major system update or migration and now the 10.15 architecture (read-only system volume) is that each minor update (10.15.1 -> 10.15.2) is treated as a full system migration, so it's currently expected that updates would clear the contents of /var/log and Osquery not built to recreate that directory, hence breaking Osquery 😞 . With that said, my question is - What everyone is doing about this? workarounds to store logs in a different directory?

zwass

04/24/2020, 3:43 PM

You can configure osquery to write to any directory you like with

--logger_path

. Given this info, we may need to look at moving the default log directory on macOS. @seph @groob thoughts?

👍 1

Sammy

04/24/2020, 3:57 PM

Thanks Zach, Yeah we are thinking about configuring osquery to write logs to a different directory. I will ask Apple what location would be preferable that macOS changes will not delete it!

Sammy

04/24/2020, 4:08 PM

Lastly I would recommend or request for a future enhancement to the osquery - if we can bake the log mkdir step into the package and also to include an extra step for example if

--logger_path

doesn't exist then mkdir again - this will help us keep osquery running just in case Apple decided to delete that specified log directory 🙂, Thoughts?

seph

04/24/2020, 5:47 PM

Thinking….

seph

04/24/2020, 5:48 PM

That we blur together ERROR/WARN/INFO and results logging makes this feel weird. It seems totally normal to put ERROR/WARN/INFO into /var/log, and to not worry much about it being removed on upgrade, But it seems like data lose to lose result logs.

seph

04/24/2020, 5:49 PM

I’m hard pressed to name a better directory though. Inside the app bundle, but we’re not doing that.

seph

04/24/2020, 5:50 PM

So I think this is 3 issues? 1. osquery blurs ewrror/warn/info with results. Maybe this is fine, since if you really care, you can ship them 2. osquery should probably attempt a

mkdir

, that seems reasonable 3. This change means a common filesystem setup will lose results

Sammy

04/24/2020, 5:52 PM

The main problem is directory /var/log/osquery being deleted on upgrades and osquery trying to write logs to a nonexistent path

seph

04/24/2020, 5:53 PM

That is I think (2). I think some people would find (3) to be a larger problem. And (1) makes simple fixes harder

groob

04/24/2020, 11:01 PM

File an issue with Apple.

👍 1

Sammy

04/24/2020, 11:20 PM

We already did! Deleted content inside /var/log/ directory is expected :) it used to be true for major upgrades and now In Catalina also true for minor updates :)

groob

04/28/2020, 11:36 PM

Wait what??? Apple said it’s expected?

groob

04/28/2020, 11:36 PM

Mind sharing the ticket?

Open in Slack

Previous Next