https://github.com/osquery/osquery logo
Powered by
#macos
Title
# macos
s

Sammy

04/24/2020, 3:33 PM
Hi all! happy Friday, I have a quick question around macOS Osquery /var/log/osquery directory 🙂 , I am sure a lot of you have noticed Apple macOS recursively emptied contents of /var/log during a major system update or migration and now the 10.15 architecture (read-only system volume) is that each minor update (10.15.1 -> 10.15.2) is treated as a full system migration, so it's currently expected that updates would clear the contents of /var/log and Osquery not built to recreate that directory, hence breaking Osquery 😞 . With that said, my question is - What everyone is doing about this? workarounds to store logs in a different directory?
z

zwass

04/24/2020, 3:43 PM
You can configure osquery to write to any directory you like with 
--logger_path
. Given this info, we may need to look at moving the default log directory on macOS. @seph @groob thoughts?
👍 1
s

Sammy

04/24/2020, 3:57 PM
Thanks Zach, Yeah we are thinking about configuring osquery to write logs to a different directory. I will ask Apple what location would be preferable that macOS changes will not delete it!
Lastly I would recommend or request for a future enhancement to the osquery - if we can bake the log mkdir step into the package and also to include an extra step for example if 
--logger_path
doesn't exist then mkdir again - this will help us keep osquery running just in case Apple decided to delete that specified log directory 🙂, Thoughts?
s

seph

04/24/2020, 5:47 PM
Thinking….
That we blur together ERROR/WARN/INFO and results logging makes this feel weird. It seems totally normal to put ERROR/WARN/INFO into /var/log, and to not worry much about it being removed on upgrade, But it seems like data lose to lose result logs.
I’m hard pressed to name a better directory though. Inside the app bundle, but we’re not doing that.
So I think this is 3 issues? 1. osquery blurs ewrror/warn/info with results. Maybe this is fine, since if you really care, you can ship them 2. osquery should probably attempt a 
mkdir
, that seems reasonable 3. This change means a common filesystem setup will lose results
s

Sammy

04/24/2020, 5:52 PM
The main problem is directory /var/log/osquery being deleted on upgrades and osquery trying to write logs to a nonexistent path
s

seph

04/24/2020, 5:53 PM
That is I think (2). I think some people would find (3) to be a larger problem. And (1) makes simple fixes harder
g

groob

04/24/2020, 11:01 PM
File an issue with Apple.
👍 1
s

Sammy

04/24/2020, 11:20 PM
We already did! Deleted content inside /var/log/ directory is expected :) it used to be true for major upgrades and now In Catalina also true for minor updates :)
g

groob

04/28/2020, 11:36 PM
Wait what??? Apple said it’s expected?
Mind sharing the ticket?
Powered by