Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
Sammy
04/24/2020, 3:33 PMHi all! happy Friday, I have a quick question around macOS Osquery /var/log/osquery directory 🙂 , I am sure a lot of you have noticed Apple macOS recursively emptied contents of /var/log during a major system update or migration and now the 10.15 architecture (read-only system volume) is that each minor update (10.15.1 -> 10.15.2) is treated as a full system migration, so it's currently expected that updates would clear the contents of /var/log and Osquery not built to recreate that directory, hence breaking Osquery 😞 .
With that said, my question is - What everyone is doing about this? workarounds to store logs in a different directory?
z
zwass
04/24/2020, 3:43 PMYou can configure osquery to write to any directory you like with
--logger_path👍 1
s
Sammy
04/24/2020, 3:57 PMThanks Zach, Yeah we are thinking about configuring osquery to write logs to a different directory. I will ask Apple what location would be preferable that macOS changes will not delete it!
Lastly I would recommend or request for a future enhancement to the osquery - if we can bake the log mkdir step into the package and also to include an extra step for example if
--logger_paths
seph
04/24/2020, 5:47 PMThinking….
That we blur together ERROR/WARN/INFO and results logging makes this feel weird. It seems totally normal to put ERROR/WARN/INFO into /var/log, and to not worry much about it being removed on upgrade,
But it seems like data lose to lose result logs.
I’m hard pressed to name a better directory though. Inside the app bundle, but we’re not doing that.
So I think this is 3 issues?
1. osquery blurs ewrror/warn/info with results. Maybe this is fine, since if you really care, you can ship them
2. osquery should probably attempt a
mkdirs
Sammy
04/24/2020, 5:52 PMThe main problem is directory /var/log/osquery being deleted on upgrades and osquery trying to write logs to a nonexistent path
s
seph
04/24/2020, 5:53 PMThat is I think (2). I think some people would find (3) to be a larger problem. And (1) makes simple fixes harder
g
groob
04/24/2020, 11:01 PMFile an issue with Apple.
👍 1
s
Sammy
04/24/2020, 11:20 PMWe already did! Deleted content inside /var/log/ directory is expected :) it used to be true for major upgrades and now In Catalina also true for minor updates :)
g
groob
04/28/2020, 11:36 PMWait what??? Apple said it’s expected?
Mind sharing the ticket?