#linux

theresa

09/25/2020, 9:16 AM
Dear all, can a kind soul please help me debug my osquery.conf? It's driving me mad. As soon as I enable the osquery packs, it stops working and fails to parse the config.
{
    "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "utc": "true"
  },

  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    }
  },

  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  Linux: /usr/share/osquery/packs
  "packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
  },
}

blaedj

09/25/2020, 12:14 PM
you can check if the config is valid by running
osqueryd --config_check --config_path ./osquery.conf
- when I run that on the code pasted above, osquery is unable to parse the json. I think it's around line 19, around
linux: /usr/share/osquery/packs
.
12:15 PM
try something like this:
{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "utc": "true"
  },
  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  "packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
}

theresa

09/25/2020, 12:40 PM
Thank you @blaedj ... I'll try that once I'm back home. It's interesting, because it was the config that came with the installation. Isn't that supposed to work?

blaedj

09/25/2020, 12:41 PM
That is interesting, I would expect it would, but it's certainly not valid json.
12:42 PM
if you're referencing https://github.com/osquery/osquery/blob/600f21dcfbfa2047bd8540b27f89e2c31a097ff6/tools/deployment/osquery.example.conf, it looks like your conf file had some lines and characters removed

theresa

09/25/2020, 12:43 PM
Hmm, I actually was lazy and installed it by using my package manager. Maybe the maintainer of the package messed up the config or included a messy config. But thanks for your help @blaedj 😃

blaedj

09/25/2020, 12:45 PM
Ah yea, could be a good issue to file with the package maintainer. My pleasure!