Dear all, can a kind soul please help me debug my osquery.conf? It's driving me mad. As soon as I enable the osquery packs, it stops working and fails to parse the config.

{
    "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "utc": "true"
  },

  "schedule": {
    "system_info": {
      "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
      "interval": 3600
    }
  },

  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },

  Linux: /usr/share/osquery/packs
  "packs": {
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf",
  },
}

you can check if the config is valid by running

osqueryd --config_check --config_path ./osquery.conf

- when I run that on the code pasted above, osquery is unable to parse the json. I think it's around line 19, around

linux: /usr/share/osquery/packs

.

Thank you @blaedj ... I'll try that once I'm back home. It's interesting, because it was the config that came with the installation. Isn't that supposed to work?

That is interesting, I would expect it would, but it's certainly not valid json.

Hmm, I actually was lazy and installed it by using my package manager. Maybe the maintainer of the package messed up the config or included a messy config. But thanks for your help @blaedj :)

Ah yea, could be a good issue to file with the package maintainer. My pleasure!