# macos
g
to see the schedule you need to query it from a scheduled query
j
sorry I might have missed your point here. Do you mean I need to write another search in the conf file to query what has been scheduled to run?
g
yes
you can only get the osqueryd schedule by querying it in the config and reading the logs
j
oh okay
g
the schedule lives in the db, and osqueryi never interacts with the db
j
any idea on why it's not writing to the result file?
g
try a simpler config file with a frequent query to debug
there could be a million reasons why but if you’re importing a big config it’s hard to tell
j
ok. Thank you. As always. :D
g
it could be something like you connecting to a TLS server which overrides the config order and points to a different logger
j
oh,....Fleet doesn't do that...does it?
g
it does
j
oh ;(
g
if you specified config_plugin=tls then your config file is useless
if you specified config_plugin=filesystem then your pack configs in fleet are useless
pick one
j
lol! It turns out we have both! great catch!
I don't need config_plugin=tls for it to talk to fleet, right?
g
right, you can choose config_plugin=filesystem.
j
👍 thank you
g
but note that it means you can’t use the fleet packs screens anymore
you can still use fleet for live queries, provided you specified distributed_plugin=tls in your conf file
labels will also continue to work that way
also note that fleet has its own config file format you can use to manage packs if you want to do it outside the UI
it’s an option, but there are very few advantages that I know of to using config_plugin=filesystem if you’re committing to using fleet
j
True. Given that our tunnel is up and reliable 😄 meanwhile, I am just using filesystem to fill the gap, once our cloud routing is hardened